We would like to inform all customers that a Microsoft security update (ADV190023) may cause incompatibility and downtime of services.
All LDAP enabled clients may be affected. This includes DEVELOP customers who have at least either
- one MFP or printer
- one production printing device or
- a software application from DEVELOP in use.
Based on updated information from Microsoft, the security update, which enables LDAP Channel Binding and LDAP Signing on the domain controller, has been rescheduled to the second half of calendar year 2020.
According to Microsoft, Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.
Administrators can prevent the feature update from making those change either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default. However, in all cases, a reconfiguration of the LDAP connection settings on MFPs or software applications may be required.
Potential affected customers, either by manual changed GPOs or after installing the future security update, can either configure the DEVELOP device themselves (further information see below) or get in touch with their local DEVELOP contact who can provide support as an additional service.
Instructions for own configuration:
If you want to ensure a smooth transition, please do not install the software security update prior compatibility confirmation. Why not? By installing the software security update, LDAP channel binding and LDAP signing will be enabled by default, which may affect compatibility of DEVELOP MFPs or printers, production printing devices and software applications, if configured for connecting to a Microsoft Active Directory server by using the LDAP protocol. As a result, LDAP connections, for example, a user authentication request initiated on an MFP, may be refused. Hence, users cannot log in to their devices or application anymore causing service unavailability.
For device configuration by yourself you can do the following:
- Choose LDAPS (LDAP over SSL/TLS) and simple authentication method for Supported External Server Authentication configuration after applying the security update
- Choose LDAPS (LDAP over SSL/TLS) and GSSPNEGO authentication method for Supported LDAP (LDAP-IC card authentication / Simple print authentication / LDAP Address search) configuration after applying the security update
Further information can be obtained from the manual instructions of your DEVELOP device.
For DEVELOP software application, please contact your local DEVELOP contact for detailed instructions.
If you rather want to use DEVELOP support in this, please get in touch with your local DEVELOP contact.
Our service team offers a service to update MFP and application configuration, which can be used prior applying the Microsoft security update and ensure that you have a smooth transition without any downtime which might imperil your daily business work.
Please note that the required configuration changes are not related to a malfunction or failure of our products but are triggered by a change of the Microsoft Active Directory server environment.
For further information about LDAP channel binding and LDAP signing, please refer to the following Microsoft documents