Citrix ADC, LDAP Test Fails

After Citrix implemented the security of ns.conf with the KEK keys I have noticed that the “Test Network connectivity” button throws an error in the GUI:

Well, how do we test the LDAP configuration and connection then?

This can be done from the CLI, in shell mode 😊

From the shell mode you can run the following command to test the LDAP configuration:

ldapsearch -b "DC=contoso,DC=com" -D "user1@contoso.com" -h <domain-controller> -p 389 -w "Password1"

If your username and password are not valid you will get something like this:

If there is a connection to a Domain Controller and the username and password are valid, you will receive information about the users in the Active Directory.

So, we can use the CLI shell mode to test the LDAP connection and validate the username and password. But there is one problem: to test, we need to type the password in clear text. In my blog post “NetScaler CLI, Watch Out” I wrote about the “history” of the CLI commands and that passwords in clear text are stored there until the Citrix ADC is rebooted.

We have the same problem when we test the LDAP connection using the CLI in shell mode. If I run the “history” command I get this:

It is therefore my recommendation that you create a temporary user account on the Citrix ADC, run the command to test the LDAP connection from that account, and finally remove the temporary user account.

By doing this, the password for the LDAP user cannot be accessed through the “history” command.

Citrix ADC, Secure LDAP, Updated

Microsoft has announced that from March 2020, only secure LDAP requests are supported: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

From the article:

LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active Directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 addresses the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.

Microsoft intends to release a security update on Windows Update to enable LDAP channel binding and LDAP signing hardening changes and anticipate this update will be available in March 2020.

And why is this important for the Citrix ADC? Well, that is because we can use three modes of LDAP communication on the Citrix ADC:

  • PLAINTEXT
  • TLS
  • SSL

If your configuration uses PLAINTEXT, then it will stop working after March if you patch your Windows Domain Controllers, and who doesn’t do that?

Get out there and check your configuration and change it if you are using PLAINTEXT.
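As an added example (not from the original post), here is a small script for the ADC shell that deals with both problems above: the password is typed at a hidden prompt and handed to ldapsearch through a private file, so it never appears on the command line and “history” has nothing to record, and PLAINTEXT ldap:// URLs are refused. It assumes the ADC shell’s ldapsearch is the OpenLDAP client (so -H and -y are available); the host names in the comments are placeholders.

```shell
#!/bin/sh
# ldaptest.sh: bind-test a domain controller from the Citrix ADC shell without the
# LDAP password ever being on the command line (and so never in "history").
# Assumption: the ADC shell's ldapsearch is the OpenLDAP client, which supports
# -H <url> and -y <password-file>.

# Accept only ldaps:// URLs: PLAINTEXT ldap://host:389 binds are what the
# March 2020 LDAP signing / channel binding hardening breaks.
url_is_secure() {
  case "$1" in
    ldaps://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Store the password in a private (mode 0600) temp file and print its path;
# the caller removes it as soon as the test has run. No trailing newline is
# written because -y uses the file contents verbatim.
make_pw_file() {
  umask 077
  f=$(mktemp /tmp/ldappw.XXXXXX) || return 1
  printf '%s' "$1" > "$f" && printf '%s\n' "$f"
}

# Usage: bind_test <ldaps-url> <bind-dn-or-upn> <search-base> <password-file>
# A base-scope search of the domain object succeeds only if the bind did, and
# it does not dump the whole directory onto the console.
bind_test() {
  ldapsearch -H "$1" -D "$2" -b "$3" -y "$4" -s base -LLL '(objectClass=*)' dn
}

main() {
  url_is_secure "$1" || { echo "refusing plaintext URL $1; use ldaps://<dc>:636" >&2; return 2; }
  stty -echo 2>/dev/null; printf 'LDAP password for %s: ' "$2"
  read -r pw; stty echo 2>/dev/null; echo
  pwfile=$(make_pw_file "$pw") || return 1
  trap 'rm -f "$pwfile"' EXIT INT TERM   # never leave the password behind on disk
  bind_test "$1" "$2" "$3" "$pwfile"
}

# Runs only when called with the three parameters (placeholder host), e.g.
#   sh ldaptest.sh ldaps://dc1.contoso.com:636 user1@contoso.com DC=contoso,DC=com
if [ $# -eq 3 ]; then main "$@"; fi
```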
