<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic VRLI integrating with active directory where LdapEnforceChannelBinding = 2 in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/VRLI-integrating-with-active-directory-where/m-p/2317948#M2105</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In an ongoing support request I got the answer that vRealize Log Insight (VRLi) cannot be integrated with an Active Directory with the following secure settings (specifically with the last one):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Network security: LDAP client signing requirements - Negotiate signing&lt;/P&gt;&lt;P&gt;Domain controller: LDAP server signing requirements - Require signature&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;LdapEnforceChannelBinding&lt;/STRONG&gt; - DWORD value: &lt;STRONG&gt;2&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Background on this setting:&lt;/P&gt;&lt;P&gt;"In March Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. &lt;STRONG&gt;Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing&lt;/STRONG&gt;. They’re making these changes because the current &lt;STRONG&gt;default settings allow for a potential man-in-the-middle attack&lt;/STRONG&gt; that can lead to privilege escalation"&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;From support: VRLi is not supporting "channel binding tokens (CBT)"&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;So my question is: has anyone found a way to work around this to make it possible to use VRLi with AD logins even though LdapEnforceChannelBinding is set to "2"?&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 02 Jul 2020 10:13:00 GMT</pubDate>
    <dc:creator>DennisR</dc:creator>
    <dc:date>2020-07-02T10:13:00Z</dc:date>
    <item>
      <title>VRLI integrating with active directory where LdapEnforceChannelBinding = 2</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/VRLI-integrating-with-active-directory-where/m-p/2317948#M2105</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In an ongoing support request I got the answer that vRealize Log Insight (VRLi) cannot be integrated with an Active Directory with the following secure settings (specifically with the last one):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Network security: LDAP client signing requirements - Negotiate signing&lt;/P&gt;&lt;P&gt;Domain controller: LDAP server signing requirements - Require signature&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;LdapEnforceChannelBinding&lt;/STRONG&gt; - DWORD value: &lt;STRONG&gt;2&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Background on this setting:&lt;/P&gt;&lt;P&gt;"In March Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. &lt;STRONG&gt;Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing&lt;/STRONG&gt;. They’re making these changes because the current &lt;STRONG&gt;default settings allow for a potential man-in-the-middle attack&lt;/STRONG&gt; that can lead to privilege escalation"&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;From support: VRLi is not supporting "channel binding tokens (CBT)"&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12.0pt; font-family: 'Times New Roman',serif;"&gt;So my question is: has anyone found a way to work around this to make it possible to use VRLi with AD logins even though LdapEnforceChannelBinding is set to "2"?&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Jul 2020 10:13:00 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/VRLI-integrating-with-active-directory-where/m-p/2317948#M2105</guid>
      <dc:creator>DennisR</dc:creator>
      <dc:date>2020-07-02T10:13:00Z</dc:date>
    </item>
    <item>
      <title>Re: VRLI integrating with active directory where LdapEnforceChannelBinding = 2</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/VRLI-integrating-with-active-directory-where/m-p/2317949#M2106</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;STRONG&gt;Solved&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Just to let you know if you stumble upon the same issue:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The VRLi dev team had a &lt;STRONG&gt;non-public HotFix&lt;/STRONG&gt; for this that will (probably?) be included in future releases; it solved it for me anyhow.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Jul 2020 15:48:36 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/VRLI-integrating-with-active-directory-where/m-p/2317949#M2106</guid>
      <dc:creator>DennisR</dc:creator>
      <dc:date>2020-07-02T15:48:36Z</dc:date>
    </item>
  </channel>
</rss>