M-D
-
Posts
3 -
Joined
-
Last visited
Posts posted by M-D
-
-
Hello,
In order to make our network more secure and protect our users as much as possible, we want to move to an environment where all communication with our AD servers to go over SSL/TLS. Our domain controllers dispatch event ID 2887 (https://technet.microsoft.com/en-us/library/dd941856) that complains about computers that aren't using either signed requests or SSL. After enabling the debugging data to the detailed events (event ID 2889 - https://technet.microsoft.com/en-us/library/dd941849) we started fixing the internal services that came up.
ERA is one of the last products I am unable to configure properly however. I cannot find any options in the `Static group synchronization` tasks we have to enable LDAPS. I also tried using a value like 'ldaps://our-ad-server.xxx' (which fails with an error) or specifying the usage of port 636 (which seems to get stuck).
This is the event data from our AD server:
QuoteThe following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.Client IP address:era-server-ip:36446Identity the client attempted to authenticate as:domain-name\era-account-nameBinding Type:0From what I was able to find online, binding type 0 indicates a 'simple' bind, meaning a normal plain-text connection.
This is our server task for synchronizing computers:
Does ERA support this? Or is there an option I'm missing? We're using the virtual appliance:
-
Interested as well, sign me up!
ERA LDAP sync over SSL
in ESET PROTECT On-prem (Remote Management)
Posted
Hey Aleks,
I contacted support, who said 'ESET VA LDAP authentication is done using Kerberos, which is already secure'.
When I pointed out the message from our DCs the only reply I managed to get was that 'it wasn't supported' and that 'it might come in a future version'.
We ended up switching AV, so that 'fixed' the issue for us ;).