Secure LDAP for Microsoft Active Directory

Microsoft released security advisory ADV190023 to harden communication between LDAP clients and Active Directory Domain Controllers. The change affects customers who still use non-secure LDAP connections to Active Directory. Plain LDAP traffic (without SSL/TLS) is neither signed nor encrypted: a simple bind sends the account password in clear text, and an attacker positioned between the client and the Domain Controller can read the session, tamper with it, or relay it to the Windows LDAP server (a man-in-the-middle attack).

Per the advisory, Microsoft will ship a change that enables LDAP channel binding and LDAP signing enforcement on Domain Controllers by default. This update will impact the Cisco Collaboration applications listed below, which use LDAP for user synchronization and authentication.

After the update, LDAP connections to Active Directory from these applications will not work unless Secure LDAP (LDAPS, LDAP over TLS on TCP port 636) is configured.

  • Cisco Unified Communications Manager (CUCM)
  • IM and Presence Service (IM&P)
  • Cisco Unity Connection (CUC)
  • Cisco Expressway
  • Cisco Unified Intelligence Center (CUIC)
  • Cisco Meeting Server (CMS)
  • Cisco Meeting Management
  • Cisco Unified Attendant Console Advanced

SMP strongly advises customers to enable secure LDAP for Cisco Collaboration applications. If you already have secure LDAP (LDAPS) configured for all connections to Active Directory, no additional configuration updates are required: because TLS protects the session, a simple bind over LDAPS is still accepted once signing is required, and channel binding enforcement applies to SASL (Kerberos/NTLM) binds inside TLS, not to simple binds. Microsoft has stated that a Windows Update in the second half of calendar year 2020, for all supported Windows platforms, will enforce LDAP channel binding and LDAP signing on Active Directory servers by default. As part of enabling secure LDAP over TLS, you must also load the appropriate LDAP trust certificates (the CA certificate chain that issued the Domain Controller's LDAPS certificate) onto each Cisco Collaboration application, and the hostname the application uses to reach the Domain Controller should match that certificate's subject or subject alternative name.
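The PowerShell below is an added example written for this page; it is not Microsoft's, Cisco's or SMP's own tooling. It shows the three checks an administrator wants before the enforcement update lands: the Domain Controller's current LDAP signing and channel binding settings, which clients (for example a CUCM or Unity Connection node still pointed at port 389) are binding without signing, and the CA certificate chain behind the DC's LDAPS listener so it can be uploaded to the Cisco applications as trust certificates. It assumes it runs in an elevated session on the Domain Controller, that the DC already listens on TCP 636, and that the Event ID 2889 record carries the client address as its first insertion string and the bound identity as its second; the function names are illustrative.

```powershell
# Added example (not from Microsoft, Cisco or SMP): audit a Domain Controller for
# ADV190023 readiness, list LDAP clients that still bind insecurely, and export the
# DC's LDAPS certificate chain for upload to the Cisco Collaboration applications.
# Run in an elevated PowerShell session on the Domain Controller itself.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Current enforcement state on this DC.
#    LDAPServerIntegrity:       1 = signing not required (default), 2 = signing required
#    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams
    [pscustomobject]@{
        LDAPServerIntegrity       = $p.LDAPServerIntegrity
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
    }
}

# 2. Make the DC log Event ID 2889 for every unsigned SASL bind and every simple bind
#    over clear-text LDAP. Level 2 on "16 LDAP Interface Events" is what ADV190023
#    documents for this; it is chatty, so set it back to 0 when the audit is finished.
function Enable-LdapBindAuditing {
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2
}

# 3. Summarize 2889 events by client and identity. A Cisco node that still uses plain
#    LDAP on port 389 shows up here under its LDAP sync/authentication account.
#    Assumption: insertion string 0 is "IP:port" and string 1 is the bound identity,
#    matching the 2889 message layout ("Client IP address: ... Identity ...").
function Get-InsecureLdapBinds {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        [pscustomobject]@{
            # Strip only the trailing ":port" so IPv6 literals survive.
            Client   = $_.Properties[0].Value -replace ':\d+$', ''
            Identity = $_.Properties[1].Value
        }
    } | Group-Object Client, Identity | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Client / Identity'; e = { $_.Name } }
}

# 4. Fetch the certificate the DC presents on 636, build its chain from the local
#    store, and write every element as DER (.cer). The root and any intermediate CA
#    files are what get uploaded to the Cisco applications as LDAP trust certificates
#    (convert to PEM if a particular application's upload page requires it).
function Export-LdapsCertificateChain {
    param(
        [string]$Server = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$OutDir = '.'
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, 636)
    # Accept whatever the server presents: this step collects, the chain build validates.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    if (-not $chain.Build($leaf)) {
        Write-Warning "Chain for $($leaf.Subject) did not validate: $($chain.ChainStatus.Status -join ', ')"
    }
    $i = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $name = $cert.GetNameInfo('SimpleName', $false) -replace '[^\w.-]', '_'
        $path = Join-Path $OutDir ('{0}-{1}.cer' -f $i, $name)
        [System.IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
        [pscustomobject]@{ File = $path; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        $i++
    }
}

Get-LdapHardeningState | Format-List
Enable-LdapBindAuditing
Get-InsecureLdapBinds -Hours 24 | Format-Table -AutoSize
Export-LdapsCertificateChain -OutDir $env:TEMP | Format-Table -AutoSize
```

Even without raising the diagnostic level, a DC that does not yet require signing writes a daily Event ID 2887 summary with the number of unsigned or clear-text binds it accepted in the previous 24 hours; a non-zero count there means the 2889 audit above is worth running. Element 0 of the exported chain is the DC's own LDAPS certificate and is not normally uploaded to the Cisco applications; the issuing CA certificates after it are.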

For more detailed information, please refer to:

Microsoft Security Advisory ADV190023: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Cisco Software Advisory: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html

More Info

For more information, or if you would like assistance in completing any of the configuration work related to Secure LDAP for Collaboration applications, please reach out to your SMP Account Manager or contact SMP directly.