F5 APM - Active Directory AAA profile and port 636 w/ SSL

nick
Nimbostratus

As you probably already know, Microsoft is enforcing all LDAP binds to require a secure channel binding or LDAPS in March 2020. This means port 389 for LDAP queries will fail after the March Windows patch is deployed.


Our ActiveSync and OWA Exchange VIPs were deployed using the Exchange iApp and have Active Directory AAA profiles for access through the APM. I've looked through the profile settings and do not see where to change the port from 389 to 636. How do we force the Active Directory AAA profiles to use 636 with SSL?


https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-lda...


Edit: Did see another post regarding this and found this article that states no changes are necessary for Active Directory profiles? https://support.f5.com/csp/article/K30054212

8 REPLIES

boneyard
MVP

Yes, that is my understanding as well; if you use Active Directory as the AAA server you should be fine.

WillC
Altostratus

Read this other thread: https://devcentral.f5.com/s/feed/0D51T000074cnXxSAI

The F5 article was incorrect and has now been taken down: https://support.f5.com/csp/article/K30054212 (Feb 5 access shows page not available)


AD query in APM policy will generate unsigned insecure LDAP.

It needs to be changed to LDAP query via port 636.


So if you use AD auth also, you likely need to change that to LDAP auth via 636, as an LDAP query won't work without LDAP auth first.
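The posts above say that an unsigned simple bind on 389 will stop working once the Microsoft change is enforced, and that 636 with SSL is the expected replacement. The following is an added example, not code from the thread or from F5: a standard-library Python probe that sends a single LDAP simple bind to your own domain controller once over cleartext 389 and once over LDAPS 636, and reports the LDAP result code of each. The expectation encoded in `signing_enforced` is that a DC requiring signing answers a cleartext simple bind with resultCode 8 (strongerAuthRequired) while the same bind over TLS succeeds (resultCode 0). The host name, bind DN and password are placeholders; the sample responses are constructed bytes used only to exercise the parser.

```python
# Added example (not from the thread): minimal LDAP simple-bind probe on the Python
# standard library, to confirm that a DC refuses unsigned simple binds on 389 but
# accepts the same bind over LDAPS on 636.
import socket
import ssl

SUCCESS = 0
STRONGER_AUTH_REQUIRED = 8  # resultCode a signing-required DC returns for a cleartext simple bind


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV starting at pos; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse ([APPLICATION 1])."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)          # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def build_bind_response(msg_id: int, code: int, diag: str) -> bytes:
    """Constructed BindResponse bytes, used here only to exercise the parser offline."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, result))


# Constructed samples (not captured from a real DC).
SAMPLE_REFUSED = build_bind_response(1, STRONGER_AUTH_REQUIRED,
                                     "constructed: server requires signing on cleartext binds")
SAMPLE_OK = build_bind_response(1, SUCCESS, "")


def probe_bind(host: str, port: int, use_tls: bool, dn: str, password: str, timeout: float = 5.0) -> int:
    """Send one simple bind to your own DC and return the LDAP resultCode."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()  # validates the DC certificate chain and hostname
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_simple_bind(1, dn, password))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a BindResponse arrived")
            data += chunk
            hdr = 2 + ((data[1] & 0x7F) if len(data) > 1 and data[1] & 0x80 else 0)
            if len(data) >= hdr and read_tlv(data)[2] <= len(data):
                break
        return parse_bind_response(data)[0]


def check_dc(host: str, dn: str, password: str) -> dict:
    return {
        "ldap_389": probe_bind(host, 389, False, dn, password),
        "ldaps_636": probe_bind(host, 636, True, dn, password),
    }


def signing_enforced(results: dict) -> bool:
    """True when cleartext binds are refused for lack of signing and LDAPS binds succeed."""
    return results["ldap_389"] == STRONGER_AUTH_REQUIRED and results["ldaps_636"] == SUCCESS


if __name__ == "__main__":
    # Placeholders: replace with your own DC and a low-privilege service account.
    res = check_dc("dc.example.invalid", "CN=svc-apm,OU=Service,DC=example,DC=invalid", "PLACEHOLDER")
    print(res, "signing enforced" if signing_enforced(res) else "cleartext simple bind still accepted")
```

The cleartext probe is the one an APM AD query would resemble today; if it still returns 0, the DC has not yet been switched to require signing, and the LDAPS result on 636 is what the replaced AAA configuration should be producing.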

We've restored the article in question, and will update it further when we have more complete information. I apologize for the inconvenience, and the poor experience while the link was broken.

There is not much in the article now; do you know when we can expect an update?

There are still a few things pending clarification with Microsoft. I'll return with an update once the article is ready.

Kin
F5 Employee

Investigations are still on-going; an update has been posted in the article https://support.f5.com/csp/article/K30054212

Kin
F5 Employee

The article https://support.f5.com/csp/article/K30054212 has been updated after investigations.

Thank you Kin, great to see AD query should still be fine.