@Alan La Pietra
Can you please clarify what effect this update will have on LDAP CLIENT signing (LdapClientIntegrity), specifically if it's currently set to negotiate? We are successfully using the following settings without any problems:
- DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing (LdapServerIntegrity = 2)
- Servers/Clients = policy "Network security: LDAP client signing requirements" = Negotiate Signing (LdapClientIntegrity = 1)
It seems, based on the information provided, that the update will only change LdapServerIntegrity and LdapEnforceChannelBinding. But it is still mentioned to change "Network security: LDAP client signing requirements" to Require Signing. Is this actually necessary, since client negotiation (which still provides LDAP signing) is the default anyway on modern Windows versions? Will we see any impact from this update for Windows clients if we keep LDAP server signing set to required and LDAP client signing set to negotiate?