VMware Cloud Community
Chipperchoi
Contributor

Do I need to set up LDAPS if AD Integrated Windows Authentication is already set as the SSO identity source?

Hello all,

I am working on a few client infrastructures to get them prepped for the upcoming LDAP patch/fix in March.

Yes, I know, they should have been set up for LDAPS from the beginning but most are not as you can imagine.

I am looking at VCSA 6.7 for a client and they have the SSO set for AD Integrated Auth.

For some reason, the DC thinks that the vCenter appliance is requesting simple LDAP binds in the event logs.

I read up on both options and it seems that they are different measures for SSO identity source but does the integrated auth still utilize LDAP binds?

Thanks for any input.

Accepted Solutions
Alex_Romeo
Leadership

Hi,

I read up on both options and it seems that they are different measures for SSO identity source but does the integrated auth still utilize LDAP binds? YES!

Recommended Actions

Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

ARomeo

Blog: https://www.aleadmin.it/

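The check behind that answer, as an added example that is not code from this thread: a PowerShell snippet for the domain controller that turns on LDAP interface diagnostics and then tabulates event 2889 per client, so you can confirm whether the vCenter appliance is really the source of the simple-bind entries and which account it binds as. It assumes it runs elevated on the DC; the property layout of event 2889 and the bind-type code mapping are my reading of the documented event text, not something the thread states.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.
# Assumed: event 2889 properties are 0 = client IP:port, 1 = identity,
# 2 = binding type (assumed 0 = unsigned SASL, 1 = simple bind over cleartext).

# 1. Raise "16 LDAP Interface Events" to level 2 so the DC writes one 2889 per
#    offending bind. At the default level 0 you only get the 24-hour summary 2887.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Pull event 2889 from the Directory Service log for the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. Parse each event into client / identity / bind type.
$rows = foreach ($e in $events) {
    $ipPort   = [string]$e.Properties[0].Value       # e.g. "10.0.0.25:49342"
    $bindCode = [string]$e.Properties[2].Value
    $bindType = switch ($bindCode) {
        '0'     { 'Unsigned SASL bind' }
        '1'     { 'Simple bind over cleartext' }
        default { "Unknown ($bindCode)" }
    }
    [pscustomobject]@{
        Client   = $ipPort -replace ':\d+$', ''        # strip port, IPv6-safe
        Identity = [string]$e.Properties[1].Value
        BindType = $bindType
        Time     = $e.TimeCreated
    }
}

# 4. One line per client and bind type: a vCenter appliance that still does
#    simple binds over 389 shows up here with the identity it binds as.
$rows |
    Group-Object Client, BindType |
    ForEach-Object {
        [pscustomobject]@{
            Client     = $_.Group[0].Client
            BindType   = $_.Group[0].BindType
            Count      = $_.Count
            Identities = ($_.Group.Identity | Sort-Object -Unique) -join ', '
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Set the diagnostics value back to 0 once the audit is done, since level 2 logs every such bind and can fill the Directory Service log on a busy DC.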
2 Replies
Chipperchoi
Contributor

Ok thank you.


I will just leave it alone with the IWA.

I see the discussion about SASL settings being set but I guess that is not needed.

Thank you
