Sage X3 Tips: The Upcoming Microsoft LDAP Security Update
A Windows security update planned by Microsoft to be available in March 2020 will enable LDAP channel binding and LDAP signing hardening for Active Directory. For more information about this update, see the official Microsoft announcement.
Sage X3 environments configured to connect to Active Directory with LDAPS for user authentication or synchronization will continue to work normally.
However, Sage X3 environments configured to connect to Active Directory with simple LDAP binding will encounter the following error once the security update is in effect:
'Connection error: StrongAuthRequiredError: 00002028: LdapErr: DSID-0C090200, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839'
For supported Sage X3 versions (U9, V11, V12), the steps to update the Sage X3 configuration to use LDAPS instead of LDAP, which avoids this error, are described below:
- Obtain the Active Directory CA certificate
  - For example, on the host holding the ADCS role, open the ‘Certificates’ snap-in in the Microsoft Management Console (mmc), then export the AD CA certificate from Personal/Certificates of the local computer.
  - The certificate must be in base-64 format and must not contain the private key.
- In Sage X3, go to ‘Administration > Administration > Certificates > Certificates of Certification Authorities’
- Select ‘Actions > New CA Certificate’
- Enter a name and a description, and upload the CA certificate exported previously
- Select ‘Actions > Save’
- Go to ‘Administration > Administration > Authentication > LDAP Servers’
- Click on the connection to edit
- Select ‘Actions > Edit’
- Set the correct protocol (ldaps) and port (636 or 3269) in the URL
- Click on the magnifying glass icon under ‘CA certificates of LDAP server for TLS’
- Select the CA certificate created previously, and then OK
- Select ‘Actions > Save’
- Selecting ‘Actions > Connection test’ should report ‘Connection OK’
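As an added pre-flight check (example code, not part of Sage X3 or the Microsoft update), the following Python parses the Active Directory diagnostic quoted above to confirm that a failed bind really is the LDAP signing enforcement (Win32 error 0x2028, ERROR_DS_STRONG_AUTH_REQUIRED) and validates the edited LDAP server URL against the protocol and ports named in the steps. The sample error string is the one from this article; the host name in the sample URLs is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Diagnostic string format Active Directory returns on a failed bind:
# "<win32 hex>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>"
_AD_DIAG = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)"
)

# Win32 error 8232 (0x2028) = ERROR_DS_STRONG_AUTH_REQUIRED: the DC now
# requires signing (or TLS) and rejects a simple bind over cleartext LDAP.
ERROR_DS_STRONG_AUTH_REQUIRED = 0x2028

LDAPS_PORTS = {636, 3269}  # 3269 is the Global Catalog port over TLS

# Error message quoted in the article (not constructed).
SAMPLE_ERROR = (
    "Connection error: StrongAuthRequiredError: 00002028: LdapErr: DSID-0C090200, "
    "comment: The server requires binds to turn on integrity checking if SSL\\TLS "
    "are not already active on the connection, data 0, v3839"
)


def parse_bind_error(message: str) -> dict:
    """Split an AD LdapErr diagnostic into fields and decode its hex tokens."""
    m = _AD_DIAG.search(message)
    if not m:
        return {"recognised": False}
    win32 = int(m["win32"], 16)
    return {
        "recognised": True,
        "win32": win32,
        "dsid": m["dsid"],
        "comment": m["comment"],
        "data": int(m["data"], 16),        # extended error code; 0 for this case
        "dc_build": int(m["build"], 16),   # domain controller OS build, given in hex
        "signing_enforced": win32 == ERROR_DS_STRONG_AUTH_REQUIRED,
    }


def check_ldaps_url(url: str) -> list:
    """Return problems found in a Sage X3 LDAP server URL (empty list = OK)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    problems = []
    if scheme != "ldaps":
        problems.append(f"scheme is '{parts.scheme}', expected 'ldaps'")
    # Without an explicit port, LDAP defaults to 389 and LDAPS to 636.
    port = parts.port if parts.port is not None else (636 if scheme == "ldaps" else 389)
    if port not in LDAPS_PORTS:
        problems.append(f"port {port} is not an LDAPS port (636 or 3269)")
    return problems


if __name__ == "__main__":
    print(parse_bind_error(SAMPLE_ERROR))
    print(check_ldaps_url("ldap://dc01.example.local:389"))    # constructed host
    print(check_ldaps_url("ldaps://dc01.example.local:636"))   # constructed host
```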
For unsupported Sage X3 versions that have LDAPS functionality (between V7P11 and U9), we advise setting up a test environment to check the compatibility of Sage X3 with the new security parameters described in the Microsoft announcement.
Sage X3 versions prior to V7P11 do not support LDAPS. In this case, the only way to keep Sage X3 connected to Active Directory will be to revert the new security parameters described in the Microsoft announcement to their previous values. This is not recommended, and we encourage you to upgrade to a more recent Sage X3 version instead.
If you have any questions, or if you require assistance, please contact us or call the Net at Work HelpDesk: 888-494-9479.