Thanks so much Alan for being so responsive!!
I noticed the advisory was updated late Feb with an FAQ, which mentions that .NET apps should not need code changes, but other notes recommend making application updates, so it was a little unclear if .NET apps do indeed need changes or if the framework would handle it once the settings are enforced. We do not have a separate domain that we can use for testing these settings, so we would either need to make the assumption that .NET apps will be fine with the enforced settings or make code changes to ensure we can test and confirm the secure connections. Is there a specific recommendation for .NET apps? While monitoring, we can also see that our SQL Servers are making unsecure LDAP connections even though we don't query LDAP directly from them.
How do clients use SSL/TLS CBT, do I have to change the applications?
Windows applications that are built on .NET Framework or Active Directory Service Interfaces (ADSI), or that make LDAP calls into WLDAP32, have LDAP signing and channel binding handled for them by WLDAP32. Please contact your SDK equivalent for non-Windows device OSes, services, and applications.
Does this mean we have to move all LDAP applications to port 636 and switch to SSL/TLS?
No. When SASL with signing is used, LDAP is more secure over port 389.
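The FAQ above says WLDAP32 negotiates signing for .NET callers, but the result still depends on the client-side "LDAP client signing requirements" policy and on the bind type: signing can only be negotiated on a SASL bind (Negotiate/Kerberos/NTLM), never on a simple bind, so an app that simple-binds over port 389 is exactly the kind of connection a DC set to "Require signing" will reject. The following is an added example, not code from the advisory or from Microsoft, showing how a .NET app can request signing and sealing explicitly through both System.DirectoryServices.Protocols and ADSI (System.DirectoryServices) so it no longer relies on the policy default; the hostname and base DN are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;

// Added example (not part of the advisory): a .NET client that explicitly asks
// WLDAP32 for SASL signing and sealing on port 389. Hostname/DN are placeholders.
static class SignedLdapExample
{
    const string DomainController = "dc01.example.local"; // placeholder
    const string BaseDn = "DC=example,DC=local";           // placeholder

    // System.DirectoryServices.Protocols wraps wldap32; with these session
    // options the library negotiates integrity (signing) and confidentiality
    // (sealing) during the SASL bind, which satisfies "Require signing" on the DC.
    public static int CountUsersWithLdapConnection()
    {
        var identifier = new LdapDirectoryIdentifier(DomainController, 389);
        using (var conn = new LdapConnection(identifier))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;  // SASL bind: a simple bind cannot negotiate signing
            conn.SessionOptions.Signing = true;  // integrity protection on every LDAP message
            conn.SessionOptions.Sealing = true;  // encrypts the session even though it is port 389
            conn.Bind();                         // binds as the current Windows identity

            var request = new SearchRequest(BaseDn, "(objectClass=user)",
                                            SearchScope.Subtree, "sAMAccountName");
            var response = (SearchResponse)conn.SendRequest(request);
            return response.Entries.Count;
        }
    }

    // ADSI route (System.DirectoryServices): the same effect is obtained through
    // AuthenticationTypes flags. Secure selects the Negotiate (SASL) bind; Signing
    // and Sealing request the same integrity/confidentiality as above.
    public static string ReadDomainObjectNameWithDirectoryEntry()
    {
        var flags = AuthenticationTypes.Secure
                  | AuthenticationTypes.Signing
                  | AuthenticationTypes.Sealing;
        using (var entry = new DirectoryEntry("LDAP://" + DomainController + "/" + BaseDn,
                                              null, null, flags))
        {
            object name = entry.Properties["name"].Value;
            return name == null ? "" : name.ToString();
        }
    }

    static void Main()
    {
        Console.WriteLine("User objects: " + CountUsersWithLdapConnection());
        Console.WriteLine("Domain object name: " + ReadDomainObjectNameWithDirectoryEntry());
    }
}
```

Two points to keep in mind when reading this against the FAQ: channel binding (CBT) only applies to LDAPS/StartTLS sessions, so on a plain port-389 SASL session with signing and sealing there is no channel binding to configure, which is why the answer above says port 389 with SASL signing is still fine. For the SQL Server observation in the post, the DC's Directory Service event log is the place to look once "16 LDAP Interface Events" diagnostic logging is raised to 2: event 2889 is written per client that performs an unsigned SASL bind or a simple bind without TLS and records the client IP and the account used, which identifies which component on the SQL host is making the call (for example a linked-server or an agent job using a simple bind).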