Forum Discussion

DoJU70
Copper Contributor
May 11, 2026

Enforcing LDAP Signing breaks ADDS Replication (repadmin.exe)

Hi All,

 

After months of auditing Event ID 2889 and remediating application simple binds (clear text usernames/passwords over the wire), I was left with only SASL binds (that do not use signing).

 

I proceeded to set LDAP signing to 'negotiate' as per the GPOs below, several dozen Microsoft KBs and community guidance, e.g.:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server

 

Default Domain Controllers Policy

Domain controller: LDAP server signing requirements: 

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.

 

Default Domain Policy

Network security: LDAP client signing requirements:

Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.

 

I still noted 1,000s of Event ID 2889s (0 – SASL bind that does not use signing), primarily from DCs and ::1 addresses.

 

I proceeded with enforcing LDAP signing ("Require Signing" for both GPO settings above) and noted:

 

LDAP authentication was occurring via Kerberos (SASL/SPNEGO) with simple binds blocked as per tracing (and ldp.exe) confirmations:

 

Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required

Error 0x2028 A more secure authentication method is required for this server.

 

However, I came to work the next day and performed a manual replication:

 

 

Repadmin /Syncall /APeD

LDAP error 8 (Strong Authentication Required) Win32 Err 5.

 

So I had to revert back to Negotiate.

 

How can customers enforce LDAP signing if common Microsoft ADDS executables like repadmin.exe still use simple binds?

 

Any ideas appreciated, thank you in advance.

 

Steve
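The audit-and-verify loop described in the post (counting Event ID 2889 by client and binding type, then confirming that a simple bind is rejected once signing is required), as an added PowerShell example that is not part of the original post. It assumes it runs on, or against, a domain controller where the "16 LDAP Interface Events" diagnostic level has been raised to 2 so that 2889 is logged (as the linked Microsoft article describes), that the 2889 event's replacement strings are, in order, client IP:port, identity and binding type, and that `$DomainController`, `$Days` and the credential passed to `Test-SimpleBind` are placeholders you supply:

```powershell
# Added example, not code from the original post.
# Assumptions: run with rights to read the Directory Service log and the NTDS
# registry keys on the DC; $DomainController / $Days are placeholders.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 1
)

Set-StrictMode -Version Latest

# 1. Is Event ID 2889 being recorded at all? Level 2 logs every unsigned
#    SASL bind and every clear-text simple bind.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$level = (Get-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Write-Warning "'16 LDAP Interface Events' is $level; set it to 2 to log Event ID 2889"
}

# 2. Effective server-side setting written by the GPO
#    (LDAPServerIntegrity: 0 = None, 2 = Require signing).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$serverIntegrity = (Get-ItemProperty -Path $ntdsParams -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
"LDAPServerIntegrity = $serverIntegrity (0 = None, 2 = Require signing)"

# 3. Summarise 2889 by client, identity and binding type so the remaining
#    offenders (e.g. other DCs, ::1) are visible at a glance.
#    Assumption: Properties[0] = client IP:port, [1] = identity, [2] = binding type.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$summary = $events | ForEach-Object {
    $p = $_.Properties
    $type = switch ([string]$p[2].Value) {
        '0'     { 'SASL bind without signing' }
        '1'     { 'Simple bind (clear text)' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        Client      = [string]$p[0].Value -replace ':\d+$', ''   # drop the ephemeral port, keeps ::1 intact
        Identity    = [string]$p[1].Value
        BindingType = $type
    }
} | Group-Object Client, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';      e = { $_.Group[0].Client } },
        @{ n = 'Identity';    e = { $_.Group[0].Identity } },
        @{ n = 'BindingType'; e = { $_.Group[0].BindingType } }

$summary | Format-Table -AutoSize

# 4. Reproduce the ldp.exe check from the post without ldp.exe: a simple bind
#    over plain LDAP/389 must be refused with LDAP error 8
#    (Strong Authentication Required) once signing is enforced.
#    Use a throwaway test account for the credential.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        'Simple bind ACCEPTED: the DC is not requiring signing'
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 = StrongAuthRequired, matching "Error <8>" seen in ldp.exe
        "Simple bind rejected: LDAP error $($_.Exception.ErrorCode) - $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}

# Example call (placeholder credential prompt):
# Test-SimpleBind -Server $DomainController -Credential (Get-Credential 'CONTOSO\ldaptest')
```

Run step 3 repeatedly while the server setting is still None/Negotiate; the grouped output tells you which remaining sources are other DCs or loopback (::1) rather than applications. Step 4 gives the same pass/fail signal as the ldp.exe test in the post, and can be scripted against every DC before and after the GPO change so a rollback decision does not have to wait for the next manual replication run.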
