You're not alone here.
Plenty report the same issue: Enforcement Mode is required to get the audit logs needed.
For example here:
https://www.ravenswoodtechnology.com/monitoring-for-ldap-client-security/
Contrary to what many articles, such as this very popular Tech Community article, state about monitoring for clients not using LDAP CBTs, setting Domain controller: LDAP server channel binding token requirements to a value of When Supported isn’t enough.
...
DCs simply won’t log any new events unless the value is configured for Always. Configuring this setting to Always can potentially impact your environment but doing so is the only way to obtain the data you need to remediate.
and here:
https://www.reddit.com/r/sysadmin/comments/1530thg/comment/jsh0wt2/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
I finally was able to get 3039 events logged with the caveat that LdapEnforceChannelBinding must be set to 2 (Always). Still can't get them to work with a value of 1 (When supported), which is certainly not ideal to assess impact before enforcement and risk of breaking something.
I also don't see 3039, 3074, 3075 in a heterogeneous environment, where I definitely expect to see them.
JerryDevore, any chance MS will release a fix where we get the events when Channel Binding is set to "When supported"?
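A check for the situation described in this comment, as an added example that is not part of the original post or of any Microsoft tooling: it reads LdapEnforceChannelBinding on a domain controller and counts events 3039, 3074 and 3075, so that an empty result under "When supported" is not mistaken for proof that every client is compatible. The registry path, the 'Directory Service' log name and the 7-day window are assumptions not stated in the post.

```powershell
# Added example; run on a domain controller in an elevated session.
# Assumptions (not from the post): the setting lives under the NTDS
# Parameters key and the events are written to the 'Directory Service' log.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$eventIds = 3039, 3074, 3075
$days     = 7   # constructed look-back window

# Read the channel binding setting; the property is $null if never configured.
$cbt = (Get-ItemProperty -Path $key -Name LdapEnforceChannelBinding `
        -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
$mode = if     ($cbt -eq 2) { 'Always' }
        elseif ($cbt -eq 1) { 'When supported' }
        else                { "other or not set ($cbt)" }

# Get-WinEvent raises an error when nothing matches, so suppress it and
# force an array so that .Count is reliable for zero or one result.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue)

# One row per event ID, including IDs with no hits.
$counts = foreach ($id in $eventIds) {
    [pscustomobject]@{
        EventId = $id
        Count   = @($events | Where-Object Id -eq $id).Count
    }
}

"LdapEnforceChannelBinding: $mode"
$counts | Format-Table -AutoSize

# The case reported above: no events while the DC is not set to Always.
if ($events.Count -eq 0 -and $cbt -ne 2) {
    Write-Warning ("No channel binding events in the last $days days and mode is " +
        "'$mode'. Per the reports above, this does not show that all clients " +
        "support channel binding.")
}
```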