Any news on this? Microsoft are to roll out the patch in mid-January 2020 and there's literally nothing that talks about this in a Horizon context.
I have a support case ongoing with VMware and I just got the following answer:
"I have received the update from our internal team that we don't have to take any additional steps. View already uses signing for LDAP connections to local/global AD LDS instances, and to domain controllers.
So for cloud and on-premise deployments, View is ready for the Microsoft updates for 2020."
Good news, but we still need to figure out what we need to do to secure the communication with Microsoft Active Directory from the Horizon View Connection Servers service accounts with either LDAP signing or via TLS.
We have activated log Event ID: 2889 according to "Identifying Clear Text LDAP binds to your DC’s", https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
In the Windows event log filtered by Event ID 2889 we can see information like this:
"The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection."
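As an added example (not from the thread, the linked blog post, or VMware), here is the PowerShell a DC admin would run to turn on the diagnostic logging the post refers to and then summarise the resulting 2889 events by client address, identity and bind type. The registry value and the "Client IP address" / "Identity the client attempted to authenticate as" field names are the ones Windows uses for this event; the "Binding Type" field is assumed to be present only on DCs that have the 2020 LDAP updates and is parsed as optional. The sample message at the end is constructed to show the parser offline.

```powershell
# Added example (not part of the original thread): enable "16 LDAP Interface Events" on a
# domain controller and report who is performing unsigned or clear-text LDAP binds (Event 2889),
# so the Horizon Connection Server hosts and service accounts can be matched against the list.

# 1. Diagnostic level 2 for LDAP Interface Events makes the DC log 2889 per offending bind.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Turn one 2889 message into a record. "Binding Type" is only present on updated DCs
#    (assumption: 0 = simple bind over clear text, 1 = SASL bind without signing).
function ConvertFrom-Ldap2889 {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    $ip = $null; $identity = $null; $bindType = 'Not reported'
    if ($Message -match 'Client IP address:\s*([^\r\n]+)') { $ip = $Matches[1].Trim() }
    if ($Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $identity = $Matches[1].Trim() }
    if ($Message -match 'Binding Type:\s*(\d+)') {
        $bindType = switch ([int]$Matches[1]) {
            0       { 'Simple bind (clear text)' }
            1       { 'SASL bind without signing' }
            default { "Unknown ($_)" }
        }
    }
    # The client port is irrelevant for correlation; keep only the address.
    if ($ip) { $ip = ($ip -split ':')[0] }
    [pscustomobject]@{ Time = $Time; ClientIP = $ip; Identity = $identity; BindType = $bindType }
}

# 3. Summarise the last 7 days of 2889 events from the Directory Service log.
function Get-UnsignedLdapBindSummary {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Ldap2889 -Message $_.Message -Time $_.TimeCreated } |
        Group-Object ClientIP, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
            @{ n = 'Identity'; e = { $_.Group[0].Identity } },
            @{ n = 'BindType'; e = { $_.Group[0].BindType } },
            @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

# Constructed sample message (not a real captured event) to exercise the parser offline.
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.25:49731
Identity the client attempted to authenticate as:
EXAMPLE\svc-horizon
Binding Type:
1
"@
ConvertFrom-Ldap2889 -Message $sample | Format-List

# Live run on the DC:
Get-UnsignedLdapBindSummary -Days 7 | Format-Table -AutoSize
```

Compare the ClientIP column against the Connection Server addresses and the Identity column against the Horizon service account: if the Connection Servers show up there, whatever VMware support says about GSSAPI signing, those particular binds are the ones that will break when "Require signing" is enforced. Remember to set the diagnostic value back to 0 afterwards, since level 2 is noisy on a busy DC.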
Yeah, not feeling overly confident on this one. I received roughly the same answer from VMware support, except they said "there shouldn't be any negative side-effects"... Never say "should be ok" to an IT guy.
Earlier in the year the AD team forced signing requests and our VDI environment became unavailable. It came back when they rolled back. That's the reason why I'm asking VMware support to get it together on this one. There's nothing in the Horizon UI that suggests LDAP/TLS configuration.
This is just a follow-up email to let you know that we are working with the concerned team to release a public KB article regarding the 2020 LDAP channel binding and LDAP signing requirement for Windows in a Horizon environment at the earliest.
And I got this from VMware Support:
View uses LDAP GSSAPI binds with signing, hence it already meets the "Require Signing" policy.
There will be a public KB article available regarding this. I will update you once it is available.
And yet we both get 2889s on the DC.
I don't think so but I'm wondering if they think we're talking about the internal replicated LDAP DB... January sure is going to be fun.