Hi AlanLaPietra
Just to be clear, and hopefully we can clear up the last concerns 🙂
1. If the "Domain Controller: LDAP Server Signing" setting is already set to NONE by the "Default Domain Controllers Policy", how will the GPO settings be interpreted after the March 10, 2020 update is installed?
1.1 Off
1.2 Required
1.3 Or is it still None?
2. By default, the LdapEnforceChannelBinding registry setting does not exist in the Domain Controllers' registry, so what happens then?
2.1. Is it created by the update and set to 0, 1 or 2? (My best guess is no, but I'm not sure)
2.2 Nothing gets changed in the registry, clients are refused, and we get an LDAP ERROR 81?
2.3 The update for the Domain Controller has a hardcoded LdapEnforceChannelBinding setting with the value of 0, 1 or 2?
These are our major concerns regarding how to interpret the advisory article and the other KB articles referred to, and my guess is that the majority of the Microsoft community shares the same concerns.
What is the mitigation plan?
Stand by and be prepared for the worst case (have procedures for how to change the settings), or just preset the registry keys LdapSigningIntegrity = 0 and LdapEnforceChannelBinding = 0 on all our Domain Controllers?
Of course, in the long term, LDAP Signing and LDAP Channel Binding must be changed to "Required".
Best regards
Simon
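As an added example for the questions in Simon's post (this is not code from the thread and not a Microsoft-provided script), the following PowerShell records the exact state of the two registry values on every DC, distinguishing "value not present" from a value of 0, so the before/after state of the update can be compared, and optionally presets them with -WhatIf support. It assumes the value names documented for this hardening, LDAPServerIntegrity (1 = None, 2 = Require signing) and LdapEnforceChannelBinding (0 = Never, 1 = When supported, 2 = Always) under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, the "16 LDAP Interface Events" diagnostic for logging event 2889, the ActiveDirectory module for enumerating DCs, and WinRM remoting to them; the function names are my own.

```powershell
# Added example; not from the original thread. Function names are hypothetical.
# Registry value names and meanings are the documented ones for this hardening.

function Get-LdapHardeningState {
    # Run on a DC (locally or via Invoke-Command). Reports both values and whether
    # each is actually present, so an absent value is never silently read as 0.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $signing = @{ 1 = 'None'; 2 = 'Require signing' }
    $cbt     = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
    $props   = Get-ItemProperty -Path $key -ErrorAction Stop
    $sig     = $props.PSObject.Properties['LDAPServerIntegrity']
    $bind    = $props.PSObject.Properties['LdapEnforceChannelBinding']

    $sigValue  = $null; $sigText  = 'not present'
    $bindValue = $null; $bindText = 'not present'
    if ($sig)  { $sigValue  = [int]$sig.Value;  $sigText  = $signing[$sigValue] }
    if ($bind) { $bindValue = [int]$bind.Value; $bindText = $cbt[$bindValue] }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $sigValue
        SigningMeaning            = $sigText
        LdapEnforceChannelBinding = $bindValue
        ChannelBindingMeaning     = $bindText
    }
}

function Set-LdapHardeningState {
    # Presets only the values you pass. Use -WhatIf first.
    # Caveat: the security option "Domain controller: LDAP server signing requirements"
    # writes LDAPServerIntegrity itself, so a GPO that defines it will overwrite a
    # manual preset at the next policy refresh; put the intended value in the GPO
    # (or leave the GPO setting Not Defined) rather than fighting it from the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(1, 2)]    [int]$LDAPServerIntegrity,
        [ValidateSet(0, 1, 2)] [int]$LdapEnforceChannelBinding
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($name in 'LDAPServerIntegrity', 'LdapEnforceChannelBinding') {
        if (-not $PSBoundParameters.ContainsKey($name)) { continue }
        $value = $PSBoundParameters[$name]
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $value")) {
            Set-ItemProperty -Path $key -Name $name -Value $value -Type DWord
        }
    }
}

function Enable-LdapInterfaceEventLogging {
    # Raises the NTDS diagnostic so that unsigned binds are logged as event 2889
    # in the Directory Service log. This is how you find clients that would break
    # before moving either setting to "Required".
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBindEvents {
    # Returns the 2889 events from the last $Days days on this DC; the Message
    # field names the client address and the identity that bound without signing.
    param([int]$Days = 1)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-LdapHardeningStateForAllDCs {
    # Fan the read-only check out to every DC in the domain (needs the
    # ActiveDirectory module and WinRM access to the DCs).
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-LdapHardeningState} |
        Select-Object ComputerName, LDAPServerIntegrity, SigningMeaning,
                      LdapEnforceChannelBinding, ChannelBindingMeaning
}

# Typical use on a DC:
#   Get-LdapHardeningState                                  # record current state
#   Set-LdapHardeningState -LdapEnforceChannelBinding 0 -WhatIf
#   Enable-LdapInterfaceEventLogging; Get-UnsignedLdapBindEvents -Days 7
# From an admin workstation:
#   Get-LdapHardeningStateForAllDCs | Format-Table -AutoSize
```

Run Get-LdapHardeningStateForAllDCs once before the update and once after it, and diff the two outputs; that answers question 2.1 for your own environment directly instead of by guessing. Note that the example deliberately does not offer 0 for LDAPServerIntegrity, because the documented meanings of that value are 1 (None) and 2 (Require signing).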