Configuring SharePoint 2013 FBA with secure LDAP


We currently have a 2013 Farm with FBA configured to use LDAP authentication.  
Due to the upcoming security changes to LDAP Default settings (see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023), we need to enable secure LDAP communications for FBA.
I can find dozens of articles online about how to configure FBA, but they all use normal LDAP (i.e. port 389/no SSL).  I have yet to find one enabling secure LDAP.

Example:
<membership>
   <providers>
      <add name="LdapMember" 
         type="Microsoft.Office.Server.Security.LdapMembershipProvider,
 Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
 PublicKeyToken=71e9bce111e9429c" 
         server="dc.sharepoint.com" 
         port="389" 
         useSSL="false" 
         userDNAttribute="distinguishedName" 
         userNameAttribute="sAMAccountName" 
         userContainer="OU=SPUsers,DC=sharepoint,DC=com" 
         userObjectClass="person" 
         userFilter="(ObjectClass=person)" 
         scope="Subtree" 
         otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" > 
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, 
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, 
PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" 
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
   </providers>
</roleManager>
Is enabling secure LDAP as simple as changing the following?

  •  port="389" => port="636"
  •  useSSL="false" => useSSL="true"

Or are there settings elsewhere that need to be configured as well?
Update (5-Feb-2020):
So, I have partially answered my question.

In a test environment, I made the changes to use port 636 and set useSSL="true", but I still get the same log entry when logging in:

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
So, I thought that perhaps I need to change the policies to "require signing" for the Server and Client.  I adjusted the group policies, but it still logged the event, only with the added bonus of the logon failing.

So, now my question goes from "is it as simple as...?" to just "are there settings elsewhere that need to be configured as well"?
Thanks,

Eric
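The two settings the post asks about, checked by an added example that is not part of the original thread: a small Python audit that reads web.config-style XML and flags every SharePoint LDAP membership or role provider entry still set to port 389 without SSL. In SharePoint 2013 claims-mode FBA the bind that authenticates the user is performed by the Security Token Service, so the provider entries in the SecurityTokenServiceApplication web.config and the Central Administration web.config need the same change as the web application's web.config. The sample fragment below is constructed from the attributes in the post, and any file paths passed on the command line are whatever the reader supplies.

```python
import sys
import xml.etree.ElementTree as ET

LDAP_PROVIDER_PREFIX = "Microsoft.Office.Server.Security.Ldap"

# Constructed sample web.config fragment built from the attributes in the post:
# the membership provider is still on 389/no SSL, the role provider already uses LDAPS.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider,
  Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="389" useSSL="false"
         userNameAttribute="sAMAccountName" userContainer="OU=SPUsers,DC=sharepoint,DC=com" />
  </providers></membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="636" useSSL="true"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn" />
  </providers></roleManager>
</system.web></configuration>"""


def audit_ldap_providers(config_xml):
    """Return {provider name: [findings]}; an empty list means the entry uses LDAPS."""
    report = {}
    for add in ET.fromstring(config_xml).iter("add"):
        # The type attribute is usually wrapped across lines; normalise before matching.
        type_name = " ".join((add.get("type") or "").split())
        if not type_name.startswith(LDAP_PROVIDER_PREFIX):
            continue
        # Absent attributes are treated as the insecure defaults (port 389, no SSL).
        port = add.get("port", "389").strip()
        use_ssl = add.get("useSSL", "false").strip().lower()
        findings = []
        if use_ssl != "true":
            findings.append("useSSL is not true: the bind sends credentials in clear text")
        if port != "636":
            findings.append("port %s is not the LDAPS port 636" % port)
        report[add.get("name")] = findings
    return report


if __name__ == "__main__":
    # Audit each web.config path given (web application, STS, Central Administration);
    # with no arguments the constructed sample is audited instead.
    sources = [open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]] or [SAMPLE_WEB_CONFIG]
    for src in sources:
        for name, findings in audit_ldap_providers(src).items():
            print(name, "OK (LDAPS)" if not findings else "; ".join(findings))
```

If the domain controller's Directory Service log still records the entry quoted in the post (Event ID 2889) after every web.config reports OK, the event's client IP address and identity fields identify which host and account are still binding in clear text.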

1 Reply

I got the same issue. Does SharePoint 2013 not support secure LDAP? Could any specialist help?