Microsoft security update may cause downtime
+++ UPDATE MARCH 2020 +++
Microsoft has finally announced that the March 10, 2020 updates, and updates in the foreseeable future, will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.
Nevertheless, configuring LDAP Signing and LDAP Channel Binding remains under the control of administrators. If an administrator decides to use these security settings, the information below will help to cope with such a situation.
+++ ORIGINAL STATEMENT +++
We would like to inform all customers that a Microsoft security update (ADV190023) may cause incompatibility and downtime of services.
All LDAP-enabled clients may be affected. This includes Konica Minolta customers who have at least one of the following in use:
- one MFP or printer
- one production printing device or
- a software application from Konica Minolta in use.
Based on updated information from Microsoft, the security update, which enables LDAP Channel Binding and LDAP Signing on the domain controller, has been rescheduled to the second half of calendar year 2020.
According to Microsoft, Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.
Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default. However, in all cases, a reconfiguration of the LDAP connection settings on MFPs or software applications may be required.
Potentially affected customers, whether through manually changed GPOs or after installing the future security update, can either configure the Konica Minolta device themselves (for further information see below) or get in touch with their local Konica Minolta contact, who can provide support as an additional service.
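The following PowerShell is an added example, not part of the original notice or of any Konica Minolta or Microsoft tooling. It reads the domain controller's current LDAP signing and channel binding values and lists the clients (MFPs, printers, applications) recorded under Directory Service event 2889 as binding unsigned or in cleartext, which are the ones to move to LDAPS before enforcement. The registry value names, the event ID and its field order are taken from Microsoft's LDAP hardening guidance rather than from this page; the sample records and the names in them are constructed.

```powershell
# Added example. Run elevated on a domain controller.
# Prerequisite: event 2889 is only written when "16 LDAP Interface Events"
# under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is 2 or higher.
$UseSample = $false   # $true: parse the constructed records below instead of the live log
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    # A missing value means the domain controller is using its built-in default.
    $p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LDAPServerIntegrity       = $p.LDAPServerIntegrity        # 1 = none, 2 = require signing
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # 0 = never, 1 = when supported, 2 = always
    }
}

function ConvertTo-InsecureBind {
    # Event 2889 data: [0] client "ip:port", [1] identity, [2] bind type
    # (0 = SASL bind without signing, 1 = simple bind over cleartext LDAP).
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.Properties
        [pscustomobject]@{
            Client   = $d[0].Value -replace ':\d+$'
            Identity = $d[1].Value
            BindType = if ("$($d[2].Value)" -eq '1') { 'simple, cleartext' } else { 'SASL, unsigned' }
        }
    }
}

# Constructed sample records in the shape Get-WinEvent returns (not real log data).
$constructed = @(
    @{ Properties = @(@{ Value = '192.0.2.40:51844' }, @{ Value = 'EXAMPLE\svc-mfp' },  @{ Value = 1 }) }
    @{ Properties = @(@{ Value = '192.0.2.40:51902' }, @{ Value = 'EXAMPLE\svc-mfp' },  @{ Value = 1 }) }
    @{ Properties = @(@{ Value = '192.0.2.77:49810' }, @{ Value = 'EXAMPLE\svc-scan' }, @{ Value = 0 }) }
)

# @() keeps an empty result empty, so nothing is piped when no events exist.
$records = @(if ($UseSample) { $constructed } else {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue
})

Get-LdapHardeningState | Format-List
# One row per client/identity/bind type, busiest first: the devices to reconfigure.
$records | ConvertTo-InsecureBind |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result with diagnostic logging enabled means no client has made an unsigned or cleartext bind during the period the log covers.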
Instructions for configuring the device yourself:
If you want to ensure a smooth transition, please do not install the software security update prior to compatibility confirmation. Why not? By installing the software security update, LDAP channel binding and LDAP signing will be enabled by default, which may affect the compatibility of Konica Minolta MFPs or printers, production printing devices and software applications if they are configured to connect to a Microsoft Active Directory server using the LDAP protocol. As a result, LDAP connections, for example a user authentication request initiated on an MFP, may be refused. Users can then no longer log in to their devices or applications, causing service unavailability.
To configure the device yourself, you can do the following:
- Choose LDAPS (LDAP over SSL/TLS) and the simple authentication method for the Supported External Server Authentication configuration after applying the security update
- Choose LDAPS (LDAP over SSL/TLS) and the GSS-SPNEGO authentication method for the Supported LDAP (LDAP-IC card authentication / Simple print authentication / LDAP Address search) configuration after applying the security update
Further information can be obtained from the manual of your Konica Minolta device.
For Konica Minolta software applications, please contact your local Konica Minolta contact for detailed instructions.
If you would rather use Konica Minolta support for this, please get in touch with your local Konica Minolta contact. Our service team offers a service to update MFP and application configuration, which can be used prior to applying the Microsoft security update and ensures that you have a smooth transition without any downtime which might imperil your daily business work.
Please note that the required configuration changes are not related to a malfunction or failure of our products but are triggered by a change of the Microsoft Active Directory server environment.
For further information about LDAP channel binding and LDAP signing, please refer to the following Microsoft documents