Content Comparison

This page serves as a record for eliminating the use of unsigned protocols or plaint text LDAP from macOS computers bound to an Active Directory domain.

Updates

2020-05-22:

Support engineer has reproduced that EC-reconnect sequences use SASL/GSSAPI, and not TLS.

2020-05-04:

Further experimentation, and advanced logging, exposed previously unseen patterns in client behavior:

...

2020-02-05:

Filed with Apple as:

• AppleCare Enterprise 101019106553
• Feedback FB7565297
  
  

References

• Microsoft
  • ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
  • 2020 LDAP channel binding and LDAP signing requirement for Windows
  • LDAP Channel Binding and LDAP Signing Requirements
  • An update is available that changes client bind type information in Event ID 2889 in Windows Server 2008 R2
• Joe Schiffman's solution guide
  • Bind Mac OS to Active Directory over SSL/wiki/spaces/MS/pages/10781696 (UCI only)
• Apple
  • Configure domain access in Directory Utility on Mac
  • Requirements for trusted certificates in iOS 13 and macOS 10.15

...