
Update to LDAP signing requirements and ArcGIS Enterprise

02-07-2020 11:52 AM
RandallWilliams
Esri Regular Contributor

Users are asking us how ArcGIS Enterprise may be affected by Microsoft blocking unsigned LDAP communication in Active Directory starting in March 2020.

ArcGIS Enterprise itself is not affected by this as long as connections to Active Directory can be made using LDAPS (port 636). To meet this requirement, be sure that LDAPS is available on your Active Directory servers.

 

However, *if* your organization is using the Java Web Adaptor (which itself requires a J2EE server such as Tomcat, GlassFish or WebLogic) together with web-tier authentication and Active Directory, then the J2EE application server must itself be configured to connect to the directory server using LDAPS.

 

Even if ArcGIS Enterprise is configured to use LDAP over plaintext port 389, it will still attempt to connect via LDAPS (port 636) first. Front-end application servers are unlikely to follow this pattern and will communicate with the directory server exactly as literally configured.
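Because the application server uses whatever URL it is given, the directory URLs in its configuration are worth auditing. The following is an added example, not Esri or Tomcat code: it assumes Tomcat with a `JNDIRealm` as the directory connection (the post names Tomcat but not the realm type), and the host names are constructed placeholders. It checks the URL scheme only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a Tomcat server.xml fragment with two JNDIRealm entries.
# Host names are placeholders, not values from the post.
SAMPLE_SERVER_XML = """
<Server>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://dc1.example.com:389"
             alternateURL="ldaps://dc2.example.com:636"/>
    </Realm>
    <Host name="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldaps://dc1.example.com"/>
    </Host>
  </Engine>
</Server>
"""

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
URL_ATTRS = ("connectionURL", "alternateURL")


def audit_realm_urls(server_xml):
    """Return one finding per directory URL configured on a JNDIRealm."""
    findings = []
    for realm in ET.fromstring(server_xml).iter("Realm"):  # includes nested realms
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue
        for attr in URL_ATTRS:
            # JNDI accepts a space-separated list of provider URLs.
            for url in realm.get(attr, "").split():
                parts = urlsplit(url)
                scheme = parts.scheme.lower()
                port = parts.port or DEFAULT_PORT.get(scheme)
                findings.append({"attr": attr, "url": url, "host": parts.hostname,
                                 "port": port, "ldaps": scheme == "ldaps"})
    return findings


def plaintext_urls(server_xml):
    """URLs the server would use exactly as written, without LDAPS."""
    return [f["url"] for f in audit_realm_urls(server_xml) if not f["ldaps"]]


if __name__ == "__main__":
    for f in audit_realm_urls(SAMPLE_SERVER_XML):
        status = "OK   " if f["ldaps"] else "PLAIN"
        print(f"{status} {f['attr']:<14} {f['host']}:{f['port']}  ({f['url']})")
```

A URL such as `ldap://host:636` is also reported, since the `ldap` scheme on the LDAPS port is still not an LDAPS connection.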

2 Comments
Thomas_H_Kristensen
Emerging Contributor

ArcGIS Server 10.3 - Does this apply to User store "Windows Domain" Security also?
We are running with "Windows Domain" settings, however our Windows AD system admins have identified calls from our ArcGIS Server with event ID 2889: "The following Client performed a SASL LDAP bind..." Which is affected by the Microsoft security patch.

Thanks, 
Thomas

RandallWilliams
Esri Regular Contributor

Thomas:

a. You should start planning an upgrade. 10.3 will be officially retired/unsupported at the end of this year. Esri Support ArcGIS Server 10.7 (10.7.1). For a number of reasons, I'd strongly recommend an upgrade to 10.8/10.8.1.

b. This issue specifically impacts Windows Domains.

c. At a minimum, I'd upgrade to 10.3.1 while you plan for a major upgrade to a newer LTS release and apply this patch for 10.3.1:

ArcGIS Server Security 2018 Update 2 Patch.

The specific fix in this patch you want is:

ENH-000117371 - Add an option to enforce encrypted communication between ArcGIS Server and Active Directory. (10.5.1, 10.4.1, 10.3.1 Only)