This page records the work to eliminate unsigned protocols and plaintext LDAP from macOS computers bound to an Active Directory domain.
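As an added example (not code from the original page or from UCI), the script below audits the client side of this problem: it reads the packet-signing and packet-encryption settings of the macOS Active Directory plugin as printed by `dsconfigad -show`, reports whether unsigned or unencrypted LDAP is still permitted, and prints the hardening command. It assumes the "Packet signing" and "Packet encryption" field names that `dsconfigad -show` prints; the sample output embedded in the script is constructed so the check also runs on a machine that is not bound.

```shell
#!/bin/sh
# Added example: audit the macOS AD plugin's LDAP signing/encryption posture.
# Not part of the original page. Assumes the "Packet signing" and
# "Packet encryption" lines that `dsconfigad -show` prints under
# "Advanced Options - Administrative".

# Constructed sample of `dsconfigad -show` output from a client that still
# permits unsigned and unencrypted LDAP (the default "allow" on both).
SAMPLE_SHOW='Active Directory Forest          = example.corp
Active Directory Domain          = ad.example.corp
Computer Account                 = mac-0001$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Restrict Dynamic DNS updates   = not set'

# ad_setting TEXT KEY: print the value of the "KEY = value" line in TEXT.
ad_setting() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p" \
        | sed 's/[[:space:]]*$//'
}

# ad_ldap_posture TEXT: print "ok" and return 0 when signing is "require" and
# encryption is "require" or "ssl"; otherwise print the weak settings and
# return 1. A missing field counts as weak ("unset").
ad_ldap_posture() {
    sign=$(ad_setting "$1" "Packet signing")
    enc=$(ad_setting "$1" "Packet encryption")
    weak=""
    [ "$sign" = "require" ] || weak="signing=${sign:-unset}"
    case "$enc" in
        require|ssl) ;;
        *) weak="${weak:+$weak }encryption=${enc:-unset}" ;;
    esac
    if [ -z "$weak" ]; then
        echo "ok"
        return 0
    fi
    echo "weak: $weak"
    return 1
}

# Use the live plugin state on a bound Mac, else fall back to the sample.
show=""
if command -v dsconfigad >/dev/null 2>&1; then
    show=$(dsconfigad -show 2>/dev/null) || show=""
fi
[ -n "$show" ] || show=$SAMPLE_SHOW

if ad_ldap_posture "$show"; then
    echo "AD plugin requires signed and encrypted LDAP"
else
    # Client-side remediation (needs admin rights); "require" refuses
    # unsigned and unencrypted LDAP sessions to the domain controllers.
    echo "remediate: sudo dsconfigad -packetsign require -packetencrypt require"
fi
```

Run it on a bound Mac to see the live settings; on any other host it evaluates the constructed sample and reports both settings as weak. The domain-controller side of the same audit is the Event ID 2889 logging referenced below, which records clients that bind without signing.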
Updates
2020-05-22:
The support engineer has reproduced our testing observations:
I have tested kicking off your dscl & eccl scripts with the EC re-connect sequence, and I'm seeing the client queries over SASL/GSSAPI as you've found.
I have not yet tried this with an alternate script, but I'll test that as soon as possible.
I want to position that it can take time for Product Engineering to evaluate reports like this. I certainly understand the urgency for UCI, so I will contact the assigned engineering team and see if there's any information/data/testing we can do to assist them in this investigation.
I don't think it's necessary to get remote access to a system at this time, but I will let you know if we need anything else.
2020-05-04:
Further experimentation and more detailed logging exposed previously unseen patterns in client behavior:
...
2020-02-05:
Filed with Apple as:
- AppleCare Enterprise 101019106553
- Feedback FB7565297
References
- Microsoft
  - ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
  - 2020 LDAP channel binding and LDAP signing requirement for Windows
  - LDAP Channel Binding and LDAP Signing Requirements
  - An update is available that changes client bind type information in Event ID 2889 in Windows Server 2008 R2
- Joe Schiffman's solution guide
  - Bind Mac OS to Active Directory over SSL (UCI only)
- Apple
  - ...