XtremIO: Microsoft LDAP Channel Binding and LDAP Signing requirements
Summary: XtremIO: Microsoft LDAP Channel Binding and LDAP Signing requirements
Symptoms
The following environments are affected:
- XtremIO XMS systems using normal LDAP authentication from a Microsoft Active Directory server (only LDAPS is supported; see the Resolution section below for more details).
- The Windows OS releases affected by this change are listed here: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
Microsoft announced they will be making changes which will update Active Directory (AD) to set its default LDAP security configuration to use LDAP Channel Binding and LDAP Signing by March 2020 in order to harden security for the AD application.
As a result, there are certain configurations required on the XtremIO XMS in order to support this change.
More details about the Microsoft changes can be found in the Microsoft article shown here: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
Cause
Resolution
In order to ensure this change does not affect any XMS systems that are currently using AD for user authentication, verify that Secure LDAP (LDAPS) is configured. Normal LDAP will not support the changes to Active Directory!
To verify this configuration, perform one of the following (note: The XMS can contain multiple LDAP configurations):
- Log in to the XMCLI and run show-ldap-configs. Collect the "LDAP-Servers" information.
- Log in to the GUI and navigate to System Settings (gear icon) --> Security --> LDAP Configuration. Collect the "Server URL" information.
For either method used, the collected information will be similar to the following (the example below shows a configuration with two LDAP servers):
'ldaps://LDAP_HOSTNAME_OR_IP1:3269', 'ldaps://LDAP_HOSTNAME_OR_IP2:3269'
In this example, the "ldaps" prefix and port 3269 together indicate that LDAPS is configured on this XMS. If the URL instead says "ldap", or has a different port number than what is shown above*, then LDAPS is not configured.
*(An LDAP server can be set up to use a different port number with LDAPS authentication, but it must be verified that the LDAP server is actually listening for traffic on the specified port number with LDAPS).
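The check described above can be scripted once the "LDAP-Servers" or "Server URL" value has been collected. The following Python is an added example, not part of the original article or of any XtremIO tooling; the function names, status labels and sample hostnames are assumptions made for illustration.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

LDAPS_PORT = 3269  # port shown in the article's example

# Constructed sample of collected "LDAP-Servers" text (hostnames are made up).
SAMPLE = ("'ldaps://dc1.example.test:3269', 'ldap://dc2.example.test:389', "
          "'ldaps://dc3.example.test:636'")

def classify(url):
    """Return 'ldaps', 'verify-port' or 'not-ldaps' for one server URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "ldaps":
        return "not-ldaps"          # plain LDAP: affected by the AD change
    try:
        port = parts.port
    except ValueError:              # non-numeric or out-of-range port
        port = None
    # Any other port needs the footnote's check that the server really
    # listens for LDAPS there.
    return "ldaps" if port == LDAPS_PORT else "verify-port"

def audit(collected):
    """Map every server URL found in the collected text to its status."""
    urls = re.findall(r"ldaps?://[^'\"\s,]+", collected, flags=re.I)
    return {u: classify(u) for u in urls}

def tls_listening(host, port, timeout=5.0):
    """True if a verified TLS handshake completes on host:port.

    False means nothing answered, the service is not speaking TLS, or the
    certificate is not trusted by the machine running this check.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:                 # includes ssl.SSLError and timeouts
        return False

if __name__ == "__main__":
    for url, status in audit(SAMPLE).items():
        print(f"{status:12} {url}")
```

For any entry reported as verify-port, run tls_listening against that host and port from a machine that trusts the domain controller's certificate chain.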
Additional Information
For additional information on how to configure LDAPS, see the "Configuring the LDAP Users Authentication" section of the XtremIO User Guide.
Affected Products
XtremIO Family
Products
XtremIO Family, XtremIO HW Gen2 400GB, XtremIO HW Gen2 400GB Encrypt Capbl, XtremIO HW Gen2 400GB Encrypt Disable, XtremIO HW Gen2 400GB Exp Encrypt Disable, XtremIO HW Gen2 400GB Expandable, XtremIO HW Gen2 800GB Encrypt Capbl, XtremIO HW Gen2 800GB Encrypt Disable, XtremIO HW Gen3 40TB, XtremIO HW Gen3 40TB Encrypt Disable, XtremIO HW X2-R, XtremIO HW X2-R Encrypt Disable, XtremIO HW X2-S, XtremIO HW X2-S Encrypt Disable, XtremIO HW X2-T, XtremIO HW X2-T Encrypt Disable, XtremIO X1, XtremIO X2
...
Article Properties
Article Number: 000063308
Article Type: Solution
Last Modified: 28 Rabi' al-Thani 1447
Version: 5