Upcoming Microsoft LDAP Security Update with Sage X3

A Windows Security Update from Microsoft will be available in March 2020 that will enable LDAP channel binding and LDAP signing hardening for Active Directory. For more information about this update, see the Official Microsoft Announcement.

Sage X3 environments configured to connect to Active Directory with LDAPS for user authentication or synchronization will continue to work normally. However, Sage X3 environments configured to connect to Active Directory with simple LDAP binding will encounter the following error once the security update is in effect:

Connection error: StrongAuthRequiredError: 00002028: LdapErr: DSID-0C090200, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

For supported Sage X3 versions (U9, V11, V12), updating the Sage X3 configuration to use LDAPS instead of LDAP will avoid this error.

Here are the steps to change from LDAP to LDAPS:

    1. Obtain the Active Directory CA Certificate. For example, on the host holding the ADCS role, open the Certificates Snap-in in the Microsoft Management Console (MMC), and then export the AD CA certificate from Personal/Certificates of the local computer.
    2. The certificate must be in Base64 format and not contain the private key.
    3. In Sage X3, go to Administration > Administration > Certificates > Certificates of Certification Authorities
    4. Select Actions > New CA Certificate
    5. Enter a name, description and upload the CA certificate exported previously
    6. Select Actions > Save
    7. Go to Administration > Administration > Authentication > LDAP Servers
    8. Click on the connection to edit
    9. Select Actions > Edit
    10. Set the correct protocol (LDAPS) and Port (636 or 3269) in the URL
    11. Click on the magnifying glass icon under CA Certificates of LDAP server for TLS
    12. Select the CA Certificate created previously, and then click OK
    13. Select Actions > Save
    14. Select Actions > Connection Test, and make sure it says Connection OK
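
The checks behind steps 1, 2 and 14 can also be run outside Sage X3 before changing the configuration. The Python sketch below is an added example, not Sage or NexTec code: it verifies that the exported file is Base64 (PEM) with no private key, and that the LDAPS port presents a certificate chaining to that CA. The function names and the sample data are assumptions made for illustration.

```python
import base64
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Constructed sample (placeholder bytes, not a real certificate).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBCgAA\n-----END CERTIFICATE-----\n"


def check_ca_export(data: bytes) -> list[str]:
    """Return problems found in an exported CA file; an empty list means usable."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["binary file (DER or PFX): re-export as Base64-encoded X.509"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found: expected -----BEGIN CERTIFICATE-----"]
    problems = []
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("file contains a private key: export the certificate only")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block in file")
    for label, body in blocks:
        if label != "CERTIFICATE":
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("CERTIFICATE block is not valid Base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
            problems.append("CERTIFICATE block does not decode to DER")
    return problems


def ldaps_handshake(host: str, ca_file: str, port: int = 636) -> str:
    """TLS-connect to the LDAPS port trusting only ca_file; return the TLS version.

    Raises ssl.SSLCertVerificationError if the server certificate does not
    chain to the CA in ca_file or does not match host.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Call ldaps_handshake with the same host name and port that will go into the LDAPS URL in step 10, since the certificate is validated against that name.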

For unsupported Sage X3 versions with LDAPS functionality (between V7P11 and U9), we advise setting up a test environment to check the compatibility of Sage X3 with the new security parameters described in the Microsoft announcement.

Sage X3 versions prior to V7P11 do not support LDAPS. In this case, the only way to keep Sage X3 connected to Active Directory will be to configure the new security parameters described in the Microsoft announcement back to their previous values. This is not recommended and we encourage you to upgrade to a more recent Sage X3 version instead.

If you have any questions on this or would like to discuss the implications for your particular environment, please don’t hesitate to use Basecamp to reach out to the NexTec Sage X3 Support Team or contact your NexTec Project Manager.

