Queries to Microsoft LDAP servers may fail after security hardening prevents clear-text LDAP binds. This can affect the definition of a new Activity, or existing Activities that use unsecured LDAP authentication methods.
Example 1: Unable to define a new Activity using LDAP:
During the setup of an Activity, when testing an LDAP query on the Select Datasources configuration page, the following is displayed after pressing the "Execute" button:
Connecting...
Connected.
Running Query <LDAP Query Here>
LDAP Query Failed
Note: This error is generic and may also indicate that the query failed because the query syntax is bad, not because of an authentication issue.
If the query fails because of authentication, the ExMMCAdmin.dll.log also records the following error, which indicates an authentication failure:
CoExLDAPClient::TestConnection|ERROR|Strong Authentication Required System call failed. (0x86040100)|CoExLDAPClient.cpp(256)
Example 2: Existing Activities fail to run
Activities may generate recurring jobs which are defined to run at a selected time. When run, the associated JBS job fails. Before security hardening, both the JBS and JBC jobs succeed.
Example: an "Archive Historical" job fails to run. The associated ExArchiveJBS.exe.log records the following errors after each failure:
CoExDirObjLookup::ExecuteLDAPSearch|ERROR|The following LDAP query failed: <LDAP Query Here>. (0x86041806)|CoExDirObjLookup_LDAP.cpp(1324)
CExJBSMailbox::Run|ERROR-LOGD|The following LDAP query failed: <LDAP Query Here>. (0x86041806) [ExArchiveJBS.exe, CoExDirObjLookup_LDAP.cpp(1324).CoExDirObjLookup::ExecuteLDAPSearch] |CExJBSMailbox.cpp(370)
Since ExArchiveJBS.exe did not complete, no jobs with a task of type "Archive JBC" were generated. As a result, mailboxes are not processed.
This issue may occur if access to Active Directory via LDAP has been hardened and no longer supports an unsecured connection. Once LDAP channel binding and LDAP signing are enforced, unsecured access to LDAP over port 389 is no longer supported. See Microsoft Security Advisory ADV190023.
Microsoft states: "The March 10, 2020 updates and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers."
Enforcement of these security settings is optional; however, some administrators may choose to enforce secure connections as a best practice. That enforcement causes unsecured connections to fail.
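To show what the failing clear-text bind looks like on the wire, here is an added Python example (standard library only; not code from this article or the product): it encodes the LDAPv3 simple bind that a hardened domain controller rejects on port 389, decodes the server's BindResponse, and maps resultCode 8 (strongerAuthRequired, the "Strong Authentication Required" condition logged above) to the remediation this article describes. Function names and the sample response are mine; the sample is constructed, not captured from a domain controller.

```python
# Added example: encode an LDAPv3 simple bind and decode the BindResponse (RFC 4511, BER).
STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode behind "Strong Authentication Required"

def _ber_len(n: int) -> bytes:
    # BER length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf: bytes, pos: int):  # -> (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(dn: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage{BindRequest{version 3, name, simple}}: the clear-text bind a hardened DC rejects."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))

def build_bind_response(result_code: int, diagnostic: str, message_id: int = 1) -> bytes:
    """BindResponse{resultCode, matchedDN "", diagnosticMessage}; used here to build offline samples."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, body))

def parse_bind_response(data: bytes) -> dict:
    """Decode resultCode and diagnosticMessage from a server BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    _, _msg_id, pos = _read_tlv(msg, 0)
    op, body, _ = _read_tlv(msg, pos)
    if tag != 0x30 or op != 0x61:  # SEQUENCE wrapping [APPLICATION 1]
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = _read_tlv(body, 0)
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    return {"result_code": int.from_bytes(code, "big"), "diagnostic": diag.decode("utf-8", "replace")}

def classify(result_code: int) -> str:
    """Map the bind outcome to the remediation the article describes."""
    if result_code == 0:
        return "accepted: clear-text simple bind still allowed (signing not enforced)"
    if result_code == STRONGER_AUTH_REQUIRED:
        return "rejected: LDAP signing enforced; use Microsoft ADSI or LDAP over SSL (636)"
    return f"rejected: LDAP resultCode {result_code}; check query or credentials, not hardening"

# Constructed sample (not captured from a domain controller) of a signing-required reply
SAMPLE_STRONGER_AUTH_REQUIRED = build_bind_response(STRONGER_AUTH_REQUIRED, "constructed: server requires signing")
```

Sending the bytes from build_simple_bind to port 389 with a throwaway test account and passing the reply to parse_bind_response shows whether the domain controller still accepts clear-text binds; on a hardened server, classify returns the ADSI or LDAP over SSL advice.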
Activities can be updated or defined to use Active Directory Service Interfaces (ADSI) or LDAP over SSL.
To enable Active Directory Service Interfaces (ADSI):
- Edit existing Activities, or when creating Activities, go to the Select Datasources configuration page.
- Select the Use Microsoft ADSI checkbox. If the checkbox is disabled, click the Edit button and select Server supports Microsoft ADSI Search.
- Press OK; the Use Microsoft ADSI checkbox can now be selected.
- The query can now be tested using the query dialog and Execute button.
- Validate the query runs and returns the expected results.
- Continue through the configuration wizard to complete the update of the activity.
To enable LDAP over SSL:
Before configuring, the LDAP server must have a trusted certificate in the Windows certificate store, which allows LDAP over SSL connections to one or more Active Directory servers.
- Edit existing Activities, or when creating new Activities, go to the Select Datasources configuration page.
- Click the Edit button and select Server requires secure connection.
- Next to Server Port, press Use Default, which updates the port to 636.
- Note: If LDAP over SSL uses a custom port, enter the custom port number.
- Press OK to update the changes to the server configuration.
- The query can now be tested using the query dialog and Execute button.
- Validate the query runs and returns the expected results.
- Continue through the configuration wizard to complete the update of the activity.