This page records the work to eliminate unsigned or plaintext LDAP binds from macOS computers joined to an Active Directory domain.
...
- Catalina fails to bind to AD.UCI.EDU using the `ssl` directive.
- Apple states that it can bind Catalina using the `ssl` directive.
- Catalina tightened its requirements for trusted certificates (see References).
- Desktop/WSG are evaluating the certificate status on the DCs.
- Asked Apple for assistance in definitively demonstrating that Catalina refuses to trust the DC certificates.
- The command-line utilities `dscl` and `eccl` query over port 389 with GSSAPI regardless of the `ssl` directive.
- Apple confirms that `dscl` queries succeed in an `ssl` configuration, but those queries do not use SSL.
- Asked Apple to investigate whether the underlying AppleLDAP framework is the point of error.
- Apple confirms that with the `require` directives, macOS still generates the nonfatal 2995 error events.
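The certificate items above (Catalina's tightened trust requirements and the evaluation of the DC certificates) call for a repeatable check rather than a guess. The script below is an added example, not code from this project or from Apple: it pulls a DC's LDAPS leaf certificate with `openssl s_client` and evaluates the `openssl x509 -text` dump against the requirements Apple published for trusted TLS server certificates in macOS 10.15 (SHA-2 signature, RSA keys of at least 2048 bits, a Subject Alternative Name matching the host, a validity period of at most 825 days, and an Extended Key Usage including server authentication). The host name `dc01.ad.example.test` and both embedded certificate dumps are constructed placeholders, and the fetch step assumes an `openssl` binary on the path.

```python
"""Evaluate a domain controller's LDAPS certificate against macOS 10.15 (Catalina)
trust requirements.  Added example; the DC name and the sample dumps are constructed."""
import re
import subprocess
from datetime import datetime

MAX_VALIDITY_DAYS = 825  # Catalina's limit for TLS server certificates


def fetch_cert_text(host, port=636):
    """Fetch the DC's LDAPS leaf certificate and return its `openssl x509 -text` dump.
    Requires network access and an openssl binary; not used by the offline checks below."""
    handshake = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=False)
    dump = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=handshake.stdout, capture_output=True, check=True)
    return dump.stdout.decode()


def _parse_openssl_date(value):
    # openssl prints e.g. 'Jan  1 00:00:00 2020 GMT'; collapse spacing, drop the zone
    value = " ".join(value.split())
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y")


def _san_matches(san, hostname):
    # Exact match, or a single-label wildcard such as *.ad.example.test
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname


def check_cert_text(text, hostname):
    """Return {requirement: bool} evaluated from an `openssl x509 -text` dump."""
    results = {}

    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    sig_name = sig.group(1).lower() if sig else ""
    results["sha2_signature"] = any(h in sig_name for h in ("sha256", "sha384", "sha512"))

    algo = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    key_bits = int(bits.group(1)) if bits else 0
    if algo and algo.group(1) == "rsaEncryption":
        results["key_length_ok"] = key_bits >= 2048
    else:
        results["key_length_ok"] = bool(algo)  # ECC keys have no 2048-bit rule

    not_before = re.search(r"Not Before\s*:\s*(.+)", text)
    not_after = re.search(r"Not After\s*:\s*(.+)", text)
    if not_before and not_after:
        lifetime = _parse_openssl_date(not_after.group(1)) - _parse_openssl_date(not_before.group(1))
        results["validity_le_825_days"] = lifetime.days <= MAX_VALIDITY_DAYS
    else:
        results["validity_le_825_days"] = False

    san = re.search(r"Subject Alternative Name:\s*(.+)", text)
    san_entries = [e.strip() for e in san.group(1).split(",")] if san else []
    dns_names = [e[4:] for e in san_entries if e.startswith("DNS:")]
    results["san_matches_host"] = any(_san_matches(n, hostname) for n in dns_names)

    eku = re.search(r"Extended Key Usage:\s*(.+)", text)
    results["eku_server_auth"] = bool(eku) and "TLS Web Server Authentication" in eku.group(1)
    return results


def cert_meets_catalina_requirements(text, hostname):
    """True only when every requirement in check_cert_text passes."""
    return all(check_cert_text(text, hostname).values())


# Constructed sample dumps (not real certificates) in `openssl x509 -text` layout.
SAMPLE_GOOD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Dec 31 00:00:00 2020 GMT
        Subject: CN = dc01.ad.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:dc01.ad.example.test, DNS:ad.example.test
"""

SAMPLE_BAD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Legacy CA
        Validity
            Not Before: Jan  1 00:00:00 2018 GMT
            Not After : Jan  1 00:00:00 2028 GMT
        Subject: CN = dc01.ad.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    for label, dump in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_cert_text(dump, "dc01.ad.example.test"))
    # Against a live DC (placeholder name): fetch_cert_text("dc01.ad.example.test")
```

Run it as-is to see the two constructed dumps evaluated; to test a real controller, pass the dump returned by `fetch_cert_text` to `check_cert_text` with the name the Mac actually binds to, since the SAN check is against that name. A failing item here is a concrete finding to hand to the certificate team, while a passing result narrows the bind problem back to the client side.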
2020-02-05:
Filed with Apple as:
- AppleCare Enterprise 101019106553
- Feedback FB7565297
References
- Microsoft
  - ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
  - 2020 LDAP channel binding and LDAP signing requirement for Windows
  - LDAP Channel Binding and LDAP Signing Requirements
  - An update is available that changes client bind type information in Event ID 2889 in Windows Server 2008 R2
- Joe Schiffman's solution guide
  - Bind Mac OS to Active Directory over SSL (UCI only)
- Apple
...