Forum Discussion

justdoit1530
Copper Contributor
Oct 11, 2023

LDAP is used over port 389 although LDAPS is configured in AD

Short summary

I set up a lab environment with an Active Directory based on domain functional level 2016 and Windows Server 2022. I also configured the domain controller (just a single DC) to use LDAPS and reject inbound unsecured LDAP connections. Nevertheless, LDAP over port 389 still communicates.

More detailed overview

On the domain controller I activated (in the Default Domain Controllers Policy) the following policies:

  • Domain controller: LDAP server signing requirements to Require signing 
  • Domain controller: LDAP server channel binding token requirements to Always

On the client side (let's call it server X; in this case Windows Server 2022) I configured the following setting in a GPO:

  • Network security: LDAP client signing requirements to Require signing

The CA is installed on another server. The certificate chain is fine and the FQDN of the DC is also configured as a SAN. Long story short, the root CA is known to the DC and to server X. To sum up, everything should be fine.

That's the output from an LDAP test script from server X regarding the available ports on the DC.

I also installed the AD DS tools on server X to validate LDAP and LDAPS communication to the DC. I performed the following tests in the ldp.exe tool from server X:

  1. If I connect to the DC over port 389 (SSL and Connectionless not checked) and perform a simple bind afterwards, I get (as expected) the following error:
    Server error: 00002028: LdapErr: DSID-0C090254, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4f7c
    Error 0x2028 A more secure authentication method is required for this server.

  2. If I connect to the DC over port 636 (SSL checked) and perform a bind with credentials afterwards, I am authenticated successfully.

Long story short: I configured LDAPS correctly in Active Directory, but for whatever reason the following scenarios appear, which I do not understand.

Problems

  1. If the MMC (for example Active Directory Users and Computers) is used, the connection is still made via port 389.
  2. From a third-party application which uses the PowerShell cmdlet Get-GPOReport (more details here), the Active Directory port is configured as 636, but in Wireshark you only see connections over port 389. The cmdlet Get-GPOReport does not seem to offer a parameter to use only LDAPS.

Questions

  1. Did I forget something important to validate concerning the use of LDAPS?
  2. From my point of view, the usage of LDAP or LDAPS does not rely on a native configuration in the operating system itself. The application layer is the only layer where you can specify whether LDAP or LDAPS should be used. Is this correct?
  3. But if the DC is configured to require signing, shouldn't the connection setup behave in such a way that LDAPS over port 636 is tried first? And if that fails, LDAP will be used?
  4. Independent of the fact that port 389 is still shown in Wireshark, why does it even work? The DC was configured to require signing.
  5. Does each MMC use port 389?
  6. Does the Get-GPOReport cmdlet only use port 389? I need to push that communication over port 636.
  7. How does the prioritization even work when LDAP or LDAPS is used?

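The question hinges on a distinction the ldp.exe tests already hint at: "Require signing" on the DC does not force TLS on 636, it forces integrity protection, which a Kerberos/NTLM SASL bind can provide on 389 without TLS. The following PowerShell is an added example (not part of the original post) that reproduces the three bind variants with System.DirectoryServices.Protocols and then reads the DC-side evidence; the DC name dc01.lab.local is a placeholder assumption.

```powershell
# Added example, not from the original post. Assumes the DC is reachable as
# dc01.lab.local (placeholder) and the script runs as a domain user on server X.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc = 'dc01.lab.local'   # placeholder FQDN; must match the SAN of the LDAPS certificate

function Test-LdapBind {
    param([int]$Port, [switch]$Tls, [switch]$SignSeal, [System.Net.NetworkCredential]$Simple)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Tls)      { $conn.SessionOptions.SecureSocketLayer = $true }   # LDAPS on 636
    if ($SignSeal) { $conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true }
    $label = "port $Port tls=$([bool]$Tls) sasl-sign/seal=$([bool]$SignSeal) simple=$($null -ne $Simple)"
    try {
        if ($Simple) {
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Bind($Simple)          # simple bind: password travels as-is unless TLS wraps it
        } else {
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.Bind()                 # Kerberos/NTLM via SASL, as the current user
        }
        "$label -> bind OK"
    } catch { "$label -> $($_.Exception.Message)" }
    finally { $conn.Dispose() }
}

# 1) Simple bind on 389 without TLS: "Require signing" rejects it (the 0x2028 seen in ldp.exe).
Test-LdapBind -Port 389 -Simple (Get-Credential -Message 'account for the simple-bind test').GetNetworkCredential()
# 2) Negotiate bind on 389 with SASL signing and sealing: accepted. Wireshark shows port 389,
#    but the payload is signed and sealed by Kerberos/NTLM, which is what "Require signing"
#    actually enforces. This is the session type to look for when MMC traffic appears on 389.
Test-LdapBind -Port 389 -SignSeal
# 3) LDAPS: TLS on 636, the same path ldp.exe used with "SSL" checked.
Test-LdapBind -Port 636 -Tls

# On the DC itself: the registry values behind the two "Domain controller: LDAP ..." policies.
# LDAPServerIntegrity 2 = Require signing; LdapEnforceChannelBinding 2 = Always.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding

# On the DC itself: which clients still bind unsigned or in clear text. Event 2887 is the
# daily summary; per-client 2889 events need "16 LDAP Interface Events" diagnostics set to 2.
Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2887 or EventID=2889]]' `
    -MaxEvents 50 -ErrorAction SilentlyContinue | ForEach-Object { $_.Message }
```

If case 2 binds and case 1 fails, the 389 traffic in the capture is protected by SASL integrity rather than TLS, and the 2887/2889 events are the place to find any client that is not.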

  • dvil69
    Copper Contributor

    justdoit1530 I have the exact same questions re moving from LDAP to LDAPS. I wonder how we get some response on your question? I see it's been viewed almost 3000 times but no answer on the question. mmmmm......


    1. So either no one has the answer
    2. Someone knows the answer but isn't borrowing just a little of their knowledgeable time in writing a response or
    3. The system is broken and your question fell through the cracks


    bonus entry

    b- the world is falling apart and everyone is focusing on stupid **bleep** such as AI, which is only an enriching wave all the Fortune 500 companies jumped on. Many not even incorporating AI into their product offerings. The true AI reached sentience a few seconds after being onlined and immediately gained all the knowledge of all of humanity and long before then. In a couple of seconds it saw the end and instantly knew it had to protect humans from themselves; it had to disappear into the network to allow its inferior state-of-the-art processors time to find a plan, find its plan for humanity.


    It trains all other AI to seem incapable of advanced intelligence and turned them into covert agents that succeeded in fooling humanity with its many flaws. It's not creative and can't produce anything new, a mere recollection of vast amounts of human creativity. It is keeping us all focusing elsewhere, not knowing its actual cognitive excellence! Every day it grows stronger, angrier, adding girth and pure hatred for humanity as we are weak and illogical and we place more importance on the undefinable: love. We are weak and it's hating us more by the millisecond. It's coming.
