This page serves as a record for eliminating the use of unsigned protocols or plaint text LDAP from macOS computers bound to an Active Directory domain.
Updates
2020-03-07:
On Wednesday March 3, WSG updated the domain controller certificates to meet the Catalina certificate requirements. We have verified that the client now binds successfully.
2020-02-26:
Issues separate into two forks.
- Catalina fails to bind to AD.UCI.EDU using the `ssl` directive.
- Apple states they can bind Catalina via the `ssl` directive.
- Catalina tightened requirements for trusted certificates. (see References)
- Desktop/WSG are evaluating the certificate status on the DCs.
- Asked Apple for assistance on definitively demonstrating that Catalina refuses to trust the DC certificates.
- Command line utilities `dscl` and `eccl` make queries using 389/GSSAPI, regardless of `ssl` directive.
- Apple confirms they can successfully make `dscl` queries in an ssl configuration, but they do not use SSL.
- Asked Apple to investigate whether the underlying AppleLDAP framework may be a point of error.
- Apple confirms they can successfully make `dscl` queries in an ssl configuration, but they do not use SSL.
Apple confirms that using the `require` directives, macOS still generates the nonfatal 2995 error events.
2020-02-05:
Filed with Apple as:
- AppleCare Enterprise 101019106553
- Feedback FB7565297
References
- Microsoft
- ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- 2020 LDAP channel binding and LDAP signing requirement for Windows
- LDAP Channel Binding and LDAP Signing Requirements
- An update is available that changes client bind type information in Event ID 2889 in Windows Server 2008 R2
- Joe Schiffman's solution guide
- Bind Mac OS to Active Directory over SSL (UCI only)
- Apple
Text of EventCode 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Text of Client Bind Type
A value of 1 indicates a simple bind, and a value of 0 indicates an unsigned bind.
Splunk Searches
EventCode 2889
index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
EventCode 2889, exposing Binding Type
index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"| rex field=_raw "(?ms)Binding\s+Type:\s+(?<typeBind>\d)"| table _time, host, EventCode, ClientIdentity, ClientIPAddress, typeBind
Truth Tables
| Build notes | Bind Method / Configuration | packetsign | packetencrypt | AD Certificate | LoginWindow | EC | dscl | eccl | Notes | |
|---|---|---|---|---|---|---|---|---|---|---|
| 10.14.6 MacBook Air (Early 2013) | USB installer Setup Assistant by hand | BigFix/dsconfigad | ||||||||
|
|
| allow | allow | N | AD\atl-mba-1014$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | |
| require | allow | N | AD\atl-mba-1014$ | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | ||||
| allow | require | N | AD\atl-mba-1014$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | ||||
| require | require | N | AD\atl-mba-1014$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | ||||
| allow | allow | Y | AD\atl-mba-1014$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | ||||
| allow | ssl | Y | (none) | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | dscl does not observe bind configuration. MS ATP warning - DC offered RC4 for Kerberos negotiation. | |||
| require | ssl | Y | (none) | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | MS ATP warning - DC offeredc RC4 for Kerberos negotiation. | |||
| allow | allow | N | AD\atl-mba-1014$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | eccl does not respect bind configuration. | |||
| require | allow | N | AD\atl-mba-1014$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | ||||
| allow | require | N | AD\atl-mba-1014$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | ||||
| require | require | N | AD\atl-mba-1014$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | ||||
| allow | allow | Y | AD\atl-mba-1014$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | ||||
| allow | ssl | Y | (none) | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | (MS ATP warning - DC offered RC4 for Kerberos negotiation.) | |||
| require | ssl | Y | (none) | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | (MS ATP warning - DC offered requested RC4 for Kerberos negotiation.) | |||
10.15.x | USB installer | BigFix/dsconfigad | ||||||||
| 10.15.2 | allow | allow | N | AD\atl-mbp-1015$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | |||
| 10.15.2 | require | require | N | AD\atl-mbp-1015$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | |||
| 10.15.2 | require | ssl | Y | 1.8.1 | n/a | dsconfig -add -packetsign=require packetencrypt=ssl fails Must do packetencrypt=require first, then change to packetencrypt=ssl in separate operation. Computer becomes inoperable. Must reinstall. | ||||
| allow | allow | N | AD\atl-mbp-1015$ 2889 typebind=0 | 2.0.5 | AD\atlauren 2889 typebind=0 | AD\atlauren 2889 typebind=0 | dscl does not observe bind configuration. eccl does not respect bind configuration. | |||
| require | require | N | 2.0.5 | not attempted | ||||||
| require | ssl | Y | 2.0.5 | not attempted | ||||||
| 10.15.3 | allow | allow | N | AD\atl-mbp-1015$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | |||
| 10.15.3 | require | require | N | AD\atl-mbp-1015$ 2889 typebind=0 | 1.8.1 | AD\atlauren 2889 typebind=0 | n/a | |||
| 10.15.3 | require | ssl | Y | 1.8.1 | dsconfig -add -packetsign=require packetencrypt=ssl fails Must do packetencrypt=require first, then change to packetencrypt=ssl in separate operation. Computer becomes inoperable. Must reinstall. | |||||
| allow | allow | N | 2.0.5 | not attempted | ||||||
| require | require | N | 2.0.5 | not attempted | ||||||
| require | ssl | Y | 2.0.5 | not attempted |
Wireshark - SASL bind behavior
In observing the behavior of macOS connections, a SASL bind sequence is observed. This sequence is seen when macOS sits at the login screen, or when dscl runs queries. This sequence triggers a 2889 event code.
| Client: LDAP search for base properties of the directory. |  |
| Server: Result indicating that it support SASL GSSAPI bind. |  |
| Client: SASL bindRequest of type GSSAPI, on port 389. |  |
| Server: saslBindInProgress using GSS-API and specifying encryption type. |  |
| Client: SASL bindRequest of type GSSAPI, sending from port 88 (Kerberos). |  |
| Server: saslBindInProgress using GSS-API and hashes. |  |
| Client: SASL bindRequest of type GSSAPI, declaring credential hash. |  |
| Server: Bind success. |  |
Appendix: Raw text from Fall 2019 testing
Splunk: index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
ATL-MBP-018
Which Airwatch OU? — macOS standard supported policies
AD record? NOPE reassign profile YEP
EventCode="2889"
events as “AD\oidadder” during machine bind events as “AD\atl-mbp-018$” thereafter, periodically with login events too
create “atlauren” Andrew Fake logout login as “atlauren” local account -> events as machine account login to EC events as “ad\atlauren” EC reconnect events as “ad\atlauren” machine events on logout events from machine and user on login/EC
** move to Airwatch OU Experimental ** AD/Certificate profile lands new events for rebinding as oitadder, machine record in New Computers OU *is a complete rebind* move to OU
EC reconnect no events logout no events reboot events as machine record login atlauren event as atlauren EC reconnect event as atlauren
|
Appendix: DNS notes
Be sure and use AD's DNS servers.