This article describes how to enable LDAP signing in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows 10.<\/p>\n\n\n\n
Applies to:<\/em>\u00a0\u00a0 Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 – all editions You can significantly improve the security of a directory server by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or to reject LDAP simple binds that are performed on a clear text (non-SSL\/TLS-encrypted) connection. SASL binds may include protocols such as Negotiate, Kerberos, NTLM, and Digest.<\/p>\n\n\n\n Unsigned network traffic is susceptible to replay attacks. In such attacks, an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle (MIM) attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n After you make this configuration change, clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL\/TLS connection stop working. To help identify these clients, the directory server of Active Directory Domain Services (AD DS) or Lightweight Directory Server (LDS) logs a summary Event ID 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.<\/p>\n\n\n\n If you must have more information to identify such clients, you can configure the directory server to provide more detailed logs. This additional logging will log an Event ID 2889 when a client tries to make an unsigned LDAP bind. The log entry displays the IP address of the client and the identity that the client tried to use to authenticate. You can enable this additional logging by setting the 16 LDAP Interface Events<\/strong> diagnostic setting to 2 (Basic)<\/strong>. For more information about how to change the diagnostic settings, see How to configure Active Directory and LDS diagnostic event logging<\/a>.<\/p>\n\n\n\n If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL\/TLS connection, the directory server logs a summary Event ID 2888 one time every 24 hours when such bind attempts occur.<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n For information about possible affects of changing security settings, see Client, service, and program issues can occur if you change security settings and user rights assignments<\/a>.<\/p>\n\n\n\n Note<\/p>\n\n\n\n Logging anomaly of Event ID 2889<\/p>\n\n\n\n Applications that use third-party LDAP clients may cause Windows to generate incorrect Event ID 2889 entries. This occurs when you log of LDAP interface events and if This happens when LDAP clients use only sealing together with SASL. We have seen this in the field in association with third-party LDAP clients.<\/p>\n\n\n\n When a connection does not use both signing and sealing, the connection security requirements check uses the flags correctly and disconnect. The check generates Error 8232 (ERROR_DS_STRONG_AUTH_REQUIRED).<\/a><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n Important<\/p>\n\n\n\n Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration<\/a> in case problems occur.<\/p>\n\n\n\n By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<InstanceName><\/em>\\Parameters<\/p>\n\n\n\n Note<\/p>\n\n\n\n The placeholder <InstanceName> represents the name of the AD LDS instance that you want to change.<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n Ref: https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/identity\/enable-ldap-signing-in-windows-server<\/p>\n","protected":false},"excerpt":{"rendered":" This article describes how to enable LDAP signing in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows 10. Applies to:\u00a0\u00a0 Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 – all editionsOriginal KB number:\u00a0\u00a0 935834 Summary You can significantly improve the security of a directory server by configuring Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,15],"tags":[1621,1620],"class_list":["post-4795","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-windows-servers","tag-enable-ldap-signing","tag-enable-ldap-signing-in-windows-server"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4795"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4795\/revisions"}],"predecessor-version":[{"id":4796,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4795\/revisions\/4796"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Original KB number:<\/em>\u00a0\u00a0 935834<\/a><\/p>\n\n\n\nSummary<\/h2>\n\n\n\n
How to discover clients that do not use the Require signing option<\/h2>\n\n\n\n
How to configure the directory to require LDAP server signing for AD DS<\/h2>\n\n\n\n
LDAPServerIntegrity<\/code> is equal to 2<\/strong>. The use of sealing (encryption) satisfies the protection against the MIM attack, but Windows logs Event ID 2889 anyway.<\/p>\n\n\n\nUsing Group Policy<\/a><\/h3>\n\n\n\n
How to set the server LDAP signing requirement<\/h4>\n\n\n\n
How to set the client LDAP signing requirement by using local computer policy<\/h4>\n\n\n\n
How to set the client LDAP signing requirement by using a domain Group Policy Object<\/h4>\n\n\n\n
How to set the client LDAP signing requirement by using registry keys<\/h4>\n\n\n\n
LDAPServerIntegrity<\/code> registry entry of the REG_DWORD type under the following registry subkey:<\/p>\n\n\n\nHow to verify configuration changes<\/h4>\n\n\n\n
References<\/h2>\n\n\n\n