Home
%3CLINGO-SUB%20id%3D%22lingo-sub-921536%22%20slang%3D%22en-US%22%3ELDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921536%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EHi%20All%2C%20Alan%20here%20again%2C%20this%20time%20trying%20to%20give%20some%20details%20on%20these%20two%20settings%20that%20will%20become%20active%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Efrom%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BJanuary%202020%20and%20they%20are%20creating%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Esome%20misunderstandings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELet%E2%80%99s%20start%20saying%20that%20since%20Windows%20Server%202008%20we%20have%20events%202886%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C2887%2C2888%20and%202889%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blogged%20every%2024%20hours%20on%20the%20Directory%20Services%20log%20that%20tells%20us%20we%20are%20using%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethese%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eunsecure%20protocols%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogging%20is%20our%20friend%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2886%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ET%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eelling%20us%20that%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eour%20DCs%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eare%20not%20r%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eequir%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eing%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BLDAP%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsigning%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941829(v%3Dws.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941829(v%3Dws.10)%3Fredirectedfrom%3DMSDN%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2887%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ET%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eelling%20us%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehow%20many%20such%20bind%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Boccurred%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941856(v%3Dws.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941856(v%3Dws.10)%3Fredirectedfrom%3DMSDN%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDuring%20the%20previous%2024%20hour%20period%2C%20some%20clients%20attempted%20to%20perform%20LDAP%20binds%20that%20were%20either%3A%20(1)%20A%20SASL%20(Negotiate%2C%20Kerberos%2C%20NTLM%2C%20or%20Digest)%20LDAP%20bind%20that%20did%20not%20request%20signing%20(integrity%20validation)%2C%20or%20(2)%20A%20LDAP%20simple%20bind%20that%20was%20performed%20on%20a%20cleartext%20(non-SSL%2FTLS-encrypted)%20connection%20This%20directory%20server%20is%20not%20currently%20configured%20to%20reject%20such%20binds.%20The%20security%20of%20this%20directory%20server%20can%20be%20significantly%20enhanced%20by%20configuring%20the%20server%20to%20reject%20such%20binds.%20For%20more%20details%20and%20information%20on%20how%20to%20make%20this%20configuration%20change%20to%20the%20server%2C%20please%20see%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CA%20href%3D%22http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkID%3D87923%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehttp%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkID%3D87923%3C%2FSPAN%3E%3C%2FI%3E%3C%2FA%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Summary%20information%20on%20the%20number%20of%20these%20binds%20received%20within%20the%20past%2024%20hours%20is%20below.%20You%20can%20enable%20additional%20logging%20to%20log%20an%20event%20each%20time%20a%20client%20makes%20such%20a%20bind%2C%20including%20information%20on%20which%20client%20made%20the%20bind.%20To%20do%20so%2C%20please%20raise%20the%20setting%20for%20the%20%22LDAP%20Interface%20Events%22%20event%20logging%20category%20to%20level%202%20or%20higher.%20Number%20of%20simple%20binds%20performed%20without%20SSL%2FTLS%3A%20%22Value%22%20Number%20of%20Negotiate%2FKerberos%2FNTLM%2FDigest%20binds%20performed%20without%20signing%3A%20%22Value%22%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20suggested%20path%20to%20resolve%20this%20error%20is%20do%20modify%20the%20registry%20of%20the%20DC%20to%20allow%20it%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elog%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthose%20failures.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERegistry%20to%20add%3A%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReg%20Add%20HKLM%5CSYSTEM%5C%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECurrentControlSet%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%5CServices%5CNTDS%5CDiagnostics%20%2Fv%20%2216%20LDAP%20Interface%20Events%22%20%2Ft%20REG_DWORD%20%2Fd%202%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6..%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%20the%20registry%20key%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2216%20LDAP%20Interface%20Events%22%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20configured%20we%20will%20have%20event%202889%20telling%20us%20who%20is%20using%20this%20type%20of%20unsecure%20protocol%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2889%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewill%20tell%20us%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIP%20Address%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bof%20the%20client%20connecting%20with%20this%20type%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eprotocols%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2888%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20the%20directory%20server%20is%20configured%20to%20reject%20unsigned%20SASL%20LDAP%20binds%20or%20LDAP%20simple%20binds%20over%20a%20non-SSL%2FTLS%20connection%2C%20the%20directory%20server%20will%20log%20a%20summary%20event%202888%20one%20time%20every%2024%20hours%20when%20such%20bind%20attempts%20occur.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%20we%20know%20who%20is%20using%20these%20types%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EU%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ensecure%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EP%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Erotocols%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bwe%20should%20consider%20disabling%20them%20before%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethey%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bwill%20be%20enforced%20by%20January%202020%20updates.%20This%20should%20be%20done%20on%20Client%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20Server%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20DC%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bside.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20security%20bulletin%20states%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20following%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3ELDAP%20channel%20binding%3C%2FSPAN%3E%3C%2FI%3E%3C%2FA%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFand%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3ELDAP%20signing%3C%2FSPAN%3E%3C%2FI%3E%3C%2FA%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFprovide%20ways%20to%20increase%20the%20security%20for%20communications%20between%20LDAP%20clients%20and%20Active%20Directory%20domain%20controllers.%20A%20set%20of%20unsafe%20default%20configurations%20for%20LDAP%20channel%20binding%20and%20LDAP%20signing%20exist%20on%20Active%20Directory%20Domain%20Controllers%20that%20let%20LDAP%20clients%20communicate%20with%20them%20without%20enforcing%20LDAP%20channel%20binding%20and%20LDAP%20signing.%20This%20can%20open%20Active%20directory%20domain%20controllers%20to%20elevation%20of%20privilege%20vulnerabilities.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EThis%20advisory%20addresses%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bthe%20issue%20by%20recommending%20a%20new%20set%20of%20safe%20default%20configurations%E2%80%AFfor%20LDAP%20channel%20binding%20and%20LDAP%20signing%20on%20Active%20Directory%20Domain%20Controllers%20that%20supersedes%20the%20original%20unsafe%20configuration.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%3CSTRONG%20class%3D%22%22%3Evalue%3A%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E0%3C%2FSTRONG%3E%26nbsp%3Bindicates%26nbsp%3B%3CEM%20class%3D%22%22%3Edisabled.%26nbsp%3BNo%20channel%20binding%20validation%20is%20performed.%20This%20is%20the%20behavior%20of%20all%20servers%20that%20have%20not%20been%20updated.%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%20class%3D%22%22%3Evalue%3A%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E1%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bindicates%26nbsp%3B%3C%2FSPAN%3E%3CEM%20class%3D%22%22%3Eenabled%3C%2FEM%3E%3CSPAN%3E%2C%20when%20supported%20%5B......%5D%26nbsp%3BThis%20is%20an%20intermediate%20option%20that%20allows%20for%20application%20compatibility.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%3CEM%20class%3D%22%22%3E%3CSTRONG%20class%3D%22%22%3Evalue%3A%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E2%26nbsp%3B%3C%2FSTRONG%3Eindicates%26nbsp%3B%3CEM%3Eenabled%2C%20always%20(All%20clients%20must%20provide%20channel%20binding%20information.%20The%20server%20rejects%20authentication%20requests%20from%20clients%20that%20do%20not%20do%20so)%3C%2FEM%3E%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlso%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EADV190023%20%7C%20Microsoft%20Guidance%20for%20Enabling%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EVery%20important%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20need%20to%20have%20this%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECVE-2017-8563%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Einstalled%20on%20your%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eclients%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eas%20a%20prerequisite%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbefore%20enabling%20LDAP%20Channel%20Binding%20and%20LDAP%20Integrity%20on%20DCs%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559738%26quot%3B%3A60%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A324%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECVE-2017-8563%20%7C%20Windows%20Elevation%20of%20Privilege%20Vulnerability%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E(REQUIRED)%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559738%26quot%3B%3A60%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A324%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EAn%20elevation%20of%20privilege%20vulnerability%20exists%20in%20Microsoft%20Windows%20when%20a%20man-in-the-middle%20attacker%20is%20able%20to%20successfully%20forward%20an%20authentication%20request%20to%20a%20Windows%20LDAP%20server%2C%20such%20as%20a%20system%20running%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20or%20Active%20Directory%20Lightweight%20Directory%20Services%20(AD%20LDS)%2C%20which%20has%20been%20configured%20to%20require%20signing%20or%20sealing%20on%20incoming%20connections.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20update%20addresses%20this%20vulnerability%20by%20incorporating%20support%20for%20Extended%20Protection%20for%20Authentication%20security%20feature%2C%20which%20allows%20the%20LDAP%20server%20to%20detect%20and%20block%20such%20forwarded%20authentication%20requests%20once%20enabled.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMain%20thing%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Epoint%20out%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewhich%20values%20will%20these%20settings%20have%20once%20the%20January%202020%20update%20rolls%20out%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHere%20they%20are%3A%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Channel%20Binding%20%3D%201%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAD%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSystem%5CCurrentControlSet%5CServices%5CNTDS%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EADLDS%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSYSTEM%5C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ECurrentControlSet%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CServices%5C%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CLDS%20instance%3D%22%22%20name%3D%22%22%3E%3C%2FLDS%3E%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CU%3E%3CSTRONG%3Evalue%3A%3C%2FSTRONG%3E%E2%80%AF%3CSTRONG%3E1%3C%2FSTRONG%3E%3C%2FU%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFindicates%E2%80%AF%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenabled%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20when%20supported.%20All%20clients%20that%20are%20running%20on%20a%20version%20of%20Windows%20that%20has%20been%20updated%20to%20support%20channel%20binding%20tokens%20(CBT)%20must%20provide%20channel%20binding%20information%20to%20the%20server.%20Clients%20that%20are%20running%20a%20version%20of%20Windows%20that%20has%20not%20been%20updated%20to%20support%20CBT%20do%20not%20have%20to%20do%20so.%20This%20is%20an%20intermediate%20option%20that%20allows%20for%20application%20compatibility.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22o%22%20data-font%3D%22Courier%20New%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%222%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Server%20Integrity%20(signing)%20%3D%20enabled%20by%20default%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EI%20want%20to%20note%20that%20this%20article%20shows%20two%20sections%20related%20to%26nbsp%3B%3CU%3Eserver%3C%2FU%3E%20and%20%3CU%3Eclient%2C%3C%2FU%3E%26nbsp%3Bthat%20need%20to%20be%20configured%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20How%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eserver%20LDAP%20signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequirement%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A1440%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A480%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20How%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eclient%20LDAP%20signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequirement%20through%20a%20domain%20Group%20Policy%20Object%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A1440%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A480%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EImportant%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ENotes%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20Before%20you%20enable%20this%20setting%20on%20a%20Domain%20Controller%2C%20clients%20must%20install%20the%20security%20update%20that%20is%20described%20in%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8563%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECVE-2017-8563%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%20Otherwise%2C%20compatibility%20issues%20may%20arise%2C%20and%20LDAP%20authentication%20requests%20over%20SSL%2FTLS%20that%20previously%20worked%20may%20no%20longer%20work.%20By%20default%2C%20this%20setting%20is%20disabled.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%5B0%2C8%5D%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20The%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ELdapEnforceChannelBindings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bregistry%20entry%20must%20be%20explicitly%20created.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%5B0%2C8%5D%7D%22%3E%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20LDAP%20server%20responds%20dynamically%20to%20changes%20to%20this%20registry%20entry.%20Therefore%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eyou%20do%20not%20have%20to%20restart%20the%20computer%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bafter%20you%20apply%20the%20registry%20change.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%5B0%2C8%5D%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ETo%20maximize%20compatibility%20with%20older%20operating%20system%20versions%20(Windows%20Server%202008%20and%20earlier%20versions)%2C%20we%20recommend%20that%20you%20enable%20this%20setting%20with%20a%20value%20of%E2%80%AF%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E1%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ETo%20explicitly%20disable%20the%20setting%2C%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ELdapEnforceChannelBinding%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bentry%20to%E2%80%AF%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E0%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AF(zero).%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EWindows%20Server%202008%20and%20older%20systems%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequire%20that%20Microsoft%20Security%20Advisory%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Flibrary%2Fsecurity%2F973811%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E973811%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20available%20in%20%E2%80%9CKB%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F968389%2Fextended-protection-for-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E968389%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFExtended%20Protection%20for%20Authentication%E2%80%9D%2C%20be%20installed%20before%20installing%20CVE-2017-8563.%E2%80%AFIf%20you%20install%E2%80%AFCVE-2017-8563%20without%20KB%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F968389%2Fextended-protection-for-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E968389%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFon%20a%20Domain%20controller%20or%20AD%20LDS%20instance%2C%20all%20LDAPS%20connections%20will%20fail%20with%20LDAP%20error%2081%20-%20LDAP_SERVER_DOWN.%20In%20addition%2C%E2%80%AFwe%20strongly%20recommended%20that%20you%20also%20review%20and%20install%20the%20fixes%20documented%20in%20the%20Known%20Issues%20section%20of%20KB%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F968389%2Fextended-protection-for-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E968389%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESummarizing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CLI-WRAPPER%3E%3C%2FLI-WRAPPER%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3ESummarizing%20a%20little%20this%20long%20article%20we%20can%20state%20the%20following%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22none%22%3EDirectory%20Services%20Log%20is%20our%20friend%3A%20Event%20IDs%202886%2C2887%2C2888%2C2889%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22none%22%3EOn%20Clients%20we%20need%20to%20have%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bas%20a%20prerequisite%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8563%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECVE-2017-8563%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%E2%80%9CExtended%20Protection%20for%20Authentication%E2%80%9D%20before%20we%20enable%20LDAP%20CBT%20and%20LDAP%20Signing%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EIf%20we%20don%E2%80%99t%20want%20to%20wait%20for%20the%20January%202020%20update%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22none%22%3EEnable%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ELdapEnforceChannelBinding%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3D%201%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22none%22%3EEnable%20GPO%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ELDAP%20Server%20Signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDC%20%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%20%3D%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BRequire%20Signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EServers%2FClients%20%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENetwork%20security%3A%20LDAP%20client%20signing%20requirements%20Properties%20%3D%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BRequire%20Signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHope%20this%20helps%20understanding%20how%20these%20settings%20work%20and%20how%20they%20will%20be%20configured%20after%20the%20January%202020%20update%2C%20which%20can%20affect%20your%20LDAP%20Authentication%20if%20you%20don%E2%80%99t%20make%20any%20changes.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERegards%20to%20All%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlan%20%40%20PFE%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-921536%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20200px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F146785iAB1D8DD1B1FD285A%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20alt%3D%22Micro%20Services_White.gif%22%20title%3D%22Micro%20Services_White.gif%22%20%2F%3E%3C%2FSPAN%3EUpcoming%20January%202020%20updates%20will%20change%20default%20behavior%20of%20LDAP%20CBT%20and%20Signing%20(integrity).%20Want%20to%20know%20more%3F%20Just%20go%20through%20this%20article.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-921536%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ealanlapietra%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-988523%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-988523%22%20slang%3D%22en-US%22%3ECould%20someone%20PLEASE%20help%20me%20understand%20something%3F%20If%20I%20set%20the%20server%20to%20require%20signing%2C%20but%20a%20client%20is%20offline%20and%20can't%20yet%20get%20the%20client%20gpo%20to%20set%20required%20signing%20-%20how%20in%20the%20world%20can%20it%20talk%20with%20a%20DC%20to%20get%20group%20policy%20to%20get%20the%20right%20setting%3F%20Is%20there%20some%20sort%20of%20special%20logic%20happening%20on%20a%20DC%20that%20allows%20a%20client%20to%20check%2Fupdate%20group%20policy%20even%20if%20it%20isn't%20meeting%20the%20signing%20requirements%3F%3F%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-990210%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-990210%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20happens%20if%20the%20clients%20receive%20the%20January%202020%20update%20before%20the%20domain%20controllers%20do%3F%20In%20other%20words%2C%20the%20DCs%20have%20a%20Registry%20entry%20of%200%20or%20no%20entry%20at%20all.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-991118%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-991118%22%20slang%3D%22en-US%22%3E%3CDIV%3ET%3CFONT%3Ehanks%20for%20this%20clarification!%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EAs%20i%20understand%2C%20this%20should%20work%20for%20good%20Compatibility%3A%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EBefore%20January%202020%20Update%3A%3CBR%20%2F%3E-%20Install%20all%20required%20Updates%3CBR%20%2F%3E-%20All%20DCs%3A%20Reg%20Add%20HKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5CNTDS%5CDiagnostics%20%2Fv%20%2216%20LDAP%20Interface%20Events%22%20%2Ft%20REG_DWORD%20%2Fd%202%3CBR%20%2F%3E-%20All%20DCs%3A%20Monitor%202887%20and%202889%20Events%3CBR%20%2F%3E-%20All%20DCs%3A%20LDAP%20Channel%20Binding%20%3D%201%3CBR%20%2F%3E-%20Group%20Policy%20(Domain%20Level)%3A%20Network%20security%3A%20LDAP%20client%20signing%20requirements%3A%20Require%3CBR%20%2F%3E-%20Group%20Policy%20(Domaincontrollers)%3A%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20None%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EAbout%20Domain%20controller%20signing%3A%3CBR%20%2F%3ENone%3A%20Data%20signing%20is%20not%20required%20in%20order%20to%20bind%20with%20the%20server.%20If%20the%20client%20requests%20data%20signing%2C%20the%20server%20supports%20it.%3CBR%20%2F%3ERequire%20signature%3A%20Unless%20TLS%5CSSL%20is%20being%20used%2C%20the%20LDAP%20data%20signing%20option%20must%20be%20negotiated.%3CBR%20%2F%3ECaution%3CBR%20%2F%3EIf%20you%20set%20the%20server%20to%20Require%20Signature%2C%20you%20must%20also%20set%20the%20client.%20Not%20setting%20the%20client%20results%20in%20loss%20of%20connection%20with%20the%20server.%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EAfter%20January%202020%20Update%3A%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20Require%20(from%20Update)%3CBR%20%2F%3E-%20All%20DCs%3A%20LDAP%20Channel%20Binding%20%3D%201%20(from%20Update)%3CBR%20%2F%3E-%20All%20DCs%3A%20Monitor%202888%20Events%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EIf%20Problems%3A%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20None%3CBR%20%2F%3E-%20All%20DCs%3A%20Monitor%202887%20and%202889%20Events%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CFONT%3EIf%20all%20should%20be%20good%3A%3CBR%20%2F%3E-%20Network%20security%3A%20LDAP%20client%20signing%20requirements%3A%20Require%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20Require%3CBR%20%2F%3E-%20LDAP%20Channel%20Binding%20%3D%202%3C%2FFONT%3E%3C%2FDIV%3E%3CDIV%3E%3CFONT%3E%3CBR%20%2F%3EOther%20suggestions%3F%3C%2FFONT%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992017%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992017%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20(for%20sure)%20if%20there%20will%20be%20the%20option%20to%20keep%20the%20enforcment%20disabled%20after%20the%20January%20patch%3F%3C%2FP%3E%3CP%3EIf%20yes%2C%20then%20please%20provide%20source..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992147%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992147%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Contributor%20lia-component-message-view-widget-author-username%22%3E%40%3CA%20id%3D%22link_26%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F365532%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3Eajm-b%3C%2FSPAN%3E%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CP%3E%3CSTRONG%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20security%20setting%20determines%20whether%20the%20LDAP%20server%20requires%20signing%20to%20be%20negotiated%20with%20LDAP%20clients%2C%20as%20follows%3A%3C%2FP%3E%0A%3CP%3ENone%3A%20Data%20signing%20is%20not%20required%20in%20order%20to%20bind%20with%20the%20server.%20If%20the%20client%20requests%20data%20signing%2C%20the%20server%20supports%20it.%3CBR%20%2F%3ERequire%20signature%3A%20Unless%20TLS%5CSSL%20is%20being%20used%2C%20the%20LDAP%20data%20signing%20option%20must%20be%20negotiated.%3C%2FP%3E%0A%3CP%3EDefault%3A%20This%20policy%20is%20not%20defined%2C%20which%20has%20the%20same%20effect%20as%20None.%3C%2FP%3E%0A%3CP%3ECaution%3C%2FP%3E%0A%3CP%3EIf%20you%20set%20the%20server%20to%20Require%20Signature%2C%20you%20must%20also%20set%20the%20client.%20Not%20setting%20the%20client%20results%20in%20loss%20of%20connection%20with%20the%20server.%3C%2FP%3E%0A%3CP%3ENotes%3C%2FP%3E%0A%3CP%3EThis%20setting%20does%20not%20have%20any%20impact%20on%20LDAP%20simple%20bind%20or%20LDAP%20simple%20bind%20through%20SSL.%20No%20Microsoft%20LDAP%20clients%20that%20are%20shipped%20with%20Windows%20XP%20Professional%20use%20LDAP%20simple%20bind%20or%20LDAP%20simple%20bind%20through%20SSL%20to%20talk%20to%20a%20domain%20controller.%3CBR%20%2F%3EIf%20signing%20is%20required%2C%20then%20LDAP%20simple%20bind%20and%20LDAP%20simple%20bind%20through%20SSL%20requests%20are%20rejected.%20No%20Microsoft%20LDAP%20clients%20running%20Windows%20XP%20Professional%20or%20the%20Windows%20Server%202003%20family%20use%20LDAP%20simple%20bind%20or%20LDAP%20simple%20bind%20through%20SSL%20to%20bind%20to%20directory%20service%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENetwork%20security%3A%20LDAP%20client%20signing%20requirements%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20security%20setting%20determines%20the%20level%20of%20data%20signing%20that%20is%20requested%20on%20behalf%20of%20clients%20issuing%20LDAP%20BIND%20requests%2C%20as%20follows%3A%3C%2FP%3E%0A%3CP%3ENone%3A%20The%20LDAP%20BIND%20request%20is%20issued%20with%20the%20options%20that%20are%20specified%20by%20the%20caller.%3CBR%20%2F%3ENegotiate%20signing%3A%20If%20Transport%20Layer%20Security%2FSecure%20Sockets%20Layer%20(TLS%5CSSL)%20has%20not%20been%20started%2C%20the%20LDAP%20BIND%20request%20is%20initiated%20with%20the%20LDAP%20data%20signing%20option%20set%20in%20addition%20to%20the%20options%20specified%20by%20the%20caller.%20If%20TLS%5CSSL%20has%20been%20started%2C%20the%20LDAP%20BIND%20request%20is%20initiated%20with%20the%20options%20that%20are%20specified%20by%20the%20caller.%3CBR%20%2F%3ERequire%20signature%3A%20This%20is%20the%20same%20as%20Negotiate%20signing.%20However%2C%20if%20the%20LDAP%20server's%20intermediate%20saslBindInProgress%20response%20does%20not%20indicate%20that%20LDAP%20traffic%20signing%20is%20required%2C%20the%20caller%20is%20told%20that%20the%20LDAP%20BIND%20command%20request%20failed.%3C%2FP%3E%0A%3CP%3ECaution%3C%2FP%3E%0A%3CP%3EIf%20you%20set%20the%20server%20to%20Require%20signature%2C%20you%20must%20also%20set%20the%20client.%20Not%20setting%20the%20client%20results%20in%20a%20loss%20of%20connection%20with%20the%20server.%3C%2FP%3E%0A%3CP%3ENote%3A%20This%20setting%20does%20not%20have%20any%20impact%20on%20ldap_simple_bind%20or%20ldap_simple_bind_s.%20No%20Microsoft%20LDAP%20clients%20that%20are%20shipped%20with%20Windows%20XP%20Professional%20use%20ldap_simple_bind%20or%20ldap_simple_bind_s%20to%20talk%20to%20a%20domain%20controller.%3C%2FP%3E%0A%3CP%3EDefault%3A%20Negotiate%20signing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992173%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992173%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F450058%22%20target%3D%22_blank%22%3E%40harle22%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%3C%2FA%3E%3C%2FP%3E%0A%3CP%3Enot%20recommended%20but%20you%20could%20revert%20to%20legacy%20values%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992196%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992196%22%20slang%3D%22en-US%22%3E%3CP%3E%40%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CA%20id%3D%22link_30%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449629%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3EGflBE%3C%2FSPAN%3E%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3EI%20would%20say%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%3CSPAN%3E%3CSTRONG%3EBefore%3C%2FSTRONG%3E%20January%202020%20Update%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20Install%20all%20required%20Updates%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20All%20DCs%3A%20Reg%20Add%20HKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5CNTDS%5CDiagnostics%20%2Fv%20%2216%20LDAP%20Interface%20Events%22%20%2Ft%20REG_DWORD%20%2Fd%202%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20All%20DCs%3A%20Monitor%202887%20and%202889%20Events%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20All%20DCs%3A%20LDAP%20Channel%20Binding%20%3D%20%3CFONT%20color%3D%22%23FF0000%22%3E1%3C%2FFONT%3E%20(Before%20Jan%202020%20updates%20this%20setting%20is%200)%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20Group%20Policy%20(Domain%20Level)%3A%20Network%20security%3A%20LDAP%20client%20signing%20requirements%3A%20%3CFONT%20color%3D%22%23FF0000%22%3ENone%20%3CFONT%20color%3D%22%23000000%22%3E(Before%20Jan%202020%20updates%20this%20setting%20is%20Negotiate%20Signing)%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E-%20Group%20Policy%20(Domaincontrollers)%3A%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20None%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%3CFONT%3EAfter%20January%202020%20Update%3A%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20Require%20(from%20Update)%3CBR%20%2F%3E-%20All%20DCs%3A%20LDAP%20Channel%20Binding%20%3D%201%20(from%20Update)%3CBR%20%2F%3E-%20All%20DCs%3A%20Monitor%202888%20Events%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%3EIf%20Problems%3A%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20None%3CBR%20%2F%3E-%20All%20DCs%3A%20Monitor%202887%20and%202889%20Events%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%3EIf%20all%20should%20be%20good%3A%3CBR%20%2F%3E-%20Network%20security%3A%20LDAP%20client%20signing%20requirements%3A%20Require%3CBR%20%2F%3E-%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%3A%20Require%3CBR%20%2F%3E-%20LDAP%20Channel%20Binding%20%3D%202%3C%2FFONT%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-992852%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-992852%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOkay%20i%20have%20already%20seen%20that%20article%20and%20the%20registry%20values%20to%20accept%20non%20signed%20ldap%20requests.%20But%20to%20me%20it%20was%20not%20definetly%20clear%20if%20this%20option%20will%20still%20be%20available%20after%20the%20January%20update.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20confirm%20that%20it%20will%20be%20possible%20after%20the%20january%20update%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-993051%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-993051%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F450058%22%20target%3D%22_blank%22%3E%40harle22%3C%2FA%3E%26nbsp%3Bchanges%20can%20be%20reverted%2C%20only%20changing%20default%20values%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-993385%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-993385%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20article%20and%20the%20conversation%20that%20it%20has%20started%20has%20been%20very%20helpful%2C%20so%20thanks%20for%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFortunately%20I%20have%20a%20copy%20of%20our%20AD%20in%20a%20sandboxed%20environment%20for%20testing.%20The%20downside%20is%20that%20I%20only%20have%20Windows%20Clients%20and%20no%20third%20party%20apps%20to%20test%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20couple%20of%20different%20points%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20In%20the%20test%20environment%2C%20I%20set%20LDAP%20Signing%20to%20be%20enforced%20on%20the%20Client%20side%20across%20the%20domain%20and%20set%20the%20DC%20GPO%20so%20that%20LDAP%20Signing%20is%20not%20required.%20This%20apparently%20did%20not%20cause%20any%20problems.%20It%20seems%20to%20contradict%20this%2C%20unless%20I'm%20misunderstanding%20it%3A%20%22Require%20signature%3A%20This%20is%20the%20same%20as%20Negotiate%20signing.%20However%2C%20if%20the%20LDAP%20server's%20intermediate%20saslBindInProgress%20response%20does%20not%20indicate%20that%20LDAP%20traffic%20signing%20is%20required%2C%20the%20caller%20is%20told%20that%20the%20LDAP%20BIND%20command%20request%20failed.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20This%20concerns%20me%3A%20%22If%20signing%20is%20required%2C%20then%20LDAP%20simple%20bind%20and%20%3CEM%3E%3CSTRONG%3ELDAP%20simple%20bind%20through%20SSL%3C%2FSTRONG%3E%3C%2FEM%3E%20requests%20are%20rejected.%20%22%20Is%20this%20correct%3F%20If%20so%2C%20we%20can%20forget%20about%203rd%20party%20apps%20that%20need%20to%20use%20AD%20authentication.%20They%20all%20seem%20to%20rely%20on%20simple%20bind%20over%20SSL%20for%20LDAP%20security.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-994402%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-994402%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2F989e0748-0953-455d-9d37-d08dfbf3998b%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESASL%20Authentication%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CFONT%3EActive%20Directory%20supports%20the%20optional%20use%20of%20integrity%20verification%20or%20encryption%20that%20is%20negotiated%20as%20part%20of%20the%20SASL%20authentication.%3CBR%20%2F%3EWhile%20Active%20Directory%20permits%20SASL%20binds%20to%20be%20performed%20on%20an%20SSL%2FTLS-protected%20connection%2C%20it%20does%20not%20permit%20the%20use%20of%20SASL-layer%20encryption%2Fintegrity%20verification%20mechanisms%20on%20such%20a%20connection.%3CBR%20%2F%3EWhile%20this%20restriction%20is%20present%20in%20Active%20Directory%20on%20Windows%202000%20Server%20operating%20system%20and%20later%2C%20versions%20prior%20to%20Windows%20Server%202008%20operating%20system%20can%20fail%20to%20reject%20an%20LDAP%20bind%3CBR%20%2F%3Ethat%20is%20requesting%20SASL-layer%20encryption%2Fintegrity%20verification%20mechanisms%20when%20that%20bind%20request%20is%20sent%20on%20a%20SSL%2FTLS-protected%20connection.%3C%2FFONT%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-994777%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-994777%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20confirm%20that%20it%20will%20be%20possible%20after%20the%20january%20update%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.realwebpoint.com%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EReal%20Web%20Point%3C%2FA%3E%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005206%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005206%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20The%20KB%E2%80%AF968389%20link%20doesn't%20work.%20Can%20you%20get%20this%20link%20corrected%20or%20point%20us%20to%20the%20correct%20verbiage%3F%20This%20is%20causing%20quite%20a%20bit%20of%20confusion%20of%20us%20as%20well.%20-Chad%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005748%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005748%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%20sorry%20for%20that!!%3C%2FP%3E%0A%3CP%3E2008%20x64%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D15109%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D15109%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20windows%20update%20catalog%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.catalog.update.microsoft.com%2FHome.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.catalog.update.microsoft.com%2FHome.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%20remember%20that%20Extended%20Support%20for%20%3CSTRONG%3E2008%20R2%20SP1%3C%2FSTRONG%3E%20and%20%3CSTRONG%3E2008%20SP2%3C%2FSTRONG%3E%2C%20will%20end%20on%26nbsp%3B%3CSPAN%3E1%2F14%2F2020%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESearch%20product%20lifecycle%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%20%40%26nbsp%3BPFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005752%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005752%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CA%20id%3D%22link_49%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451699%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3E%3C%2FSPAN%3E%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451699%22%20target%3D%22_blank%22%3E%40amjadalisial%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%26nbsp%3B%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3EYes%20it%20will%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006237%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006237%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20--%20Question%20about%20GPO's%20If%20LDAP%20Signing%20Group%20Polices%2FGPO's%20are%20currently%20enforcing%20%22Negotiate%20Signing%22%20for%20both%20Domain%20Controllers%20and%20Client%2FWorkstations.%20The%20January%20update%20would%20have%20no%20impact%20right%3F%20The%20update%20would%20essentially%20set%20it%20in%20the%20registry%20to%20%22Require%20Signing%22%20but%20once%20Group%20Policy%20refreshed%20it%20would%20revert%20back%20to%20what%20is%20set%20in%20Group%20Policy%2FGPO%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1007049%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1007049%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20our%20third%20party%20applications%20and%20our%20OSX%20member%20computers%20that%20use%20LDAP%20over%20SSL%20(port%20636)%2C%20will%20they%20continue%20to%20communicate%20successfully%20with%20the%20domain%20controllers%20set%20to%20Require%20Signing%3F%20It%20sounds%20like%20they%20will%20fail.%20In%20that%20case%20we'll%20never%20be%20able%20to%20set%20it%20to%20Require%20Signing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERelated%2C%20I%20assume%20that%20for%20Channel%20Binding%20as%20long%20as%20we%20leave%20the%20setting%20at%201%2C%20the%20third%20part%20apps%20will%20be%20okay%2C%20since%20that%20is%20leaving%20it%20unenforced.%20Is%20that%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008681%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008681%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%2C%20as%20I%20understand%20it%20%22Require%20Signing%22%20only%20has%20to%20do%20with%20non-TLS%20389%2C%20it%20doesn't%20come%20into%20play%20with%20636%20binds.%20We%20have%20plenty%20of%20macs%20here%20-%20if%20you%20wanna%20hit%20me%20up%20in%20about%20a%20month%20I%20can%20probably%20tell%20you%20how%20it%20went.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008843%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008843%22%20slang%3D%22en-US%22%3E%3CP%3Eajm-b%2C%20yes%20that%20would%20be%20great.%20We'll%20be%20holding%20off%20on%20the%20domain%20controllers%20until%20February%20so%20I'll%20have%20some%20time.%20We%20do%20have%20a%20closed%20off%20test%20network%20and%20we%20may%20be%20able%20to%20test%20some%20Macs%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20too%20much%20about%20Macs%20and%20I'm%20never%20one%20who%20joins%20them%20to%20the%20domain%2C%20but%20I%20had%20been%20under%20the%20impression%20that%20they%20did%20use%20port%20636%20by%20default.%20It%20wasn't%20until%20I%20increased%20the%20LDAP%20logging%20to%20%222%22%20that%20I%20saw%20how%20many%20of%20them%20were%20using%20389.%20I'm%20not%20sure%20why%2C%20but%20you%20may%20want%20to%20do%20the%20same.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20said%2C%20I%20just%20found%20an%20article%20that%20allays%20the%20confusion%20which%20prompted%20me%20to%20ask%20the%20question%20in%20the%20first%20place%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fsetspn.blogspot.com%2F2016%2F09%2Fdomain-controller-ldap-server-signing.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fsetspn.blogspot.com%2F2016%2F09%2Fdomain-controller-ldap-server-signing.html%3C%2FA%3E%3C%2FP%3E%3CP%3EAs%20the%20article%20says%2C%20there%20is%20bad%20wording%20in%20the%20MS%20article%3A%20%22If%20signing%20is%20required%2C%20then%20LDAP%20simple%20bind%20and%20%3CEM%3E%3CSTRONG%3ELDAP%20simple%20bind%20through%20SSL%3C%2FSTRONG%3E%3C%2FEM%3E%20requests%20are%20rejected.%22%20So%20I%20know%20from%20what%20it%20says%20in%20this%20Blogspot%20post%2C%20that%20LDAP%20over%20SSL%2FTLS%20should%20continue%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1009745%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1009745%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20find%20a%20Mac%20that%20I%20put%20in%20our%20isolated%20test%20network.%20In%20that%20environment%2C%20I%20set%20the%20DC%20GPO%20for%20%22Domain%20Controller%3A%20require%20signing%22%2C%20the%20domain%20GPO%20to%20%22Network%20Client%3A%20require%20signing%22.%20On%20the%20DC%20GPO%20I%20created%20the%20Registry%20entry%20for%20%22%3CFONT%3ELDAP%20Channel%20Binding%20%3D%201%22.%20I%20successfully%20tested%20using%20LDP%20to%20make%20sure%20simple%20binds%20over%20389%20would%20fail%20and%20over%20636%20using%20SSL%20would%20succeed.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI%20had%20no%20problem%20joining%20the%20Mac%20(Mavericks%2C%20a%20fairly%20old%20OSX%20version)%20to%20the%20domain.%20I%20don't%20see%20an%20option%20for%20using%20secure%20LDAP%20or%20not%2C%20so%20it%20obviously%20used%20secure%20LDAP%20or%20it%20would%20have%20failed.%20Just%20wanted%20to%20get%20this%20out%20there%20for%20anyone%20who%20was%20concerned%20like%20me.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI%20still%20don't%20understand%20why%20a%20bunch%20of%20Macs%20are%20using%20non%20secure%20LDAP%2C%20but%20that's%20our%20problem%20to%20correct.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hi All, Alan here again, this time trying to give some details on these two settings that will become active from January 2020 and they are creating some misunderstandings. 

Let’s start saying that since Windows Server 2008 we have events 2886,2887,2888 and 2889 logged every 24 hours on the Directory Services log that tells us we are using these unsecure protocols 

Logging is our friend: 

 

2886 Telling us that our DCs are not requiring LDAP signing 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

 

 

2887 Telling us how many such binds occurred 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. Number of simple binds performed without SSL/TLS: "Value" Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: "Value" 

The suggested path to resolve this error is do modify the registry of the DC to allow it log those failures. 

Registry to add: 

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 

………………….. 

Once the registry key "16 LDAP Interface Events" is configured we will have event 2889 telling us who is using this type of unsecure protocol 

 

2889 will tell us the IP Address of the client connecting with this type of protocols 

 

2888 If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur. 

 

Once we know who is using these types of Unsecure Protocols we should consider disabling them before they will be enforced by January 2020 updates. This should be done on Clients, Servers and DCs side. 

The security bulletin states the following: 

LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities. 

This advisory addresses the issue by recommending a new set of safe default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers that supersedes the original unsafe configuration. 

 

https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-e...

value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.

value: 1 indicates enabled, when supported [......] This is an intermediate option that allows for application compatibility.

value: indicates enabled, always (All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so)

 

 

Also ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signinghttps://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 

Very importantYou need to have this CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs 

 

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability (REQUIRED) 

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections. 

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled. 

 

Main thing to point out is which values will these settings have once the January 2020 update rolls out.

 

Here they are:  

 

  • LDAP Channel Binding = 1 

AD - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters 

ADLDS - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters 

value:1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility. 

 

  • LDAP Server Integrity (signing) = enabled by default 

https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 

I want to note that this article shows two sections related to server and client, that need to be configured: 

- How to set the server LDAP signing requirement 

- How to set the client LDAP signing requirement through a domain Group Policy Object 

 

Important Notes  

- Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled. 

- The LdapEnforceChannelBindings registry entry must be explicitly created.  

- LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change. 

 
To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. 
 
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero). 

Windows Server 2008 and older systems require that Microsoft Security Advisory 973811, available in “KB 968389 Extended Protection for Authentication”, be installed before installing CVE-2017-8563. If you install CVE-2017-8563 without KB 968389 on a Domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 - LDAP_SERVER_DOWN. In addition, we strongly recommended that you also review and install the fixes documented in the Known Issues section of KB 968389. 

 

Summarizing 

Summarizing a little this long article we can state the following: 

  1. Directory Services Log is our friend: Event IDs 2886,2887,2888,2889 
  2. On Clients we need to have as a prerequisite CVE-2017-8563 “Extended Protection for Authentication” before we enable LDAP CBT and LDAP Signing 

If we don’t want to wait for the January 2020 update 

  1. Enable LdapEnforceChannelBinding = 1  
  2. Enable GPO LDAP Server Signing  
    • DC = Domain controller: LDAP server signing requirements = Require Signing 
    • Servers/Clients = Network security: LDAP client signing requirements Properties = Require Signing 

 

Hope this helps understanding how these settings work and how they will be configured after the January 2020 update, which can affect your LDAP Authentication if you don’t make any changes. 

 

 

Regards to All 

 

Alan @ PFE 

20 Comments
Occasional Contributor
Could someone PLEASE help me understand something? If I set the server to require signing, but a client is offline and can't yet get the client gpo to set required signing - how in the world can it talk with a DC to get group policy to get the right setting? Is there some sort of special logic happening on a DC that allows a client to check/update group policy even if it isn't meeting the signing requirements???
Frequent Visitor

What happens if the clients receive the January 2020 update before the domain controllers do? In other words, the DCs have a Registry entry of 0 or no entry at all.

Occasional Visitor
Thanks for this clarification!
As i understand, this should work for good Compatibility:
Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1
- Group Policy (Domain Level): Network security: LDAP client signing requirements: Require
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None
About Domain controller signing:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.
 
After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Other suggestions?
Occasional Visitor

Does anyone know (for sure) if there will be the option to keep the enforcment disabled after the January patch?

If yes, then please provide source..

Microsoft
@ajm-b  

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service

 

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

Microsoft
Microsoft

@GflBE

I would say

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
- Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None

 

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2
Occasional Visitor

@Alan La Pietra 

Okay i have already seen that article and the registry values to accept non signed ldap requests. But to me it was not definetly clear if this option will still be available after the January update.

 

Can you confirm that it will be possible after the january update?

 

Thanks in advance!

Microsoft

@harle22 changes can be reverted, only changing default values

 

Frequent Visitor

This article and the conversation that it has started has been very helpful, so thanks for that.

 

Fortunately I have a copy of our AD in a sandboxed environment for testing. The downside is that I only have Windows Clients and no third party apps to test there.

 

A couple of different points:

 

- In the test environment, I set LDAP Signing to be enforced on the Client side across the domain and set the DC GPO so that LDAP Signing is not required. This apparently did not cause any problems. It seems to contradict this, unless I'm misunderstanding it: "Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed."

 

- This concerns me: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. " Is this correct? If so, we can forget about 3rd party apps that need to use AD authentication. They all seem to rely on simple bind over SSL for LDAP security.

Occasional Visitor

@CFS3RD 

 

SASL Authentication 

 

Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication.
While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.
While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind
that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.

Occasional Visitor

Can you confirm that it will be possible after the january update?

Real Web Point

Thanks in advance!

Regular Visitor
@Alan La Pietra The KB 968389 link doesn't work. Can you get this link corrected or point us to the correct verbiage? This is causing quite a bit of confusion of us as well. -Chad
Microsoft

@ChadWst sorry for that!!

2008 x64: https://www.microsoft.com/en-us/download/details.aspx?id=15109 

Check windows update catalog here: https://www.catalog.update.microsoft.com/Home.aspx

 

Also remember that Extended Support for 2008 R2 SP1 and 2008 SP2, will end on 1/14/2020

Search product lifecycle: https://support.microsoft.com/en-us/lifecycle/search?alpha=windows%20server%202008

 

Regards

 

Alan @ PFE

Microsoft
 
 
 
   
Yes it will

 

Regular Visitor
@Alan La Pietra -- Question about GPO's If LDAP Signing Group Polices/GPO's are currently enforcing "Negotiate Signing" for both Domain Controllers and Client/Workstations. The January update would have no impact right? The update would essentially set it in the registry to "Require Signing" but once Group Policy refreshed it would revert back to what is set in Group Policy/GPO?
Frequent Visitor

For our third party applications and our OSX member computers that use LDAP over SSL (port 636), will they continue to communicate successfully with the domain controllers set to Require Signing? It sounds like they will fail. In that case we'll never be able to set it to Require Signing.

 

Related, I assume that for Channel Binding as long as we leave the setting at 1, the third part apps will be okay, since that is leaving it unenforced. Is that correct?

Occasional Contributor
@CFS3RD, as I understand it "Require Signing" only has to do with non-TLS 389, it doesn't come into play with 636 binds. We have plenty of macs here - if you wanna hit me up in about a month I can probably tell you how it went.
Frequent Visitor

ajm-b, yes that would be great. We'll be holding off on the domain controllers until February so I'll have some time. We do have a closed off test network and we may be able to test some Macs there.

 

I don't know too much about Macs and I'm never one who joins them to the domain, but I had been under the impression that they did use port 636 by default. It wasn't until I increased the LDAP logging to "2" that I saw how many of them were using 389. I'm not sure why, but you may want to do the same.

 

That said, I just found an article that allays the confusion which prompted me to ask the question in the first place:

http://setspn.blogspot.com/2016/09/domain-controller-ldap-server-signing.html

As the article says, there is bad wording in the MS article: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." So I know from what it says in this Blogspot post, that LDAP over SSL/TLS should continue to work.

 

Frequent Visitor

I was able to find a Mac that I put in our isolated test network. In that environment, I set the DC GPO for "Domain Controller: require signing", the domain GPO to "Network Client: require signing". On the DC GPO I created the Registry entry for "LDAP Channel Binding = 1". I successfully tested using LDP to make sure simple binds over 389 would fail and over 636 using SSL would succeed.

 

I had no problem joining the Mac (Mavericks, a fairly old OSX version) to the domain. I don't see an option for using secure LDAP or not, so it obviously used secure LDAP or it would have failed. Just wanted to get this out there for anyone who was concerned like me.

 

I still don't understand why a bunch of Macs are using non secure LDAP, but that's our problem to correct.