Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84611members
353910posts

Active Directory changes in March 2020

EcoStruxure Geo SCADA Expert Forum

Find out how SCADA systems and networks, like EcoStruxure Geo SCADA Expert, help industrial organizations maintaining efficiency, processing data for smarter decision making with IoT, RTU and PLC devices.

Solved
AdamWoodland
Commander Commander
Commander

Active Directory changes in March 2020

Hi ClearSCADA Administrators!

 

See https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

 

Microsoft is fixing a bug in LDAP functionality in Active Directory to block insecure LDAP in March 2020. If you have your ClearSCADA set up to externally authenticate users using just "LDAP" against a domain controller, and not using "LDAP SSL", you may find after this update if applied your ClearSCADA users may not be able to log in. I have a ticket raised with support so someone can hopefully take a closer technical look at the possible impact to ClearSCADA.

 

I strongly recommend you review the Microsoft advisory on how to resolve the issue and refer to websites such as https://evotec.xyz/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020/ to help identify which systems may have an issue (which I am yet to personally test those scripts, use at own risk).

 

 


Accepted Solutions
SGA_Mountford_D
Crewman
Crewman
0 Likes
3
4093

Re: Active Directory changes in March 2020

Hi Adam,

 

Thanks for your post!

 

Was curious what we should actually be checking with our customer ClearSCADA systems?

 

Are servers using LogonUser for external authentication going to be affected?

 

Cheers!

See Answer In Context

BevanWeiss
Spock
Spock
2
4089

Re: Active Directory changes in March 2020

Hey Dave,

 

LogonUser and LDAPS/LDAP SSL won't be affected by this.

It will primarily affect systems which are authenticating against a 'remote' domain, one which the ClearSCADA / Geo SCADA Expert server may actually not be a member of.

 

However.... there have been a few clients that had issues in the early days with LogonUser around domain authentication timeouts.

I think maybe one in the west....  They may still be configured to use LDAP instead of LogonUser.

For almost all customers, it should be possible to just use LogonUser.

 

LDAPS/LDAP SSL is annoying, not just a tick box on Windows AD servers.

 

SI plan would be, for each customer server, check in Server Configuration if it's set to LDAP, if it is, then prepare a testing window to convert it across to LogonUser. Change Standby Server  LDAP->LogonUser, restart, and test a Windows Authentication logon to the Standby server (i.e. Client Connection settings set to prefer Standby).  If it all works, then perform the same on the current Main server.

 

If the system is configured to use LDAP against a remote domain.  Then the hoop jumping to get LDAPS will be required.

Here's a pretty good guide

https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45


Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

See Answer In Context

SGA_Mountford_D
Crewman
Crewman
1
4084

Re: Active Directory changes in March 2020

Thanks Bevan; appreciate the speedy response!

See Answer In Context

6 Replies 6
SGA_Mountford_D
Crewman
Crewman
0 Likes
3
4094

Re: Active Directory changes in March 2020

Hi Adam,

 

Thanks for your post!

 

Was curious what we should actually be checking with our customer ClearSCADA systems?

 

Are servers using LogonUser for external authentication going to be affected?

 

Cheers!

BevanWeiss
Spock
Spock
2
4090

Re: Active Directory changes in March 2020

Hey Dave,

 

LogonUser and LDAPS/LDAP SSL won't be affected by this.

It will primarily affect systems which are authenticating against a 'remote' domain, one which the ClearSCADA / Geo SCADA Expert server may actually not be a member of.

 

However.... there have been a few clients that had issues in the early days with LogonUser around domain authentication timeouts.

I think maybe one in the west....  They may still be configured to use LDAP instead of LogonUser.

For almost all customers, it should be possible to just use LogonUser.

 

LDAPS/LDAP SSL is annoying, not just a tick box on Windows AD servers.

 

SI plan would be, for each customer server, check in Server Configuration if it's set to LDAP, if it is, then prepare a testing window to convert it across to LogonUser. Change Standby Server  LDAP->LogonUser, restart, and test a Windows Authentication logon to the Standby server (i.e. Client Connection settings set to prefer Standby).  If it all works, then perform the same on the current Main server.

 

If the system is configured to use LDAP against a remote domain.  Then the hoop jumping to get LDAPS will be required.

Here's a pretty good guide

https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45


Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..
SGA_Mountford_D
Crewman
Crewman
1
4085

Re: Active Directory changes in March 2020

Thanks Bevan; appreciate the speedy response!

AdamWoodland
Commander Commander
Commander
0
4077

Re: Active Directory changes in March 2020

Yeah, what Bevan said 🙂

 

Regarding validating ClearSCADA (and anything else on the system you may manage) I don't think you should be checking the product as such, you should be checking your domain logs to see what is triggering any entry. That last link has info on what logging you need to set (not enabled by default) and then what to parse in your domain logs to identify sources.

 

For example some network devices, PLCs and RTUs support LDAP authentication and may be affected if not using SSL/TLS.

 

The logging only appears every 24 hours so its a case of set it going and wait a day or two.

Swindel
Cadet
0 Likes
1
2880

Re: Active Directory changes in March 2020

In addition I can say that this type of protection through Active Directory can be further secured by using 2FA through universal protection tokens then adfs sso can be used very conveniently and simply and most importantly reliably. After all, the same Microsoft has support for azure adfs in providing security.

Tags (1)
BevanWeiss
Spock
Spock
0 Likes
0
2873

Re: Active Directory changes in March 2020

@Swindel The idea of MFA via the ADFS mechanism does sound good, although I've never tried this myself.

How does it interact with LDAPS?  Is it possible at all?

Or does it need to utilise the native LogonUser of a Domain Authenticated computer?

 

I've only seen the MFA utilised against a RADIUS configuration, and not LDAP/AD on its own, in this particular context.

I have seen custom GINA setups to enforce an MFA token entry for 'native' AD logon, but this is not something that GeoSCADA supports (since it doesn't support the GINA plugins for the second factor) [as far as I'm aware].


Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..
Tags (1)