Microsoft recently published an advisory stating that, when the default configuration is used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server.
See Microsoft's advisory for the details.
You can switch your LDAP connections to secure LDAP (LDAPS) to mitigate this, and you do not have to wait until Microsoft releases a patch.
Steps to create a self-signed certificate:
- Launch Windows PowerShell on the domain controller as an administrator.
- Generate a self-signed certificate by running the following commands (replace the placeholder with the fully qualified name of the domain controller):
# DNS name the certificate will be issued for; this is the name LDAPS clients connect to
$DN = "servername.domainname.com"
# Create the certificate and place it in the local machine personal store
$newcert = New-SelfSignedCertificate -DnsName $DN -CertStoreLocation cert:/LocalMachine/My;
The $newcert object contains the generated self-signed certificate, which is stored in your system certificate store at the CertStoreLocation path.
Steps to install the self-signed certificate on your Active Directory server, which enables LDAPS:
- Launch Windows PowerShell on the domain controller as an administrator.
- Run the following commands to install your certificate and configure LDAPS:
# Thumbprint of the certificate created in the previous step
$thumbprint = ($newcert.Thumbprint | Out-String).Trim();
# Certificate store read by the NTDS service (the directory service) for LDAPS
$certStore = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates';
# Copy the certificate from the local machine store into the NTDS service store
Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStore;
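As an added check (example code, not from the original post), the following function confirms that the domain controller now answers on port 636 and presents the certificate you just installed. It assumes $DN and $newcert are still set from the commands above; because the certificate is self-signed, a chain validation error is expected and is reported rather than treated as a failure.

```powershell
# Added verification step, not part of the original post. Assumes $DN (the DC's FQDN)
# and $newcert (from New-SelfSignedCertificate) are still set from the steps above.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$Port = 636
    )
    # Collect validation errors instead of aborting the handshake: a self-signed
    # certificate always reports RemoteCertificateChainErrors, and we still want
    # to see which certificate the DC actually served.
    $seenErrors = [System.Collections.Generic.List[string]]::new()
    $validator = {
        param($sender, $cert, $chain, $errors)
        $seenErrors.Add($errors.ToString())   # mutate the shared list, do not reassign it
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # TLS handshake, SNI set to $Server
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Server           = $Server
            Port             = $Port
            Protocol         = $ssl.SslProtocol
            ServedSubject    = $served.Subject
            ServedThumbprint = $served.Thumbprint
            MatchesInstalled = ($served.Thumbprint -eq $ExpectedThumbprint)
            NotAfter         = $served.NotAfter
            ValidationErrors = ($seenErrors -join ', ')
        }
        $ssl.Dispose()
    }
    catch {
        Write-Warning "LDAPS handshake with ${Server}:${Port} failed: $($_.Exception.Message)"
    }
    finally {
        $client.Dispose()
    }
}

Test-LdapsCertificate -Server $DN -ExpectedThumbprint $newcert.Thumbprint
```

MatchesInstalled should be True and ValidationErrors should show only RemoteCertificateChainErrors; a different thumbprint means the DC is still serving another certificate, and a failed handshake means LDAPS is not yet enabled.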
Set up Mimecast to use secure LDAP:
- Log in to https://login-uk.mimecast.com/
- Launch the Administration Console
- Just above Dashboard, click Administration
- Click Services
- Click Directory Synchronization
- Check the box Encrypt Connection
- Set Encryption Mode to "Relaxed"
- Change the Connection Port to 636
- Click Test Connection, and you will see a result like the following:
Connection to primary hostname/ip address 180.0.191.130 on port 636:
Checking the IP address 180.0.191.130:
The IP address has a valid format.
The IP address is public.
Execute the connection with the given parameters:
Active Directory login completed