Microsoft intends to release a security update that enables the LDAP channel binding and LDAP signing hardening changes. This update is set to be available on March 10, 2020. After the hardening changes, Microsoft Active Directory servers will reject simple LDAP binds made over unencrypted (non-TLS) connections.
We strongly advise administrators to perform a re-installation of the new Common Active Directory Sync (CADS) agent. Take note that administrators need to uninstall the existing CADS agent first as the new agent installer won’t automatically uninstall the existing one. Below are the detailed steps:
Note:
- Whether this is a re-installation or a fresh installation, the agent can be switched to either LDAP or LDAPS support, not both.
- LDAP stands for Lightweight Directory Access Protocol and LDAPS for Secure LDAP (LDAP over SSL/TLS). Setting ldaps=0 in the ldapSync.ini file selects LDAP; setting ldaps=1 selects LDAPS.
- The port number entered in the console UI is ignored when ldaps=1 is set; the LDAPS port must be changed in the same ldapSync.ini file. Refer to steps 4.a and 4.b below.
- When ldaps=1 is set, the Server FQDN or IP Address field must contain the AD server's FQDN (e.g., yourdomain.com), not its IP address, because the server certificate is validated against the host name.

Steps:
1. From Windows Add/Remove Programs, uninstall the existing CADS agent.
2. After the existing CADS agent is uninstalled, manually delete all folders and files under "C:\Program Files (x86)\Trend Micro\Trend Micro Common AD Service".
3. From the WFBS-SVC console, download and install the new CADS agent.
4. After the new CADS agent is installed, if LDAPS is enabled on the Windows AD server, close the CADS agent and configure the settings below. (Skip this step if LDAPS is disabled on the AD server; setting ldaps=1 in the agent when the server does not offer LDAPS will make CADS sync fail.)
   a. Launch Windows Notepad and open ldapSync.ini under "C:\Program Files (x86)\Trend Micro\Trend Micro Common AD Service\ADSyncAgent". Change “ldaps=0” to “ldaps=1”.
   b. If LDAPS on the AD server does not use the standard port (636), change the port number in “ldaps_port=636” to the port in use.
5. Launch the CADS agent with administrator privileges.
6. Follow the CADS synchronization tool setup steps on the WFBS-SVC console to configure the new CADS agent.
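The following PowerShell script is an added example, not Trend Micro's code. It performs the check an administrator would want before step 4: it refuses an IP address for the server name, confirms that the AD server really answers LDAPS on the chosen port with a certificate that matches its FQDN, and only then rewrites the two ldapSync.ini keys the article names (ldaps and ldaps_port), leaving the rest of the file untouched. The ini path and key names come from the article; the $AdFqdn and $LdapsPort values are placeholders for your own environment.

```powershell
# Added example (not Trend Micro's code). Verifies LDAPS on the AD server,
# then switches ldapSync.ini to ldaps=1 with the correct port.
param(
    [string]$AdFqdn    = 'dc01.yourdomain.com',   # placeholder: AD server FQDN, never an IP
    [int]   $LdapsPort = 636,                     # change if LDAPS uses a non-standard port
    [string]$IniPath   = 'C:\Program Files (x86)\Trend Micro\Trend Micro Common AD Service\ADSyncAgent\ldapSync.ini'
)

# The TLS certificate is matched against the host name, so an IP address will not validate.
if ([System.Net.IPAddress]::TryParse($AdFqdn, [ref]$null)) {
    throw "Use the AD server FQDN, not an IP address: $AdFqdn"
}

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default validation: certificate chain must be trusted and the name must match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "LDAPS OK on ${HostName}:${Port} - subject '$($cert.Subject)', expires $($cert.NotAfter)"
        $ssl.Close()
        return $true
    } catch {
        Write-Warning "LDAPS handshake to ${HostName}:${Port} failed: $($_.Exception.Message)"
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-LdapsEndpoint -HostName $AdFqdn -Port $LdapsPort)) {
    throw "Leave ldaps=0 until LDAPS works on the server; with ldaps=1 the CADS sync would fail."
}

# Rewrite only the ldaps and ldaps_port keys; every other line is kept verbatim.
$updated = Get-Content -Path $IniPath | ForEach-Object {
    switch -Regex ($_) {
        '^\s*ldaps\s*='      { 'ldaps=1';               break }
        '^\s*ldaps_port\s*=' { "ldaps_port=$LdapsPort"; break }
        default              { $_ }
    }
}
if ($updated -notcontains 'ldaps=1') {
    throw "No 'ldaps=' key found in $IniPath; check the agent installation before editing."
}
Set-Content -Path $IniPath -Value $updated
Write-Host "ldapSync.ini now has ldaps=1 and ldaps_port=$LdapsPort; launch the CADS agent as administrator."
```

Run it on the AD server from an elevated PowerShell prompt with the CADS agent closed, passing your own FQDN and port (for example `.\Set-CadsLdaps.ps1 -AdFqdn dc01.yourdomain.com -LdapsPort 636`). A handshake failure is the signal to stay on ldaps=0 and fix the server-side certificate or listener first, which is exactly the failure mode the note in step 4 warns about.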
Once Microsoft’s security update is applied on March 10, 2020, the old CADS agent may no longer be able to sync with Active Directory, and the Active Directory Integration feature will therefore fail. It is recommended to perform a re-installation of the new CADS agent before Microsoft’s security update is applied. There will be no impact on the client machines, since the CADS agent is installed only on the Active Directory server.
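To find out before the update lands whether the old CADS agent (or any other client) still performs clear-text simple binds against the domain controller, the following added PowerShell check can be run on the DC. It is not Trend Micro's or Microsoft's code; it relies on the Microsoft-documented Directory Service events 2887 (a 24-hour summary of unsigned and clear-text binds, logged by default) and 2889 (one event per client, emitted only once the "16 LDAP Interface Events" diagnostic level under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is raised to 2). The seven-day window and the IPv4/IPv6 address parsing are assumptions of this example.

```powershell
# Added example (not Trend Micro's or Microsoft's code). Lists clients that recently
# performed binds the LDAP signing/channel binding hardening will reject.
$diag  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Write-Warning "Per-client event 2889 logging is off (level $level). Enable it with:"
    Write-Warning "  Set-ItemProperty -Path '$diag' -Name '16 LDAP Interface Events' -Value 2"
}

$since  = (Get-Date).AddDays(-7)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 2887: daily totals, e.g. "Number of simple binds performed without SSL/TLS: 12"
foreach ($e in ($events | Where-Object Id -eq 2887)) {
    $counts = [regex]::Matches($e.Message, 'Number of [^:\r\n]+:\s*\d+') | ForEach-Object Value
    Write-Host ("{0}  {1}" -f $e.TimeCreated, ($counts -join '; '))
}

# 2889: "Client IP address: <ip>:<port>" followed by the identity used for the bind.
# Greedy \S+ backtracks to the last colon, so both 10.0.0.5:49158 and fe80::1:49158 yield the address.
$events | Where-Object Id -eq 2889 | ForEach-Object {
    $ip = [regex]::Match($_.Message, 'Client IP address:\s*(\S+):\d+')
    $id = [regex]::Match($_.Message, 'authenticate as:\s*(.+)')
    [pscustomobject]@{
        Client   = if ($ip.Success) { $ip.Groups[1].Value } else { 'unknown' }
        Identity = if ($id.Success) { $id.Groups[1].Value.Trim() } else { 'unknown' }
        Time     = $_.TimeCreated
    }
} | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object @{ n = 'Client,Identity'; e = { $_.Name } }, Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

A CADS agent that still uses plain LDAP shows up here as the AD server's own address (or 127.0.0.1) bound with the sync account; once the agent has been re-installed with ldaps=1, that line should disappear from subsequent runs, which is a practical way to confirm the migration before the update is applied.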
For additional references, you may click on the hyperlinks below:
- Configuring Active Directory Integration in Worry-Free Business Security Services (WFBS-SVC)
- Configuring Active Directory Integration
If any compatibility issue is found, administrators will need to contact Technical Support.