First published on TECHNET on Jun 02, 2011
LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID 1220 is catching people's attention in the Directory Service Log or just that people are wanting the client to server LDAP communication encrypted. The quick summary of what this is all about is that when an LDAP client accesses an LDAP server, the information is transferred by default in clear text. The event warns IT Professionals of the potential for communications between clients and servers of being sniffed. Considering this issue, people often wonder if Active Directory replication is done in clear text and that is NOT the case. Active Directory replication uses Kerberos and so do client password changes. Therefore, you need not worry about full database sniffing during replication to a new domain controller or getting passwords when clients are changing their domain passwords. So, only when a client computer is querying an LDAP server [Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)/Active Directory Application Mode (ADAM)] the network communication is done in clear text unless you implement LDAP over SSL. An article on how to implement LDAP over SSL is posted to the TechNet Wiki and when it is fleshed out to an appropriate degree it will be imported into the TechNet Library (and noted on the TechNet Wiki article).
I've tried to respond to the comment below multiple times, but my replies are not getting posted for some reason. I have already updated the article on the TechNet Wiki to discuss these items, but it makes sense to also address them here briefly.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.