Microsoft's planned changes to LDAP Signing will affect non-SSL/TLS LDAP authentication in Empower - WKB88530
Article number: 88530
SYMPTOMS
- Empower authentication attempts using non-SSL/TLS LDAP fail. The error message "Not enough storage is available to process this command. : User - username" appears.
- Empower users with "Always Local" accounts are able to log in successfully.
ENVIRONMENT
- Empower environments where authentication is configured to use non-SSL/TLS LDAP authentication methods
- Empower 2 FR5 and later
- Empower 3
CAUSE
Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers. A future monthly update, anticipated for release in the second half of 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
FIX or WORKAROUND
- Enable SSL/TLS security in the LDAP configurations for Empower, or
- Per Microsoft's guidance in KB935834, set the group policies to configure LDAP server signing requirements to 'None'
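Before choosing between the two options, it helps to know which hosts and accounts are still binding to a domain controller without SSL/TLS or signing. The following PowerShell is an added example, not part of the original article or of Empower. It assumes the standard Windows registry value names and Directory Service event ID 2889, none of which are named in the article, and it is meant to be run elevated on a domain controller.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Current enforcement state. An empty value means the registry value is not set
# and the domain controller is using its default.
#   LDAPServerIntegrity:       1 = None, 2 = Require signing
#   LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
$cur = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
[pscustomobject]@{
    LDAPServerIntegrity       = $cur.LDAPServerIntegrity
    LdapEnforceChannelBinding = $cur.LdapEnforceChannelBinding
}

# Event 2889 (one per unsigned or clear-text bind) is only written when
# "16 LDAP Interface Events" diagnostic logging is set to 2 or higher.
$level = (Get-ItemProperty -Path $diag -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if ($level -lt 2) {
    Write-Warning "LDAP interface logging is below level 2; event 2889 will not be recorded."
}

# Summarise which clients and accounts performed those binds.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        # Property 0 is "address:port"; drop the source port.
        ClientIP = ([string]$_.Properties[0].Value) -replace ':\d+$', ''
        Account  = [string]$_.Properties[1].Value
        BindType = switch ([int]$_.Properties[2].Value) {
            0       { 'SASL bind without signing' }
            1       { 'Simple bind without SSL/TLS' }
            default { 'Unknown' }
        }
    }
} | Group-Object ClientIP, Account, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```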
ADDITIONAL INFORMATION