Whoops – sent the email a bit prematurely…

Here’s a link to that VMware article with a recent update mentioning that 
defaults will not be changing in March.

https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html

It seems the Cisco article is a bit behind and needs to be updated. Hopefully 
this buys everyone some time, especially for those supporting a number of 
environments.

- Daniel Pagan


From: Daniel Pagan
Sent: Tuesday, February 11, 2020 2:33 PM
To: Lelio Fulgenzi <le...@uoguelph.ca>; Matthew Loraditch 
<mloradi...@heliontechnologies.com>
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net) 
<cisco-voip@puck.nether.net>
Subject: RE: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP 
mandatory

It does not appear Microsoft will be enforcing LDAP over TLS with this upcoming 
patch. While the original plan was indeed to tighten this up, it seems this 
requirement is being delayed until after Q2 of the year.

The advisory was updated February 4th and shows:

Windows Updates in March 2020 add new audit events, additional logging, and a 
remapping of Group Policy values that will enable hardening LDAP Channel 
Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP 
signing or channel binding policies or their registry equivalent on new or 
existing domain controllers.

A further future monthly update, anticipated for release the second half of 
calendar year 2020, will enable LDAP signing and channel binding on domain 
controllers configured with default values for those settings.

I found that VMware updated their advisory to reflect this recent change to 
Microsoft’s timeline two days later:

“Update (2/6/2020): On February 4, 2020 Microsoft changed their guidance for 
the March 2020 Windows Updates to indicate that the defaults will NOT be 
changing in that update.”
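The March updates quoted above add audit events for binds that will stop working once signing and channel binding are enforced. As an added example (not from the thread, Microsoft or Cisco), here is a small parser that turns exported Directory Service event 2889 records into a per-client tally, so the integration hosts (CUCM, vCenter, ISE, ...) that still bind insecurely can be found before the enforcing update; the sample records are constructed and the regex assumes the Event Viewer text layout shown.

```python
import re
from collections import Counter

# Constructed sample (trimmed to the relevant fields) of Directory Service event
# 2889, which a DC logs for each client that binds without signing or does a
# simple bind in the clear. Hosts, addresses and account names are made up.
SAMPLE_EVENTS = """\
Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.20.30.40:51234
Identity the client attempted to authenticate as:
EXAMPLE\\svc-cucm-ldap
Binding Type:
0
Event ID: 2889
Client IP address:
10.20.30.40:51310
Identity the client attempted to authenticate as:
EXAMPLE\\svc-cucm-ldap
Binding Type:
0
Event ID: 2889
Client IP address:
10.20.30.50:40022
Identity the client attempted to authenticate as:
EXAMPLE\\svc-vcenter
Binding Type:
1
"""

RECORD_RE = re.compile(
    r"Client IP address:\s*(?P<addr>\S+)\s*"
    r"Identity the client attempted to authenticate as:[ \t]*\n?(?P<ident>[^\n]*)\n\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)

def parse_2889(text):
    """Extract (client IP, identity, binding type) from each 2889 record."""
    rows = []
    for m in RECORD_RE.finditer(text):
        ip, _, _port = m.group("addr").rpartition(":")  # drop the ephemeral source port
        rows.append({"client": ip, "identity": m.group("ident").strip(),
                     "binding_type": int(m.group("btype"))})
    return rows

def insecure_binds_by_client(rows):
    """Count insecure binds per (client, identity): the integration hosts (CUCM,
    vCenter, ISE, ...) that still need LDAPS or signing before enforcement."""
    return Counter((r["client"], r["identity"]) for r in rows)
```

Run the tally over a few days of exported events from every DC, since 2889 is logged on whichever DC the client happened to bind to.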

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Sunday, February 9, 2020 6:05 PM
To: Matthew Loraditch <mloradi...@heliontechnologies.com>
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

I believe we had to load two certs.

And, after loading certs, restart tomcat.


Sent from my iPhone

On Feb 9, 2020, at 5:23 PM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:
Interesting. Our root cert is and has been loaded, but I’m still using just the 
IPs so normally that would make the handshake fail.


Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com
e: mloradi...@heliontechnologies.com
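The two failure modes in this exchange are an AD CA chain the client does not trust, and a client pointed at the DC's bare IP so the name on the DC certificate never matches. As an added example (not from the thread or from CUCM), this probe does a chain-verified TLS handshake to a DC on the global catalog TLS port and reports separately whether the certificate's names cover the host string the client was given; the CA file path and host names are assumptions.

```python
import ipaddress
import socket
import ssl

LDAPS_PORT = 636        # plain LDAPS
GC_LDAPS_PORT = 3269    # Global Catalog over TLS, the port that worked better above

def san_covers(cert, target):
    """True if the peer certificate's subjectAltName covers `target`.

    `cert` is the dict shape ssl.SSLSocket.getpeercert() returns. A DC
    certificate normally carries only the DC's FQDN as a DNS SAN, so a
    client configured with the bare IP fails hostname verification even
    though the issuing CA is trusted."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            name = value.lower()
            if name == host:
                return True
            # wildcard only in the leftmost label, matching exactly one label
            if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
                return True
    return False

def probe_ldaps(host, port=GC_LDAPS_PORT, cafile=None, timeout=5):
    """Handshake with a DC, verifying the chain against `cafile` (the AD CA
    certificate CUCM needs loaded) but checking the name ourselves, so the
    result separates a trust failure (raised) from a name mismatch (reported)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we report the name result instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "name_matches": san_covers(cert, host),
                "sans": cert.get("subjectAltName", ()),
            }
```

If `probe_ldaps` raises `ssl.SSLCertVerificationError`, the CA chain is the problem; if it returns with `name_matches` False, the host string (typically an IP) is.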
________________________________
From: Lelio Fulgenzi <le...@uoguelph.ca>
Sent: Sunday, February 9, 2020 5:15:40 PM
To: Matthew Loraditch <mloradi...@heliontechnologies.com>
Cc: James Buchanan <james.buchan...@gmail.com>; voyp list, cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

[EXTERNAL]


I couldn’t get secure ldap to work without loading the certificates from the AD 
servers. I also had more luck using the global catalog ports.
Sent from my iPhone

On Feb 9, 2020, at 5:05 PM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:
I was wondering if they were going to post anything as it’s very unclear if 
ldap over tls was the fix.

Apparently (and amen) it is. Did it on our office system last week to see if it 
would work without any certificate needs. It just worked and during a save it 
will instantly tell you if it worked or not.

Outside of the most regimented environments you should be able to just make the 
change. If it fails talk to your AD team as they would likely have something 
blocked or disabled.


Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com
e: mloradi...@heliontechnologies.com
________________________________
From: cisco-voip <cisco-voip-boun...@puck.nether.net> on behalf of James Buchanan <james.buchan...@gmail.com>
Sent: Sunday, February 9, 2020 4:57:40 PM
To: voyp list, cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

[EXTERNAL]

Hello folks,

I know you all needed some more work. I sure did! So here you are!

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html

I'm interested in any early thoughts on other integrations--vCenter, ISE, VPN, 
TACACS, etc. I assume it applies across the board.

Thanks,

James

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip