MicrosoftMicrosoftThe LDAP Channel Binding Token (CBT) feature is separate from signing and securing of the actual LDAP authentication (be it via LDAPS or SASL). CBTs are done to ensure that the SSL traffic itself can't be Man-in-the-middle'd (MITM), however, less things are compatible with them. A lot of 3rd party things don't support it, including Macs, some Linux distros, and even potentially 3rd party apps running on Windows machines, depending on how they are programmed. You'd be better of setting CBT to 1 (When Supported) rather than 2 (Required), at least to start. Then you can monitor the new Audit entries that have been added in the March updates to see what might not be working. Of course, getting everything to be CBT compatible may take a while. If you can enforce Certificate Validation on all of your 3rd party stuff doing LDAPS queries, this will help mitigate the risk some as it won't be possible for an attacker to impersonate your Domain Controller to perform the MITM.
So, to answer your question ShaharBiras - It will work if the device/software that is initiating the LDAPS query supports CBTs. If it doesn't, it won't. Technically the type of bind within the LDAPS packet shouldn't matter, only if the two ends support CBTs.
