AlanLaPietra - Hey Alan, on the LDAP signing document [1] the following is said about the logging anomaly of event ID 2889:
"""
Applications that use third-party LDAP clients may cause Windows to generate incorrect Event ID 2889 entries. This occurs when you log LDAP interface events and if LDAPServerIntegrity is equal to 2. The use of sealing (encryption) satisfies the protection against the MIM attack, but Windows logs Event ID 2889 anyway. This happens when LDAP clients use only sealing together with SASL. We have seen this in the field in association with third-party LDAP clients.
"""
I think the wording is not entirely correct. When I use the following command to only require signing, no event ID 2889 is logged:
# ldapsearch -LLLY GSSAPI -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN -O maxssf=1
With the following command an event ID 2889 is still logged though:
# ldapsearch -LLLY GSSAPI -H ldap://ad1.win2016.test -b 'DC=win2016,DC=test' samaccountname=Administrator DN -O maxssf=256
In the latter case I use signing *and* sealing, but in the document it's said the anomaly happens when "only sealing" is used.
[1] https://support.microsoft.com/help/935834
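To reproduce the comparison above from the domain controller side, the following script is an added example that is not part of the original post or of the Microsoft document. It reads the two registry values the document refers to (LDAPServerIntegrity and the "16 LDAP Interface Events" diagnostics level), then pulls the Event ID 2889 entries from the Directory Service log and groups them by client address, identity and binding type, so a test client such as the ldapsearch host above can be checked for whether a given -O maxssf setting produced a 2889 entry. The field names matched by the regular expressions ("Client IP address:", "Identity the client attempted to authenticate as:", "Binding Type:") are assumed from the usual 2889 message text; adjust them if your DCs format the message differently.

```powershell
# Added example (not from the original post): summarise Event ID 2889 on a domain controller.
# Assumptions: run in an elevated session on the DC being tested; "16 LDAP Interface Events"
# is set to 2 so that 2889 is logged; the message layout matched below is the usual one
# (assumed, not taken from the page).

param(
    [int]$Hours = 24   # look-back window for the Directory Service log
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# The two settings the Microsoft document ties the anomaly to.
$integrity = (Get-ItemProperty -Path "$ntds\Parameters" -Name 'LDAPServerIntegrity' `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
$diag = (Get-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' `
         -ErrorAction SilentlyContinue).'16 LDAP Interface Events'

"LDAPServerIntegrity      : $integrity   (2 = require signing)"
"16 LDAP Interface Events : $diag   (2 = log 2889 for every unsigned SASL bind)"

# Collect the 2889 entries for the chosen window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No Event ID 2889 entries in the last $Hours hours."
    return
}

# Parse the free-text message into structured fields (regexes are assumptions about the layout).
$rows = foreach ($e in $events) {
    $m = $e.Message
    $ip  = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $who = if ($m -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') {
               $Matches[1].Trim() } else { '?' }
    $bt  = if ($m -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { -1 }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ClientIP    = $ip
        Identity    = $who
        BindingType = $bt
    }
}

# One line per (client, identity, binding type) so repeated test binds from the same
# ldapsearch host collapse into a count; compare the count before and after each maxssf run.
$rows | Group-Object ClientIP, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP';    e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity';    e = { $_.Group[0].Identity } },
        @{ n = 'BindingType'; e = { $_.Group[0].BindingType } },
        @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it once, perform the ldapsearch bind with -O maxssf=1, run it again, then repeat with -O maxssf=256; the difference in the count for the ldapsearch client's address shows which SASL security-layer setting the DC records as unsigned. Filtering on the client address rather than on the identity avoids confusing the test binds with other Administrator binds on a busy DC.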