So I'll start by saying that I've tried reading all the information available on this update since I found out about it via Reddit about 3 weeks ago, and even with a load of reading it still feels as clear as mud what EXACTLY will be changing.
My understanding so far is:
The March 2020 update was GOING to:
- Enable LDAP Channel Binding by changing HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding to 1
  - Information I found useful about this is https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
- Enable LDAP Signing by changing:
  - Domain Controller Policy setting 'Domain controller: LDAP server signing requirements' to Require Signing (registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity to 2)
  - Default Domain Policy setting 'Network security: LDAP client signing requirements' to Require Signing (registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters\ldapclientintegrity to 2)
  - Information I found useful about this is https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
Now, though, that has changed again and nothing will change with existing devices until possibly the 2nd half of the year.
To find any devices that are still using an unsupported connection method you can look in the Domain Controllers' Event Viewer under 'Directory Service' for event 2887, which lists the number of connections in the last 24 hours using the unsupported methods. If the event is found you can then update HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\16 LDAP Interface Events to a value of 2, and this will log each unsupported connection attempt with more information so it's easier to find the culprits.
Useful info I found about this is https://docs.microsoft.com/en-gb/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs
Code I found helpful that gets 2887 event info from each DC is below; change the first line to point at a text file with all your DCs in it.
$DClist = Get-Content "PATH TO TEXT FILE WITH DC NAMES GOES HERE"   # one DC name per line
$Hours = 24                                                        # look-back window for event 2887
$datetime = (Get-Date).ToString('d.M.y-h.m.s')                     # timestamp used as the output folder name
$creds = Get-Credential
foreach ($Computer in $DClist) {
    $events = $null
    Write-Host "Getting events on server $Computer"
    # Event 2887 in the Directory Service log summarises unsigned/clear-text binds in the last 24 hours
    $events = Get-WinEvent -Credential $creds -ComputerName $Computer -FilterHashtable @{LogName='Directory Service'; Id=2887; StartTime=(Get-Date).AddHours(-$Hours)}
    if (!(Test-Path -Path "C:\Temp\LDAP Bind Info\$datetime")) {
        New-Item -Path "C:\Temp\LDAP Bind Info\$datetime" -ItemType Directory | Out-Null
    }
    # One text file per DC containing the 2887 message(s)
    $events.Message | Out-File "C:\Temp\LDAP Bind Info\$datetime\$Computer - Event ID 2887.txt"
}
Is all the above correct? If so, then for now there is nothing to worry about, but later in the year an update will hit that will change these settings on the DCs and stop the unsupported LDAP connections.
I'd like to carry out the hardening work anyway, even if the update isn't going to hit, but I'm still not sure of the consequences. From what I can understand:
- Setting LDAP Channel Binding to 'Enabled' (value = 1) will have no impact on clients as it will fall back to supported methods.
- Setting LDAP Channel Binding to 'Enabled, always' (value = 2) will break any devices that do not support CBT (Apple Macs seem to be mentioned as not supporting this).
- Windows clients default to LDAP Signing 'Negotiate', so as long as a policy isn't setting 'None' anywhere your Windows devices will be using signing by default even if the DC is set to None(?)
- The only setting that could/will break connections seen in the 2887 event is the DC LDAP Signing policy being changed from 'None' to 'Require Signing'.
With this, if all LDAP services can be migrated to LDAPS and the 2887 event is no longer listed, then setting the DC LDAP Signing policy to 'Require Signing' will have no effect on current services or devices and will only affect new services brought online that don't use LDAP with signing or LDAPS by default?
Also, we have Apple Macs showing up in the 2887 event, but from reading these seem to be set to 'allowed but not required'. I've got our Mac specialist to enable signing on the Macs so the 2887 logs are less noisy before I go enabling anything on the DCs.
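As an added example (not from the original post) to go with the "find the culprits" step: once the '16 LDAP Interface Events' diagnostic is set to 2, each unsigned or clear-text bind is logged as Directory Service event 2889 on the DC, and this script collects those events from every DC and summarises them by client IP, identity and bind type. It assumes the same placeholder DC list file and output folder as the script above, that the 2889 message text carries 'Client IP address:', 'Identity the client attempted to authenticate as:' and 'Binding Type:' lines, and that bind type 0 means an unsigned SASL bind and 1 a clear-text simple bind.

```powershell
# Added example, not from the original post. Collect event 2889 (one per
# unsigned SASL bind or clear-text simple bind, logged once the NTDS diagnostic
# '16 LDAP Interface Events' is 2) from each DC and summarise who is doing it.
# Assumptions: the $DClist path and $OutCsv are placeholders; the 2889 message
# carries 'Client IP address:', 'Identity the client attempted to authenticate
# as:' and 'Binding Type:' lines; bind type 0 = unsigned SASL, 1 = clear-text.

$DClist = Get-Content "PATH TO TEXT FILE WITH DC NAMES GOES HERE"   # one DC per line
$Hours  = 24                                                        # look-back window
$OutCsv = "C:\Temp\LDAP Bind Info\Event2889-Summary.csv"
$creds  = Get-Credential

$BindType = @{ '0' = 'SASL bind without signing'; '1' = 'Simple bind in clear text' }

$results = foreach ($dc in $DClist) {
    Write-Host "Collecting 2889 events from $dc"
    # SilentlyContinue: a DC with no 2889 events in the window simply yields nothing
    $events = Get-WinEvent -ComputerName $dc -Credential $creds -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in $events) {
        # Pull the three labelled values out of the event text; drop the source port from the IP
        $ip = $identity = $type = $null
        if ($e.Message -match 'Client IP address:\s*(\S+)') { $ip = $Matches[1] -replace ':\d+$' }
        if ($e.Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $identity = $Matches[1].Trim() }
        if ($e.Message -match 'Binding Type:\s*(\d)') { $type = $Matches[1] }
        $typeName = if ($BindType.ContainsKey("$type")) { $BindType["$type"] } else { "Unknown ($type)" }
        [pscustomobject]@{
            DC       = $dc
            ClientIP = $ip
            Identity = $identity
            BindType = $typeName
        }
    }
}

# One row per DC / client / identity / bind type, noisiest first
$summary = $results | Group-Object DC, ClientIP, Identity, BindType |
    Select-Object @{n='Count';e={$_.Count}}, @{n='DC';e={$_.Group[0].DC}},
                  @{n='ClientIP';e={$_.Group[0].ClientIP}}, @{n='Identity';e={$_.Group[0].Identity}},
                  @{n='BindType';e={$_.Group[0].BindType}} |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize
New-Item -Path (Split-Path $OutCsv) -ItemType Directory -Force | Out-Null
$summary | Export-Csv -Path $OutCsv -NoTypeInformation
```

Once the summary is empty across all DCs for a full day, the 2887 count should also have dropped to zero, which is the point at which moving the DC policy to 'Require Signing' is unlikely to break anything that is currently working.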