Update (5/13/2020): This post has been updated to reflect current guidance on this topic. More information can be found in the post "vSphere Authentication, Microsoft Active Directory LDAP, and Event ID 2889."
Customers who are using Microsoft Active Directory (AD) as an authentication source for VMware vSphere and other VMware products have been tracking the announcements from Microsoft that the March 2020 Windows Updates would change the default behavior of the Active Directory LDAP services.
On February 4, 2020, Microsoft updated their guidance to indicate that the March 2020 Windows Updates WILL NOT change the defaults. Instead, they are changing how the LDAP channel binding and signing settings are controlled with Group Policy, and will provide additional auditing capabilities so administrators can identify clients that still bind without signing or encryption. Please review their guidance, linked below.
VMware recommends that data always be encrypted in flight on the network. This is especially true for authentication data, where an attacker could intercept login credentials and use them to breach additional systems. VMware vSphere fully supports encrypted access to Active Directory. Please refer to the vSphere documentation for guidance on configuring those mechanisms.
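The auditing capability mentioned above is what lets an administrator find out, before tightening any defaults, which clients are still binding to Active Directory without signing or encryption. The following PowerShell script is an added example and is not part of the original VMware post or of Microsoft's guidance: it reads Event ID 2889 (logged by a domain controller once per unsigned or clear-text LDAP bind) from the Directory Service log and summarizes the offending clients. It assumes the script is run on a domain controller where the "16 LDAP Interface Events" diagnostic level has been raised so that 2889 events are written, and that the event message is in English; the `-Hours` parameter, the regular expressions and the output layout are this example's own choices.

```powershell
# Added example, not code from the VMware post: summarize clients that performed
# unsigned SASL binds or clear-text simple binds against this domain controller,
# using Event ID 2889 from the Directory Service log.
# Assumption: the diagnostic value "16 LDAP Interface Events" under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics has been set to 2,
# otherwise no 2889 events are written.
param(
    [int]$Hours = 24   # look-back window; this parameter is the example's own choice
)

$since = (Get-Date).AddHours(-$Hours)

# One 2889 event is written per offending bind, so a busy client may produce many.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Event ID 2889 entries since $since (or LDAP interface diagnostics are not enabled)."
    return
}

# Pull the client address and the identity it bound as out of the message text.
# Assumption: English-language event message ("Client IP address:" and
# "Identity the client attempted to authenticate as:" labels).
$rows = foreach ($e in $events) {
    $ip = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $id = if ($e.Message -match 'authenticate as:\s*(.+?)\s*(\r?\n|$)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ClientIP    = $ip
        Identity    = $id
    }
}

# Group by client so each host appears once with its bind count and the
# identities it used; the noisiest clients are listed first.
$rows |
    Group-Object ClientIP |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP   = $_.Name
            BindCount  = $_.Count
            Identities = ($_.Group.Identity | Sort-Object -Unique) -join ', '
            LastSeen   = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Run it as an administrator on each domain controller (for example `.\Find-UnsignedLdapBinds.ps1 -Hours 72`). Any vCenter Server or other VMware appliance that shows up in the list is still using an unencrypted, unsigned LDAP identity source and should be switched to the encrypted access described in the vSphere documentation linked below before the stricter settings are enforced.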
As always, thank you for being our customers, and a big thank you to all of the folks who provided feedback and community discussion on the initial postings. Please keep following us directly on this blog, on Twitter, and on Facebook.
- VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023) (blogs.vmware.com)
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing (portal.msrc.microsoft.com)
- Active Directory LDAP Server and OpenLDAP Server Identity Source Settings (docs.vmware.com)