Windchill - Microsoft Active Directory Security Change

Kate Hawkins

Microsoft is making a key change to the configuration of its Active Directory component of Microsoft server environments.

The release date for this change has been pushed back from the original March 2020 date.

GPSL is monitoring Microsoft’s release date for this change and will update this document once it is announced. The following describes the potential impact this change will have on your Windchill environment(s). This also includes the steps you can take to avoid Windchill downtime once the Active Directory change has been deployed in your environment.

Why is Windchill Affected?

Only Windchill environments that connect to Active Directory for user authentication may be affected. After Microsoft's update, Active Directory may reject Windchill's LDAP connection because it is not secure enough. Windchill would then stop working and would not start again until corrective action is taken (see below).

How Do I Know If My Windchill Installation Is Affected?

The Windchill environments that are most likely to be affected are environments that:

  • are running a Microsoft Windows server with Active Directory;
  • have Windchill installed and have an Active Directory (LDAP) configuration via Info*Engine; and
  • do not use TLS 1.2 or greater security.

Your Windchill environment is not affected by this change if you do not use Active Directory to authenticate Windchill users.

Your Windchill environment should not be affected by this change if you have deployed TLS 1.2 in your Windchill environment.
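The three conditions above come down to a check on the LDAP URLs that the Info*Engine adapter binds to, and on the TLS version the domain controller actually negotiates. The following Python script is an added example, not GPSL's or PTC's code: it classifies each configured URL (a plain ldap:// bind with no StartTLS is the plaintext case; ldaps:// or StartTLS still needs the negotiated version confirmed) and, when run with network access, confirms that a domain controller negotiates TLS 1.2 or later on port 636. The host names in `SAMPLE_ENTRIES` and the per-entry StartTLS flag are constructed placeholders; read the real values from your own Info*Engine adapter configuration.

```python
"""
Added example (not GPSL's or PTC's code): classify the LDAP URLs an
Info*Engine LDAP adapter points at, and optionally confirm that the
directory server negotiates TLS 1.2 or better on the LDAPS port.
"""
import socket
import ssl
from urllib.parse import urlsplit

LDAP_PORT = 389
LDAPS_PORT = 636


def classify_ldap_url(url, starttls=False):
    """Return (status, reason) for one LDAP URL.

    status is one of:
      "affected"  - plaintext ldap:// bind with no TLS; likely to break
      "review"    - encrypted, but confirm the negotiated TLS version
      "n/a"       - not an LDAP URL, so outside the scope of this change
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return "n/a", f"scheme {scheme!r} is not LDAP"
    host = parts.hostname or ""
    port = parts.port or (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)
    if scheme == "ldaps":
        return "review", f"ldaps://{host}:{port} encrypts the bind; verify TLS 1.2"
    if starttls:
        return "review", f"ldap://{host}:{port} with StartTLS; verify TLS 1.2"
    return "affected", f"ldap://{host}:{port} binds in plaintext"


def classify_adapter_urls(entries):
    """entries: iterable of (url, uses_starttls) read from adapter settings."""
    return {url: classify_ldap_url(url, starttls) for url, starttls in entries}


def probe_tls_version(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Open a TLS session to host:port and report the negotiated protocol.

    Returns (ok, detail). ok is True only when the server negotiates
    TLS 1.2 or later with a certificate the local trust store accepts.
    Needs network access; pass cafile for a private domain CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{host}:{port} negotiated {tls.version()}"
    except ssl.SSLError as exc:
        return False, f"{host}:{port} TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"{host}:{port} unreachable: {exc}"


# Constructed sample: hypothetical Info*Engine LDAP adapter URLs and
# whether each one is configured to upgrade with StartTLS.
SAMPLE_ENTRIES = [
    ("ldap://dc01.example.com", False),
    ("ldap://dc01.example.com:389", True),
    ("ldaps://dc01.example.com:636", False),
]

if __name__ == "__main__":
    for url, (status, reason) in classify_adapter_urls(SAMPLE_ENTRIES).items():
        print(f"{status:9} {reason}")
    # Live probe against your own domain controller (placeholder host):
    # print(probe_tls_version("dc01.example.com"))
```

An "affected" result is the case option 2 below addresses; a "review" result still needs the live probe, since an ldaps:// endpoint that only offers TLS 1.0 or 1.1 does not meet the TLS 1.2 minimum this notice describes.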

What To Do To Ensure Windchill Does Not Go Down?

There are several options based on certain environmental conditions:

  1. If your network is isolated by a firewall, not open to the Internet, and has no specific security requirements, you can potentially undo the Microsoft patch via a couple of documented steps provided by Microsoft.
  2. If your Windchill installation uses unencrypted LDAP binds (ldap://), you can upgrade your Windchill installation to the minimum security configuration, TLS 1.2.
  3. If your Windchill environment is using SSL, you can pre-test the patch and see if your environment will be affected, though upgrading to better security, TLS 1.2, is recommended.
  4. If your Windchill installation is already configured for TLS 1.2, you can pre-test the patch and see if any change is needed.

What If I Need Assistance Checking And Preventing Downtime?

GPSL has the following support options available to you:

  • Pre-testing support: GPSL will evaluate and test your environment for the vulnerability.
  • Upgrading to TLS and pre-testing: GPSL will upgrade your environment to TLS 1.2 and test the LDAP connection.
  • Configure Windchill to connect to your Active Directory: GPSL will configure your Windchill to connect to your Active Directory if you do not currently use Active Directory.

More Information

  • The Active Directory change, as noted by Microsoft (ADV190023)
  • The security concern causing the change to Active Directory (CVE-2017-8563)
  • Windchill’s known error for this situation (CS319094)
