Upcoming MS LDAP Signing Requirement and WTOS NTLM Auth

  • #51577
    romeplows
    Participant

    I’m sure the Windows admins around here are aware of the changes MS is updating by default in March with regards to disabling simple LDAP binds or unsigned SASL authentication requests. If not, here’s a link:


    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536


    Now, I have my WTOS environment (mix of 3030s and c10les that are being phased out) set to authenticate users with NTLM, and unfortunately these authentications are being logged on my DCs as event 2889 (The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.).

    If signing was enforced right now, these authentication attempts would be failing – and they will fail after March updates unless you purposely override the setting in the registry.


    Anyone else using NTLM have a plan of attack? Will there be a WTOS update?
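Before signing is enforced, the practical first step is to inventory which clients are generating event 2889 on each DC. The script below is an added example (not from the poster or from Dell/Wyse); it assumes it runs on or against a DC, that the 2889 message uses the usual "Client IP address:" / "Identity the client attempted to authenticate as:" / "Binding Type:" layout, and that the NTDS diagnostics value "16 LDAP Interface Events" is set to 2 or higher so the events are logged at all.

```powershell
# Summarise Directory Service event 2889 (unsigned SASL bind or cleartext
# simple bind) so you can see which clients will break once LDAP signing
# is required. Assumed: run on a DC, or pass -ComputerName for a remote one.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue: Get-WinEvent throws when no matching events exist.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $m = $e.Message
    # Each field sits on the line after its label in the 2889 message text.
    $ip   = if ($m -match 'Client IP address:\s*\r?\n\s*(\S+)')    { $Matches[1] } else { 'unknown' }
    $id   = if ($m -match 'authenticate as:\s*\r?\n\s*(\S+)')     { $Matches[1] } else { 'unknown' }
    $type = if ($m -match 'Binding Type:\s*\r?\n\s*(\d)')         { $Matches[1] } else { '?' }

    # Binding Type 0 = SASL bind without signing, 1 = simple bind without TLS
    # (the mapping commonly reported for this event; treat as an assumption).
    $bind = switch ($type) {
        '0'     { 'SASL, unsigned' }
        '1'     { 'Simple, cleartext' }
        default { 'unknown' }
    }

    [pscustomobject]@{
        Client   = ($ip -replace ':\d+$', '')   # drop the ephemeral source port
        Identity = $id
        Bind     = $bind
    }
}

# One line per client/identity/bind-type combination, busiest first.
$rows | Group-Object Client, Identity, Bind | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } },
        @{ n = 'Bind';     e = { $_.Group[0].Bind } } |
    Format-Table -AutoSize
```

Run it against every DC, since each one only logs the binds it served; thin clients that show up here are the ones to reconfigure (or, as the second post describes, switch away from NTLM) before the signing change lands.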

    #51592
    romeplows
    Participant

    Well, my problem with this was already solved and I didn’t realize it.


    The only reason NTLM was enabled was to allow password resets before session connection. But it turns out that with MS Broker configs, if you allow password resets through RDWeb (setting in IIS) it will let you change your Windows password through the Wyse terminal.


    This had already been set on our RDS brokers and I just didn’t realize it would work with password resets in the Wyse world.


    C’est la vie.
