1 Reply Latest reply on Jul 2, 2020 8:48 AM by DennisR

    VRLI integrating with active directory where LdapEnforceChannelBinding = 2

    DennisR Novice



      In an ongoing support request I got the answer that vRealize Log Insight (VRLi) cannot be integrated with an Active Directory that has the following secure settings (specifically the last one):


      Network security: LDAP client signing requirements - Negotiate signing

      Domain controller: LDAP server signing requirements - Require signature

      LdapEnforceChannelBinding - DWORD value: 2


      Background on this setting:

      "In March Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation"


      From support: VRLi does not support "channel binding tokens (CBT)".


      So my question is: has anyone found a way to work around this, to make it possible to use VRLi with AD logins even though LdapEnforceChannelBinding is set to "2"?
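As an added example (not part of the original post, and not VMware or Microsoft code), the PowerShell below reads the two hardening values named above from a domain controller and then lists which clients have recently bound without signing or failed channel binding token validation, which is how an administrator would confirm whether a client such as the VRLi appliance would break before switching LdapEnforceChannelBinding to 2. It assumes it is run on a DC with administrative rights and that the "16 LDAP Interface Events" diagnostics level is set to 2 so that events 2889 and 3039 are written to the Directory Service log; the IPv4 regex and the seven-day window are my choices.

```powershell
# Added audit example: report the DC's LDAP signing / channel binding settings
# and the clients that would be rejected under the strict values.
# Assumption: run elevated on a domain controller with LDAP Interface Events
# diagnostics set to 2 (otherwise events 2889/3039 are not logged).

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$props = Get-ItemProperty -Path $ntds

# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always required
$cbt  = if ($null -ne $props.LdapEnforceChannelBinding) { $props.LdapEnforceChannelBinding } else { 'not set' }
# LDAPServerIntegrity: 1 = none, 2 = require signing
$sign = if ($null -ne $props.LDAPServerIntegrity) { $props.LDAPServerIntegrity } else { 'not set' }

Write-Host "LdapEnforceChannelBinding : $cbt"
Write-Host "LDAPServerIntegrity       : $sign"

# 2889: client performed a simple or SASL bind without signing
#       (rejected once 'Require signature' is enforced).
# 3039: client bound over SSL/TLS but failed channel binding token validation
#       (rejected once LdapEnforceChannelBinding = 2).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889, 3039
    StartTime = (Get-Date).AddDays(-7)   # assumed review window
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No 2889/3039 events found; check that LDAP Interface Events diagnostics is enabled.'
    return
}

$events |
    ForEach-Object {
        # The client address is embedded in the event message; pull the IPv4 part (assumption)
        $ip = [regex]::Match($_.Message, '(\d{1,3}\.){3}\d{1,3}').Value
        [pscustomobject]@{
            Client = if ($ip) { $ip } else { 'unknown' }
            Reason = if ($_.Id -eq 2889) { 'unsigned bind' } else { 'CBT validation failed' }
        }
    } |
    Group-Object -Property Client, Reason |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

If the VRLi appliance's address shows up under "CBT validation failed", the appliance is binding over TLS without a channel binding token and will be refused once the value is 2.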