Customers who are using Microsoft Active Directory (AD) as an authentication source for VMware vSphere and other VMware products have been tracking the announcements from Microsoft that the March 2020 Windows Updates would change the default behavior of the Active Directory LDAP services.
We tested vSphere and documented the effects of the changes in a blog post (all links below) that covers the issue and offers some ideas for moving forward. The net result was that vSphere supports both types of LDAP bindings by default, “out of the box”, with no changes necessary on the vSphere side.
On February 4, 2020 Microsoft updated their guidance to indicate that the March 2020 Windows Updates WILL NOT change the defaults. Instead, they are changing how the settings are controlled with Group Policy, and will provide additional auditing capabilities. Please review their guidance, linked below.
VMware recommends that data always be encrypted in flight on the network. This is especially true for authentication data, where an attacker could intercept login credentials and use them to breach additional systems. VMware vSphere fully supports encrypted access to Active Directory. Please refer to the vSphere documentation for guidance on configuring those mechanisms.
As always, thank you for being our customers, and a big thank you to all of the folks who provided feedback and community discussion on the initial postings. Please keep following us directly on this blog, on Twitter, and on Facebook.
- VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023) (blogs.vmware.com)
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing (portal.msrc.microsoft.com)
- Active Directory LDAP Server and OpenLDAP Server Identity Source Settings (docs.vmware.com)