The impact of 2020 LDAP channel binding and LDAP signing requirement for Windows on Worry-Free Business Security Services (WFBS-SVC)

    • Updated: 9 Mar 2020
    • Product/Version: Worry-Free Business Security Services
    • Platform: N/A
Summary

Microsoft intends to release a security update that enables LDAP channel binding and LDAP signing hardening changes. The update is set to be available on March 10, 2020. After the hardening changes, Microsoft Active Directory servers will reject LDAP simple binds.

Details

We strongly advise administrators to perform a re-installation using the new Common Active Directory Sync (CADS) agent. Administrators must uninstall the existing CADS agent first, because the new agent installer does not automatically uninstall it. Note the following points, then follow the detailed steps below:

  • Whether this is a re-installation or a fresh installation, the user can only select either LDAP or LDAPS support.
  • LDAP stands for Lightweight Directory Access Protocol and LDAPS for Secure LDAP. In the ldapSync.ini file, setting ldaps to 0 selects LDAP and setting ldaps to 1 selects LDAPS.
  • If ldaps is set to 1, the port number in the console UI has no effect; the LDAPS port must be changed in the same ldapSync.ini file. Refer to steps 4.a and 4.b for details.
  • When ldaps is set to 1, the Server FQDN or IP Address field must contain the AD server FQDN (e.g., yourdomain.com) and not the IP address.

  1. From Windows Add/Remove Programs, uninstall the existing CADS agent.
  2. After the existing CADS agent is uninstalled, manually delete all folders and files under "C:\Program Files (x86)\Trend Micro\Trend Micro Common AD Service".
  3. From the WFBS-SVC console, download and install the new CADS agent.
  4. After the new CADS agent is installed, if LDAPS is enabled on the Windows AD server, close the CADS agent and configure the settings below. (Skip this step if LDAPS is disabled; otherwise CADS synchronization will fail.)

    a. Launch Windows Notepad and open ldapSync.ini under "C:\Program Files (x86)\Trend Micro\Trend Micro Common AD Service\ADSyncAgent". Change "ldaps=0" to "ldaps=1".
    b. If LDAPS does not use the standard port (636), change the port number in "ldaps_port=636" to the port in use.
  5. Launch the CADS agent with administrator privileges.
  6. Follow the CADS synchronization tool setup steps on the WFBS-SVC console to set up the new CADS agent.
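
A pre-flight check for the settings in step 4 and the notes above, as an added example (not Trend Micro code). Only the `ldaps` and `ldaps_port` keys come from this article; the function names, the `server` and `console_port` parameters and the sample file contents are assumptions.

```python
import ipaddress
import re

# Constructed sample; only the ldaps and ldaps_port keys come from the article.
SAMPLE_INI = "; constructed ldapSync.ini sample\nldaps=1\nldaps_port=3269\n"

def read_keys(ini_text):
    """Collect key=value pairs, skipping blanks, comments and [section] headers."""
    keys = {}
    for line in ini_text.splitlines():
        m = re.match(r"\s*([^;#\[=\s][^=\s]*)\s*=\s*(.*?)\s*$", line)
        if m:
            keys[m.group(1).lower()] = m.group(2)
    return keys

def is_ip_literal(host):
    """True for an IPv4/IPv6 literal (optionally bracketed), False for a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def check_cads_settings(ini_text, server, console_port):
    """Return (effective_port, findings). server and console_port stand for
    the values entered in the console UI (hypothetical parameter names)."""
    keys, findings = read_keys(ini_text), []
    ldaps = keys.get("ldaps")
    if ldaps not in ("0", "1"):
        return None, [f"ldaps must be 0 or 1, found {ldaps!r}"]
    if ldaps == "0":
        return console_port, findings  # plain LDAP: the console port applies
    port = keys.get("ldaps_port", "")
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        return None, [f"ldaps_port must be 1-65535, found {port!r}"]
    if is_ip_literal(server):
        findings.append("ldaps=1 needs the AD server FQDN, not an IP address")
    if int(port) != console_port:
        findings.append(f"console port {console_port} is ignored; "
                        f"ldaps_port={port} is used")
    return int(port), findings

if __name__ == "__main__":
    print(check_cads_settings(SAMPLE_INI, "10.0.0.5", 389))
```
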

Applying Microsoft's security update of March 10, 2020 may leave the old CADS agent unable to sync with Active Directory, in which case the Active Directory Integration feature will fail. It is recommended to perform a re-installation using the new CADS agent before the Microsoft security update is applied. There will be no impact on client machines, since the CADS agent is installed only on the Active Directory server.

For additional references, you may click on the hyperlinks below:

If any compatibility issue is found, administrators will need to contact Technical Support.

Category: Configure; Install
Solution Id: 000246131