Switch Mimecast Integration with AD from LDAP to S-LDAP

Microsoft recently published an advisory stating that, when the default configuration is used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server.

To know more about the advisory, click here

You can switch your LDAP connection to secure LDAP (LDAPS) to overcome this, and you don't have to wait for Microsoft to release a patch.

Steps to create a self-signed certificate:

  1. Launch Windows PowerShell on the domain controller as an administrator.
  2. Generate a self-signed certificate by running the following command:

# FQDN of the domain controller; this must match the hostname Mimecast will connect to
$DN = "servername.domainname.com"

# Create the self-signed certificate in the local machine's Personal store
$newcert = New-SelfSignedCertificate -DnsName $DN -CertStoreLocation cert:\LocalMachine\My

The $newcert object holds the generated self-signed certificate, which is stored in the machine certificate store at the path given by CertStoreLocation.

Steps to install the self-signed certificate on your Active Directory server, which enables LDAPS:

  1. Launch Windows PowerShell on the domain controller as an administrator.
  2. Run the following command to install your certificate and configure LDAPS:

Set up Mimecast to use secure LDAP:

  • Log in to https://login-uk.mimecast.com/
  • Launch the Administration Console
  • Just above Dashboard, click Administration
  • Click Services
  • Click Directory Synchronization
  • Check the Encrypt Connection box
  • Set Encryption Mode to "Relaxed"
  • Change the Connection Port to 636
  • Click Test Connection, and you should see a result like this:

Connection to primary hostname/ip address on port 636:
Checking the IP address 
The IP address has a valid format.
The IP address is public.
Execute the connection with the given parameters:
Active Directory login completed
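Before (or after) running the Mimecast connection test above, it is worth confirming from your own side that the domain controller answers TLS on port 636 and presents the certificate generated in the first step, rather than some other certificate from the store. The following PowerShell function is an added example, not part of the original how-to; it assumes $DN is the same FQDN passed to New-SelfSignedCertificate, that the machine running it can reach the DC on TCP 636, and that $newcert is still in scope if you want the thumbprint comparison.

```powershell
# Added example (not from the original how-to): inspect the certificate the DC
# presents on 636. The default chain check rejects a self-signed certificate,
# so the handshake accepts anything and the checks are made explicitly below.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DN,   # DC FQDN, e.g. servername.domainname.com
        [int]$Port = 636,
        [string]$ExpectedThumbprint          # e.g. $newcert.Thumbprint from the steps above
    )
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($DN, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # Sends $DN as the target host; throws if nothing speaks TLS on the port
        $ssl.AuthenticateAsClient($DN)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $dnsType       = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for LDAPS
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        $thumbOk = $null
        if ($ExpectedThumbprint) { $thumbOk = ($cert.Thumbprint -ieq $ExpectedThumbprint) }

        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            NameMatchesDN   = ($cert.GetNameInfo($dnsType, $false) -ieq $DN)
            HasServerAuth   = $hasServerAuth
            NotExpired      = ($cert.NotAfter -gt (Get-Date))
            ThumbprintMatch = $thumbOk
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

# Usage: compare what the DC serves with the certificate created earlier
Test-LdapsCertificate -DN $DN -ExpectedThumbprint $newcert.Thumbprint
```

If NameMatchesDN or ThumbprintMatch comes back False, the DC is serving a different certificate than the one you generated, and the Mimecast test may still "succeed" while the encrypted channel is not the one you intended.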