Enabling LDAP signing and sealing on the CIFS server
2019-12-15 08:40 AM
In January, Microsoft will force "LDAP Signing" (LDAPS) and "channel binding", which will make all unencrypted connections to the Active Directory Domain Controllers impossible.
We are running several SVMs (NetApp Release 9.6P3) which currently still do unencrypted LDAP queries on our Active Directory infrastructure domain controllers. These connections generate an MS "event id 2889".
The security style of those SVMs is NTFS only, and they are only accessed from Windows clients.
From what I understood, there are 2 ways of switching to the LDAP "signing and sealing" mode. The first and simplest method is changing the session-security-for-ad-ldap setting to "seal", which I did for all SVMs, and to be sure, I also restarted all CIFS servers of the SVMs.
Unfortunately, this doesn't seem to work, or at least not always, because the SVMs still query in the clear (no SSL/TLS), as we still log some "event id 2889" on our Domain Controllers from all SVMs. All connections that are logged are made from the SVM computer account, like: "DOMAIN\SVMCITEST2103$"
I would really appreciate any help, ideas or hints to fix this issue.
Is there some log file (I could view or inspect) and/or any additional ONTAP commands we could use to troubleshoot this kind of issue?
Thank you very much for any help!
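The post relies on Directory Service Event ID 2889 entries on the domain controllers to tell which accounts are still binding without signing or over clear-text simple binds. The following is an added example, not code from the original post or from NetApp: a small parser that triages exported 2889 message bodies, counts offending binds per identity, records the source addresses, and singles out computer accounts (names ending in "$", such as an SVM's CIFS server account) so they can be re-checked after the session-security-for-ad-ldap change. The event layout it parses is an approximation of the 2889 message fields, and the sample entries are constructed, not real log data; it generalizes beyond the post's single account to any mix of identities and binding types.

```python
"""Triage Windows Directory Service Event ID 2889 entries to see which
accounts still bind to a domain controller without LDAP signing or over
clear-text simple binds.

Added example, not from the original post or from NetApp. The event layout
below is an approximation of the 2889 message body (client address,
identity, binding type) and the sample entries are constructed, not real
log data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three 2889 message bodies as they might be exported
# from a domain controller's Directory Service log (approximated format).
SAMPLE_EVENTS = """
Client IP address: 10.1.2.3:49152
Identity the client attempted to authenticate as: DOMAIN\\SVMCITEST2103$
Binding Type: 0
---
Client IP address: 10.1.2.3:49160
Identity the client attempted to authenticate as: DOMAIN\\SVMCITEST2103$
Binding Type: 0
---
Client IP address: 10.9.8.7:55001
Identity the client attempted to authenticate as: DOMAIN\\svc-legacyapp
Binding Type: 1
"""

# Binding Type values as documented for event 2889.
BINDING_TYPES = {
    "0": "SASL bind without signing",
    "1": "simple bind over clear text",
}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d+)",
    re.DOTALL,
)


def parse_events(text):
    """Return a list of dicts, one per parsed 2889 event body."""
    events = []
    for chunk in text.split("---"):
        m = EVENT_RE.search(chunk)
        if m:
            d = m.groupdict()
            d["binding"] = BINDING_TYPES.get(d["btype"], "unknown")
            events.append(d)
    return events


def summarize(events):
    """Count insecure binds per identity and collect the source IPs seen."""
    counts = Counter()
    sources = defaultdict(set)
    for e in events:
        counts[e["identity"]] += 1
        sources[e["identity"]].add(e["ip"])
    return counts, {k: sorted(v) for k, v in sources.items()}


def machine_accounts(events):
    """Identities ending in '$' are computer accounts, e.g. an SVM's CIFS
    server account; these are the ones to re-check after changing
    session-security-for-ad-ldap."""
    return sorted({e["identity"] for e in events if e["identity"].endswith("$")})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    counts, srcs = summarize(evs)
    for ident, n in counts.most_common():
        print(f"{ident}: {n} event(s) from {', '.join(srcs[ident])}")
    print("Computer accounts still binding insecurely:", machine_accounts(evs))
```

Run it against a text export of the 2889 events collected after the CIFS servers were restarted; if an SVM account still appears in the computer-account list, that SVM is still binding without signing or sealing and the setting (or the restart) did not take effect on it.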