Configuring SharePoint 2013 FBA with secure LDAP


We currently have a 2013 Farm with FBA configured to use LDAP authentication.  


Due to the upcoming security changes to LDAP Default settings (see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023), we need to enable secure LDAP communications for FBA.


I can find dozens of articles online about how to configure FBA, but they all use normal LDAP (i.e. port 389/no SSL).  I have yet to find one enabling secure LDAP.

Example:


<membership>
   <providers>
      <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=sharepoint,DC=com"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com"
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
   </providers>
</roleManager>


Is enabling secure LDAP as simple as changing the following?

  •  port="389" => port="636"
  •  useSSL="false" => useSSL="true"

Or are there settings elsewhere that need to be configured as well?


Update (5-Feb-2020):


So, I have partially answered my question.

In a test Environment, I made the changes to use port 636 and set useSSL="true", but I still get the same log entry when logging in:


The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.


So, I thought that perhaps I need to change the policies to "require signing" for the Server and Client.  I adjusted the group policies, but it still logged the event, only with the added bonus of the logon failing. :unamused:


So, now my question goes from "is it as simple as...?" to just "are there settings elsewhere that need to be configured as well"?


Thanks,

Eric
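Added example (not part of the original post): a PowerShell check, run from the SharePoint web front end, that verifies the two things port="636" with useSSL="true" depends on before the provider is switched over: that the DC's certificate is trusted and matches the name in the server= attribute, and that a simple bind over that TLS session succeeds. The server name and port mirror the provider attributes above; $Credential is an assumed test account in the userContainer.

```powershell
# Added example, not the original poster's code. Checks LDAPS prerequisites for the
# LdapMembershipProvider / LdapRoleProvider settings from a SharePoint WFE.
# Assumptions: $Server/$Port mirror the provider's server= and port= attributes,
# $Credential is a test account that the membership provider would authenticate.
param(
    [string]$Server = "dc.sharepoint.com",
    [int]$Port = 636,
    [pscredential]$Credential = (Get-Credential -Message "Test LDAP account (DOMAIN\user or UPN)")
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Step 1: TLS handshake only. This fails for the same reasons the provider would with
# useSSL="true": DC certificate not trusted by this machine, or subject/SAN not matching $Server.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Server)   # throws AuthenticationException on trust or name mismatch
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("TLS OK: {0}  subject={1}  expires={2}" -f $ssl.SslProtocol, $cert.Subject, $cert.NotAfter)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Step 2: LDAP simple bind over TLS on port 636, which is what the provider does once
# useSSL="true" is set. A bind rejected here will also fail at the FBA login page.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $conn.Bind($Credential.GetNetworkCredential())   # throws LdapException on bad credentials or refused bind
    Write-Host "LDAPS simple bind OK as $($Credential.UserName)"
} finally {
    $conn.Dispose()
}
```

A simple bind that completes through this path is encrypted end to end, so it is not one of the binds the quoted DC event describes; if that event keeps appearing after the change, the binds it reports are still arriving over port 389 from some other component or provider.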

1 Reply

I got the same issue. Does SharePoint 2013 not support secure LDAP? Could any specialist help?