APM AD auth and LDAP request signing

Question

Microsoft intends to require LDAP singing by default in their upcoming January 2020 server security updates. See https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows. This to mitigate certain LDAP vulnerabilities.In APM, AD Auth uses LDAP SASL GSS-API/Kerberos to implement the user authentication. However it seems that the actual LDAP AS-Requests are not signed (at least in sw 14.1.x), nor there seem to be any option to sign those. This means they can possibly be used for elevation of privilege. Using Kerberos Pre-Auhentication reduces the risk somewhat, but to my understanding, does not remove it fully.For an APM 14.1.2.1 authentication request, the AD logs indicate:The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
&nbsp;
Client IP address:
x.x.x.x:38874
Identity the client attempted to authenticate as:
DOMAINX\svc-f5-account-x
Binding Type:
0Binding type should be "1" to indicate signed request.Is there any way to get the LDAP requests signed? I would not like to go to LDAP Auth using LDAPS as a workaround to enhance security.

dave_w · Answer

Hello, at this point it looks like F5 is recommending to use LDAPS and change AD Query to LDAP Query.

thi · Answer

I think F5 should consider an RFE for LDAP request singing instead of using LDAP Query, as I believe the AD Auth is used in most APM authentication deployments against AD. Using LDAPS query will be a major reconfig in some cases..

dave_w · Answer

I did some checking and it appears there is a doc update RFE. Apparently there has been some testing done with AD Query that was successful, HOWEVER more extensive testing has not been completed so I would not consider this technically supported yet. FYI.

bm99 · Answer

F5 appear to have issued an article on the 8th Jan that appears to state there is no issue. https://support.f5.com/csp/article/K30054212

I really would have expected more detailed information regards to the APM AD and the mechanisms it supports for compliance purposes. Questions are now being asked if data is being passed in the clear. If I can't get more info I am going to have to switch to LDAPS. This was the original recommendation from support at the tail end of 2019 which is worst case. We still have our DC's configured to provide more detailed logs and see the event 2889 as a result of the F5 making an unsigned LDAP bind. Hopefully we will get more information soon, I will also keep chasing my SE for an more definitive answer.

thi · Answer

In November we did some tcpdumps when APM did the AD Auth (14.1.x sw). Using wireshark on the dumps we saw that there were no signing of the LDAP SASL binding requests. ALso the AD event log indicated the same. The K30054212 recommendation "No changes are required for LDAPS or Active Directory AAA servers" may need some more clarification?

Forum Discussion

APM AD auth and LDAP request signing

6 Replies

Recent Discussions

[ASM] - what is "Browser Challange file" ?

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

POC: Create and sign a JWT with iRule

Distributed caching of authentication requests with NGINX Ingress Controller

AS3 signed rpms

Logging DNS Requests

Insert Basic Auth Header