Data ONTAP Discussions

Enabling LDAP signing and sealing on the CIFS server

Hello,

In January Microsoft will force "LDAP Signing" (LDAPS) and "channel binding", which will make all unencrypted connections to the Active Directory Domain Controllers impossible.

We are running several SVMs (NetApp Release 9.6P3) which currently still do unencrypted LDAP queries on our Active Directory infrastructure domain controllers. These connections generate an MS "event id 2889".

The security style of those SVMs is NTFS only, and they are only accessed from Windows clients.

From what I understood, there are 2 ways of switching to the LDAP "sign and sealing mode". The first and simplest method is changing the session-security-for-ad-ldap setting to "seal", which I did for all SVMs, and to be sure, I also restarted all CIFS servers of the SVMs.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-77F3AAB5-D8A2-43D7-803D-8797BB75334E.html&lang=en

Unfortunately, this doesn't seem to work, or at least not always, because SVMs still query in clear (no SSL/TLS), as we still log some "event id 2889" on our Domain Controllers from all SVMs. All connections that are logged are made from the SVM computer account, like: "DOMAIN\SVMCITEST2103$"

I would really appreciate some help, ideas or any hint to fix this issue.

Is there some log file (I could view or inspect) and/or any additional ONTAP commands we could use to troubleshoot this kind of issue?

Thank you very much for any help!

Kind regards,

Didier


Re: Enabling LDAP signing and sealing on the CIFS server

I'm being told there is a fast track RFE on this. I would suggest your company enable the GPO from MS that bypasses enforcement of this setting after the patch comes out, until all vendors are in line with this setting.

Re: Enabling LDAP signing and sealing on the CIFS server

Have you seen any additional guidance about this issue or determined the appropriate course of action? This deadline is fast approaching.

Re: Enabling LDAP signing and sealing on the CIFS server

Hello,

This KB may help you:

https://kb.netapp.com/app/answers/answer_view/a_id/1103575

Cheers

Re: Enabling LDAP signing and sealing on the CIFS server

Hi - you mentioned an RFE concerning continued 2889 messages indicating insecure LDAP connections even after enabling the sign/seal options in ONTAP. Did you get any further response from NetApp concerning this? We're seeing the same disquieting issue.

 

Thanks

Re: Enabling LDAP signing and sealing on the CIFS server

Thanks, I was looking for that event ID that gets triggered b/c our vulnerability team is still getting them upon implementing this.

Re: Enabling LDAP signing and sealing on the CIFS server

Some registry changes need to be made on the DCs to enable this event ID, otherwise you just get a daily summary message. Once the logging level is increased for LDAP you can get 2889 errors containing the IPs of each attempted connection. We're seeing occasional insecure LDAP connections on our test SVM - even after applying the recommended settings. We can disable them entirely by fiddling with some of the other CIFS security options - but we'd like proper advice on what's appropriate to change.
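As an added example (not from this thread or from NetApp), here is a small Python triage script for the per-connection 2889 events described above: it parses event bodies exported from a DC's Directory Service log, counts insecure binds per identity and client IP, and reports which of your CIFS server names (as listed by `vserver cifs show` on ONTAP) still show up as machine accounts binding without signing or over cleartext. The sample messages are constructed; the field layout and the meaning of Binding Type 0 (SASL bind without signing) and 1 (simple bind over cleartext) follow Microsoft's description of event 2889.

```python
import re
from collections import Counter

BINDING_TYPES = {"0": "SASL bind without signing", "1": "simple bind over cleartext"}
PREAMBLE = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
            "without requesting signing (integrity verification), or performed a simple bind "
            "over a clear text (non-SSL/TLS-encrypted) LDAP connection.")


def _sample(ip, port, identity, binding_type):
    """Build one constructed 2889 message body in the DC's field layout."""
    return (f"{PREAMBLE}\nClient IP address:\n{ip}:{port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{binding_type}")


# Constructed samples: two SVM machine accounts binding unsigned, one user doing a simple bind.
SAMPLE_EVENTS = [
    _sample("192.0.2.10", 49712, "DOMAIN\\SVMCITEST2103$", 0),
    _sample("192.0.2.10", 49720, "DOMAIN\\SVMCITEST2103$", 0),
    _sample("192.0.2.11", 51003, "DOMAIN\\SVMCITEST2104$", 0),
    _sample("192.0.2.55", 38844, "DOMAIN\\jsmith", 1),
]

_FIELDS = re.compile(
    r"Client IP address:\s*(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<bt>\d)")


def parse_2889(message):
    """Extract client IP, identity and binding type from one 2889 body; None if malformed."""
    m = _FIELDS.search(message)
    if not m:
        return None
    return {"ip": m["ip"], "identity": m["identity"],
            "binding": BINDING_TYPES.get(m["bt"], "unknown")}


def insecure_binds_by_svm(messages, cifs_server_names):
    """Count insecure binds per (identity, ip, binding) and list which of the given CIFS
    server names (machine accounts end in '$') still appear; names compared case-insensitively."""
    wanted = {n.upper() for n in cifs_server_names}
    counts, still_insecure = Counter(), set()
    for msg in messages:
        rec = parse_2889(msg)
        if rec is None:
            continue  # summary or unrelated event text, skip it
        counts[(rec["identity"], rec["ip"], rec["binding"])] += 1
        sam = rec["identity"].rsplit("\\", 1)[-1]  # strip the DOMAIN\ prefix
        if sam.endswith("$") and sam[:-1].upper() in wanted:
            still_insecure.add(sam[:-1].upper())
    return counts, sorted(still_insecure)
```

Feed it the 2889 message bodies exported from the DC (for example via PowerShell's Get-WinEvent) together with your CIFS server names; any name it returns is an SVM whose seal setting is not taking effect for every connection.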

Re: Enabling LDAP signing and sealing on the CIFS server

Yes, I think I'm in the same boat.

Re: Enabling LDAP signing and sealing on the CIFS server

@DaveFord wrote:

Some registry changes need to be made on the DCs to enable this event ID, otherwise you just get a daily summary message. Once the logging level is increased for LDAP you can get 2889 errors containing the IPs of each attempted connection. We're seeing occasional insecure LDAP connections on our test SVM - even after applying the recommended settings. We can disable them entirely by fiddling with some of the other CIFS security options - but we'd like proper advice on what's appropriate to change.

Quick question: where did you see that RFE?

Re: Enabling LDAP signing and sealing on the CIFS server

I haven't seen any RFE - you mentioned an RFE in your post in December.  We've raised a support ticket with NetApp to get an answer to this.

Dave
