Microsoft security advisory ADV190023

Summary

In August 2019, Microsoft published security advisory ADV190023: Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing.

In the advisory, Microsoft recommends that Active Directory (AD) LDAP users require *SASL simple binds* to use signing, and *non-SASL simple binds* to go over SSL/TLS. ServiceNow customers who integrate their AD services with the ServiceNow platform are affected by the advisory, since this integration uses *non-SASL simple binds*.

Instructions

To implement the advisory, the customer first needs to enable LDAP over SSL/TLS (LDAPS) on the AD side.

On the ServiceNow side, in the LDAP server configuration, the protocol part of the URL must be changed from ldap:// to ldaps://.

If the SSL certificate on the AD side is public, no additional work is needed. If the SSL certificate on the AD side is not public, the Certificate Authority (CA) certificate used to sign the server's certificate must be imported into the ServiceNow instance, or into the MID Server if the AD server is accessed through a MID Server.

Importing the CA into the ServiceNow instance can be done conveniently through the Certificates module. If a MID Server is used, the CA must be added to the trust store of the JRE running the MID Server. Instructions are provided in Add SSL certificates for the MID Server.

Keep in mind that in Madrid and prior releases, the MID Server download bundled Java, so there is a "jre" folder within the MID Server directory. This means the path to the "cacerts" keystore would be:

"<path to the MidServerDirectory>\jre\lib\security\cacerts"
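
The MID Server import step above, as an added PowerShell example (not ServiceNow's own script): it checks that the file really is an unexpired CA certificate before adding it to the bundled JRE trust store, since every TLS connection the MID Server makes trusts what is in that file. The MID Server directory, certificate file name and alias are hypothetical placeholders, the presence of keytool.exe under jre\bin is assumed, and "changeit" is the JRE default trust store password, which may have been changed.

```powershell
# Added example. Placeholders below are assumptions; adjust for your environment.
$MidDir    = 'C:\ServiceNow\MidServer'      # hypothetical MID Server directory
$CaFile    = 'C:\certs\ad-issuing-ca.cer'   # hypothetical CA certificate file
$Alias     = 'ad-ldaps-ca'                  # hypothetical alias for the new entry
$StorePass = 'changeit'                     # JRE default; replace if changed

# Madrid and prior bundle the JRE inside the MID Server directory.
$Keytool = Join-Path $MidDir 'jre\bin\keytool.exe'   # assumed location
$Store   = Join-Path $MidDir 'jre\lib\security\cacerts'

foreach ($p in $Keytool, $Store, $CaFile) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}

# Refuse to trust anything that is not an unexpired CA certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate (basicConstraints CA flag missing): $($cert.Subject)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "CA certificate expired on $($cert.NotAfter): $($cert.Subject)"
}
Write-Host "Importing CA: $($cert.Subject) (valid until $($cert.NotAfter))"

# Keep a copy of the trust store so the change can be rolled back.
$Backup = "$Store.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
Copy-Item -LiteralPath $Store -Destination $Backup

# Import the CA as a trusted certificate entry.
& $Keytool -importcert -trustcacerts -noprompt `
    -alias $Alias -file $CaFile -keystore $Store -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed; backup is at $Backup" }

# Confirm the entry is present under the chosen alias.
& $Keytool -list -alias $Alias -keystore $Store -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found after import" }
```

A running JVM reads the trust store at startup, so the MID Server service typically needs a restart before the ldaps:// connection will validate against the new CA.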