LDAPS / SSL-only for Microsoft Active Directory connections
Microsoft is releasing an update in March 2020 across all operating systems to improve the security of LDAP connections between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. This update will enable LDAP channel binding and LDAP signing hardening changes to ensure that LDAP connections are protected against man-in-the-middle attacks.
This Microsoft update will force the use of an SSL connection when querying or authenticating users against Active Directory using LDAP.
You can find out more about this update on Microsoft’s support site: 2020 LDAP channel binding and LDAP signing requirement for Windows.
In anticipation of the release of this patch, Microsoft recommends forcing this communication to SSL before the patch is released, and making sure all your systems function correctly (so that you can be sure everything goes smoothly when the patch is released): ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
By default, PaperCut NG and PaperCut MF access Active Directory using native Active Directory APIs. This method does not utilize a traditional LDAP connection. If you are using this default configuration (displayed as Windows Active Directory in the PaperCut sync settings), then no changes are required, and this update will not affect your installation.
If your installation of PaperCut NG or PaperCut MF is configured to use an LDAP (non-SSL) connection to synchronize with Active Directory, then this will stop working after the Microsoft Update has been applied.
We recommend that any customers using a non-SSL connection to Active Directory to adjust their installation and configure an SSL connection. This should be a straightforward process of enabling the “Use SSL (Must be supported by LDAP server) checkbox as part of the **Options** > **User/Group Sync** settings.
Still have questions?
Let us know! We love chatting about what’s going on under the hood. Feel free to leave a comment below or visit our Support Portal for further assistance.
Keywords: microsoft authentication, LDAP, LDAPS, active directory