IT Professionals:
The Campus Communications Infrastructure team would like to remind you that Microsoft has announced that it will require LDAP channel binding and LDAP signing for all Windows hosts in the January 2020 OS security patch [1,2]. The Active Directory servers at IU are currently monitoring for client connections that will fail once the patch is applied.
At the moment, that list of hostnames [3] includes a significant number of macOS machines joined to Active Directory or connecting to Exchange. However, we do not anticipate any issue for Macs bound to Active Directory. If an AD-bound macOS client does experience a login issue, you will need to rejoin it to Active Directory [4].
There are also quite a number of service accounts or user accounts connected to unknown services, some of which reside on Data Center IP address space.
Actions for IT Pros
For macOS clients using Outlook, please enable signed LDAP queries [5].
For Enterprise Service Owners, please check your data center VLANs against the included list to make sure your services do not appear on it. If you do have enterprise services on the list, please check any LDAP connections on those hosts to see whether they can be configured to require binding or signing.
For other clients, IT Pros can attempt to locate the application or service that is running as the indicated user or machine object and connecting via LDAP, and see whether that application can be configured to require binding or signing.
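The monitoring described above, and the task of locating which application or account is making unsigned LDAP binds, both rest on the same domain controller signal: once the "16 LDAP Interface Events" diagnostic is raised to 2, each unsigned SASL bind or cleartext simple bind is logged as Event ID 2889 in the Directory Service log with the client IP, the identity used, and a Binding Type of 0 (unsigned SASL) or 1 (cleartext simple bind). The script below is an added example, not part of this announcement or of any IU tooling; it parses a handful of constructed 2889-style message bodies (the IPs and account names are made up) and aggregates them per client IP so an IT Pro can see which hosts and accounts to chase. It assumes the message bodies have already been exported to text, for example with Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=2889} on a domain controller.

```python
import re
from collections import defaultdict

# Constructed sample messages shaped like the body of Directory Service
# Event ID 2889. The IPs, account names and ports are made up for this
# example; they are not records from any real domain controller.
_PREAMBLE = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
    "LDAP bind without requesting signing (integrity verification), or "
    "performed a simple bind over a clear text (non-SSL/TLS-encrypted) "
    "LDAP connection.\n\n"
)

def _event(endpoint, identity, bind_type):
    """Build one constructed 2889-style message body."""
    return (_PREAMBLE
            + f"Client IP address:\n{endpoint}\n"
            + f"Identity the client attempted to authenticate as:\n{identity}\n"
            + f"Binding Type:\n{bind_type}\n")

SAMPLE_EVENTS = [
    _event("10.0.5.21:52114", "EXAMPLE\\svc-ldapsync", 1),
    _event("10.0.5.21:52190", "EXAMPLE\\svc-ldapsync", 1),
    _event("10.0.5.21:53002", "EXAMPLE\\WKSTN01$", 0),
    _event("10.0.9.7:41120", "EXAMPLE\\jdoe", 0),
    "Unrelated log line that is not a 2889 message",
]

# Binding Type values as documented for Event 2889.
BIND_TYPES = {
    "0": "SASL bind without signing",
    "1": "simple bind over cleartext LDAP",
}

EVENT_2889_RE = re.compile(
    r"Client IP address:\s*(?P<endpoint>\S+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*"
    r"Binding Type:\s*(?P<bind_type>[01])",
    re.DOTALL,
)

def split_endpoint(endpoint):
    """Split the 'ip:port' string from the event text into (ip, port).
    Only the IPv4 'a.b.c.d:port' form is split; anything else (e.g. an IPv6
    literal, which contains its own colons) is returned whole with port None."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return endpoint, None

def parse_event_2889(message):
    """Extract client IP, port, identity and bind type from one 2889 message.
    Returns None when the text does not carry the three expected fields."""
    m = EVENT_2889_RE.search(message)
    if not m:
        return None
    ip, port = split_endpoint(m.group("endpoint"))
    return {
        "ip": ip,
        "port": port,
        "identity": m.group("identity").strip(),
        "bind_type": BIND_TYPES[m.group("bind_type")],
    }

def summarize(messages):
    """Aggregate parsed events per client IP: which identities bound from it
    and how many unsigned SASL vs cleartext simple binds were seen."""
    summary = defaultdict(lambda: {"identities": set(),
                                   "unsigned_sasl": 0,
                                   "cleartext_simple": 0})
    for msg in messages:
        ev = parse_event_2889(msg)
        if ev is None:
            continue  # skip text that is not a 2889 body
        entry = summary[ev["ip"]]
        entry["identities"].add(ev["identity"])
        if ev["bind_type"] == BIND_TYPES["0"]:
            entry["unsigned_sasl"] += 1
        else:
            entry["cleartext_simple"] += 1
    # Freeze the identity sets into sorted lists so the result is easy to print or diff.
    return {ip: {**e, "identities": sorted(e["identities"])}
            for ip, e in summary.items()}

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{ip}: {e['unsigned_sasl']} unsigned SASL, "
              f"{e['cleartext_simple']} cleartext simple; "
              f"identities: {', '.join(e['identities'])}")
```

Per-IP aggregation is deliberate: the same service account often binds from several hosts, and the same host can bind as several identities, so the pairing of IP and identity is what points at the specific application to reconfigure. A cleartext simple bind (type 1) also means the password crossed the network unencrypted, which is worth flagging separately from an unsigned SASL bind.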
The Active Directory Admins will continue to update this folder with impact lists. From the initial run-through, just over 3800 distinct internal hosts are affected.
If you have any further questions, please contact sct2@iu.edu.
–IT Community Partnerships on behalf of the Campus Communications Infrastructure team
[1] https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
[2] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
[3] Impact List, Box Entrusted [Login Required]: https://iu.box.com/s/p8r805t4air9xujzl121b73nhzo6nwg4
[4] Configure macOS login for ADS: https://kb.iu.edu/d/aziv
[5] Enable signed LDAP for macOS: https://kb.iu.edu/d/bccz
~~~~~ Today’s IT Pro Tip ~~~~~
NameCoach is available for people listings within the IU Directory and the Canvas Photo Roster – just look for the audio symbol next to the person’s name. All IU faculty, staff, and students have access to NameCoach, a tool for recording your name so others can learn how to pronounce it. Plus, you can copy your name badge into your email signature and add your name page to your social media. Learn more.