topic Active Directory enrollment authentication in Endpoint Security

Active Directory enrollment authentication

Marcel Kamenz — Fri, 02 Aug 2024 06:44:03 GMT

Hi,

I am still confused about the changelog entry of the current agent version 4.2.2.
It says the following:
[Update] Removed support for Active Directory enrollment authentication (local unencrypted LDAP proxy).

Does this mean that the connection to the AD no longer works?
I had opened a ticket and was told that LDAPS (secure) would work. On my test client, however, I don't see a single request going out to the domain controller in Wireshark.

Re: Active Directory enrollment authentication

Marcel Kamenz — Mon, 26 Aug 2024 20:48:25 GMT

Nobody out there using the AD enrollment auth? Any suggestions how to automate the enrollment without this?

Re: Active Directory enrollment authentication

nbv1 — Tue, 27 Aug 2024 22:07:05 GMT

I don't use AD enrollment but, updating your LDAP proxy and/or your AD servers (if they're not already) to use LDAPS is probably the easiest. Especially if you were already using AD authentication. Running it with a certificate and turning on SSL/TLS over port 636 is kind of the basis of that.

If you don't want to bother with that, you can still fully manage devices inside of Systems Manager. Configure your enrollment settings with a certificate authority cert, create automated enrollment profiles, assign profiles to computers or to users you create in Meraki, use tags to manage device and software deployments, and create profiles inside of Meraki and assign those to your tags.

Not sure what your current setup is but, there's a few ways get the end result depending on what you're wanting. Enabling LDAPS sounds like the cleanest option in your case since your basically there already without the encryption.

Re: Active Directory enrollment authentication

Gelo1 — Thu, 19 Sep 2024 16:33:44 GMT

It doesn't mean AD connections no longer work. The update just removed support for unencrypted LDAP. Secure connections via LDAPS should still be fine. If you're not seeing any traffic, maybe double-check the LDAPS configuration or make sure the correct ports are open?

Re: Active Directory enrollment authentication

Marcel Kamenz — Mon, 23 Sep 2024 06:28:16 GMT

Certificate was good hint, I hadn't thought of that. 😵
But sure, it's encrypted -> cert needed.

Test will follow....