LDAP Channel Binding and LDAP Signing Requirements for Windows

  • 7024664
  • 03-Jun-2020
  • 09-Jun-2020


Host Access Management and Security Server (MSS)
Reflection for the Web (RWeb) 12.2 and earlier
Microsoft Windows Servers
Lightweight Directory Access Protocol (LDAP)
Port 389/3268
Port 636/3269


Microsoft has issued a Security Advisory (ADV190023) which addresses a vulnerability with the default LDAP configuration in Windows Servers. The advisory recommends changing settings for LDAP channel binding and LDAP signing.

The recommended changes will mitigate an attacker's ability to elevate privileges and create a man-in-the-middle situation.


Follow the Security Advisory's recommended actions: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Micro Focus' Management and Security Server (MSS) already supports these settings. MSS only needs to be configured for LDAPS on port 636 or 3269. It is recommended customers move to LDAPS when possible to avoid potential compatibility issues if Microsoft changes their default properties via a Service Pack or Security Update.


Earlier versions of Windows Servers did not enable sufficient security settings to thwart off this type of attack.


Security Alert

Additional Information

Microsoft has implemented these changes in newer version of their operating systems. They may or may not change the default properties to enable these settings in future Service Packs or Security Updates.