Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Could someone PLEASE help me understand something? If I set the server to require signing, but a client is offline and can't yet get the client GPO to set required signing - how in the world can it talk with a DC to get group policy to get the right setting? Is there some sort of special logic happening on a DC that allows a client to check/update group policy even if it isn't meeting the signing requirements???

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

What happens if the clients receive the January 2020 update before the domain controllers do? In other words, the DCs have a Registry entry of 0 or no entry at all.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Thanks for this clarification!
As I understand, this should work for good compatibility:

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1
- Group Policy (Domain Level): Network security: LDAP client signing requirements: Require
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None

About Domain controller signing:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events

If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events

If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Other suggestions?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Does anyone know (for sure) if there will be the option to keep the enforcement disabled after the January patch?

If yes, then please provide source.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@ajm-b

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@harle22

https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

Not recommended, but you could revert to legacy values.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@GflBE

I would say

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
- Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events

If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events

If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra

Okay, I have already seen that article and the registry values to accept non-signed LDAP requests. But to me it was not definitely clear if this option will still be available after the January update.

Can you confirm that it will be possible after the January update?

Thanks in advance!

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@harle22 changes can be reverted, only changing default values

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

This article and the conversation that it has started has been very helpful, so thanks for that.

Fortunately I have a copy of our AD in a sandboxed environment for testing. The downside is that I only have Windows Clients and no third party apps to test there.

A couple of different points:

- In the test environment, I set LDAP Signing to be enforced on the Client side across the domain and set the DC GPO so that LDAP Signing is not required. This apparently did not cause any problems. It seems to contradict this, unless I'm misunderstanding it: "Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed."

- This concerns me: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." Is this correct? If so, we can forget about 3rd party apps that need to use AD authentication. They all seem to rely on simple bind over SSL for LDAP security.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@CFS3RD

SASL Authentication: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/989e0748-0953-455d-9d37-d08dfbf3998b

> Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication.
> While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.
> While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind
> that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Can you confirm that it will be possible after the January update?

https://www.realwebpoint.com/
noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener
%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noref
errer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EReal%20Web%20Point%3C%2FA%3E%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005206%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005206%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20The%20KB%E2%80%AF968389%20link%20doesn't%20work.%20Can%20you%20get%20this%20link%20corrected%20or%20point%20us%20to%20the%20correct%20verbiage%3F%20This%20is%20causing%20quite%20a%20bit%20of%20confusion%20of%20us%20as%20well.%20-Chad%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005748%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005748%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%20sorry%20for%20that!!%3C%2FP%3E%0A%3CP%3E2008%20x64%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D15109%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noo
pener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20
noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferr
er%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D15109%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20windows%20update%20catalog%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.catalog.update.microsoft.com%2FHome.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20no
opener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20norefer
rer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20no
opener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.catalog.update.microsoft.com%2FHome.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%20remember%20that%20Extended%20Support%20for%20%3CSTRONG%3E2008%20R2%20SP1%3C%2FSTRONG%3E%20and%20%3CSTRONG%3E2008%20SP2%3C%2FSTRONG%3E%2C%20will%20end%20on%26nbsp%3B%3CSPAN%3E1%2F14%2F2020%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESearch%20product%20lifecycle%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%
20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%20%40%26nbsp%3BPFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005752%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005752%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CA%20id%3D%22link_49%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451699%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3E%3C%2FSPAN%3E%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2
Fuser-id%2F451699%22%20target%3D%22_blank%22%3E%40amjadalisial%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%26nbsp%3B%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3EYes%20it%20will%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1007049%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1007049%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20our%20third%20party%20applications%20and%20our%20OSX%20member%20computers%20that%20use%20LDAP%20over%20SSL%20(port%20636)%2C%20will%20they%20continue%20to%20communicate%20successfully%20with%20the%20domain%20controllers%20set%20to%20Require%20Signing%3F%20It%20sounds%20like%20they%20will%20fail.%20In%20that%20case%20we'll%20never%20be%20able%20to%20set%20it%20to%20Require%20Signing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERelated%2C%20I%20assume%20that%20for%20Channel%20Binding%20as%20long%20as%20we%20leave%20the%20setting%20at%201%2C%20the%20third%20part%20apps%20will%20be%20okay%2C%20since%20that%20is%20leaving%20it%20unenforced.%20Is%20that%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008681%22%20slang%3
Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@CFS3RD, as I understand it "Require Signing" only has to do with non-TLS 389, it doesn't come into play with 636 binds. We have plenty of Macs here - if you wanna hit me up in about a month I can probably tell you how it went.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

ajm-b, yes that would be great. We'll be holding off on the domain controllers until February so I'll have some time. We do have a closed off test network and we may be able to test some Macs there.

I don't know too much about Macs and I'm never one who joins them to the domain, but I had been under the impression that they did use port 636 by default. It wasn't until I increased the LDAP logging to "2" that I saw how many of them were using 389. I'm not sure why, but you may want to do the same.

That said, I just found an article that allays the confusion which prompted me to ask the question in the first place:

http://setspn.blogspot.com/2016/09/domain-controller-ldap-server-signing.html

As the article says, there is bad wording in the MS article: "If signing is required, then LDAP simple bind and <EM><STRONG>LDAP simple bind through SSL</STRONG></EM> requests are rejected." So I know from what it says in this Blogspot post, that LDAP over SSL/TLS should continue to work.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

I was able to find a Mac that I put in our isolated test network. In that environment, I set the DC GPO for "Domain Controller: require signing", the domain GPO to "Network Client: require signing". On the DC GPO I created the Registry entry for "LDAP Channel Binding = 1". I successfully tested using LDP to make sure simple binds over 389 would fail and over 636 using SSL would succeed.

I had no problem joining the Mac (Mavericks, a fairly old OSX version) to the domain. I don't see an option for using secure LDAP or not, so it obviously used secure LDAP or it would have failed. Just wanted to get this out there for anyone who was concerned like me.

I still don't understand why a bunch of Macs are using non secure LDAP, but that's our problem to correct.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

You can use ldp.exe to quickly troubleshoot different settings. It helped me solve an issue with a Cisco appliance today.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra

Excellent article - thank you.

This may be asking something obvious but do the updates amend the value of Domain controller: LDAP server signing requirements in the Default Domain Controllers Policy?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Ricoli610

Correct

Signing Required

CBT = 1

You need to have "required" on both Domain Controller Policy and Domain Policy (or a policy that will apply to clients/servers).

Update will default to LDAP signing required on DDCP

Alan @ PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra -- I have a question related to the CVE-2017-8563. Would it be safe to assume that if we have been applying the Monthly Roll-up (not the Security-Only) since Oct 2016 to all of our systems, that this would include the update needed? -Chad

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@ChadWst

I assume you are correct, but you can double check.

Please review the following: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

Example "Windows 10 for 32-bit Systems" is contained in July 11, 2017 - KB4025338

Windows 10 for 32-bit Systems | 4025338 (https://support.microsoft.com/help/4025338) | https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4025338
20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20norefe
rrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecurity%20Update%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eor%20for%20%22Windows%20Server%202012%20R2%22%20-%26nbsp%3BKB4025333%3C%2FP%3E%0A%3CTABLE%20class%3D%22table%20table-bordered%20securityguidance-table%20m-y-1%20m-b-2%22%3E%0A%3CTBODY%20class%3D%22ng-scope%22%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3EWindows%20Server%202012%20R2%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F4025336%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%
20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4025336%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fcatalog.update.microsoft.com%2Fv7%2Fsite%2FSearch.aspx%3Fq%3DKB4025336%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20
noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferr
er%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noo
pener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMonthly%20Rollup%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3EElevation%20of%20Privilege%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3EImportant%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%3E%3CDIV%20class%3D%22ng-binding%22%3E4022726%3C%2FDIV%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F4025333%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer
%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noope
ner%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4025333%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fcatalog.update.microsoft.com%2Fv7%2Fsite%2FSearch.aspx%3Fq%3DKB4025333%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20norefer
rer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20no
opener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecurity%20Only%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006237%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006237%22%20slang%3D%22en-US%22%
3E
@Alan La Pietra -- Question about GPOs: if LDAP Signing GPOs are currently enforcing "Negotiate Signing" for Client/Workstations and LDAP Signing set to "None" for Domain Controllers

The January update would have no impact right? The update would essentially set it in the registry to "Require Signing" but once Group Policy refreshed it would revert back to what is set in GPO for example "Negotiate" for Clients and "None" for Domain Controllers.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Horrible article...

Does the update involve code updates?

Does the update merely set the registry keys?

Does the update update a GPO (you allude to this above but I find it hard to believe.. - maybe I deleted the Default Domain Controllers GPO.. changed its scope… the patching team DON'T have access to modify GPOs anyway... This is stupid on so many levels it has to not be the case)

Does the registry setting set by the patch (if that's all it does) override GPO registry settings (assuming the normal 'policies' folders are used for these types of GPOs..) which wins? What if there is a conflict?

Poorly explained and massive lack of fundamental information.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra If we set LDAP Channel Binding = 0 before the January update is deployed, will the update change the value from 0 to 1 or will customers need to come back after the update and reset it to =0 to disable it? Please advise and thank you!

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra -- Good catch on the future updates. I wasn't thinking that far in advance yet :) -- Speaking of updates. Do you anticipate these changes being in the Preview Updates?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@ChadWst sorry not aware of this yet

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Thanks very much!

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra -- Another follow-up to your response. Up till this point I have considered LDAP signing and LDAP CBT mutually exclusive. Is this accurate? For example, could we disable LDAP signing=REQUIRED and move forward with CBT = 1? These changes don't have to be done together right?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Adding some other information

Important to point out:

LDAP over TLS/SSL communications are already signed as TLS would detect any modification of the payload as it can't be decrypted. The behavior for LDAP simple binds and LDAP simple binds through SSL are as follows:

- LDAP simple binds are rejected if signing is required
- LDAP simple binds through SSL are allowed if signing is required as that satisfies the signing requirement

Another important aspect:

Turning off changes made by January 2020 updates

Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:

- LdapServerIntegrity = 0
- LdapEnforceChannelBinding = 0

The values can also be configured via Security Policies set via Group Policy (e.g. to automatically distribute the settings to all DCs):

- "Domain controller: LDAP server signing requirements"
- "Domain controller: LDAP server channel binding token requirements" (will only show up in the UI after installing the upcoming fix)

@ChadWst

CBT setting will be introduced by the update

You can separate the settings, having CBT=1 and Signing=0. They are two separate settings that you can configure via registry or GPO

Also if you download the latest SCT 1.0 (security compliance toolkit) https://www.microsoft.com/en-us/download/details.aspx?id=55319 you will find template "SecGuide.admx" and language file "SecGuide.adml" that you can import in your policies (Central Store or C:\Windows\PolicyDefinitions) and from which you can manage Extended Protection for LDAP.....(CBT)

Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909: https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server/ba-p/1023093

%3CH1%20class%3D%22message-subject%22%20id%3D%22toc-hId-12359414
36%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22
toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%20id%3D%22toc-hId-1235941436%22%3E%3CFONT%20size%3D%222%22%3E%3CSPAN%20class%3D%22lia-message-unread%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Security-Baselines%2FSecurity-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server%2Fba-p%2F1023093%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Security-Baselines%2FSecurity-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server%2Fba-p%2F1023093%3C%2FA%3E%3CA%20id%3D%22link_9%22%20class%3D%22page-link%20lia-link-navigation%20lia-custom-event%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Security-Baselines%2FSecurity-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server%2Fba-p%2F1023093%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%3C%2FA%3E%3C%2FSPAN%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FH1%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3EAlso%20one%20of%20the%20things%20to%20be%20aware%20of%20is%20that%20%22Require%20Signing%22%20may%20have%20an%20impact%20on%20third-party%20systems%20if%20you%20don't%20configure%20them%20correctly.%20Some%20examples%20that%20I'm%20thinking%20of%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3EPrinters%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3EStorage%20Area%20Networks%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3EThird%20party%20OSs%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3EAppliances%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3Eother%20Hardware%20that%20interacts%20with%20DCs%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3Eetc%20etc%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3ERegards%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3EAlan%26nbsp%3B%40%20PFE%3C%2FFONT%3E%3C%2FP%3E%0
A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1048144%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1048144%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%20for%20all%20the%20additional%20information%20and%20links.%3CBR%20%2F%3E%3CBR%20%2F%3EJust%20flagging%20up%20that%20I've%20tried%20changing%20the%20Domain%20controller%3A%20LDAP%20server%20signing%20requirements%20setting%20in%20the%20DDCP%20from%20None%20to%20Required%20and%20this%20changed%20the%20ldapserverintegrity%20registry%20entry%20from%201%20to%202%20(below%20HKLM%5CSystem%5CCurrentControlSet%5CServices%5CNTDS%5CParameters).%20Reverting%20the%20policy%20setting%20to%20None%20changed%20it%20back%20to%201.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1052957%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1052957%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F466611%22%20target%3D%22_blank%22%3E%40Ricoli610%3C%2FA%3E%3C%2FP%3E%3CP%3EMy%20tests%20confirm%20your%20remarks%3A%3C%2FP%3E%3CP%3EDC%3A%20LDAP%20server%20signing%20requirement%3A%20None%20(default)%20means%20%3CSPAN%3Eldapserverintegrity%20%3C%2FSPAN%3Eregistry%20value%201%3CBR%20%2F%3EDC%3A%20LDAP%20server%20signing%20requirement%3A%20Required%20means
%20%3CSPAN%3Eldapserverintegrity%20%3C%2FSPAN%3Eregistry%20value%202%3C%2FP%3E%3CP%3E(and%20not%200%20and%201%20as%20expected%2C%20which%20is%20confusing)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20would%20mean%20that%20the%20previous%20remark%20from%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20should%20be%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CEM%3E%3CFONT%20size%3D%223%22%3E%3CSTRONG%3ETurning%20off%20changes%20made%20by%20January%202020%20updates%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FEM%3E%3C%2FDIV%3E%3CBLOCKQUOTE%20dir%3D%22ltr%22%3E%3CDIV%3E%3CEM%3E%3CFONT%20size%3D%223%22%3ESeparate%20registry%20key%20settings%20exist%20for%20LDAP%20Signing%20and%20Channel%20Binding.%20Setting%20registry%20values%20to%20zero%20reverts%20the%20OS%20back%20to%20the%20previous%20defaults%3A%20%3C%2FFONT%3E%3C%2FEM%3E%3C%2FDIV%3E%3CUL%3E%3CLI%3E%3CEM%3E%3CFONT%20size%3D%223%22%3ELdapServerIntegrity%20%3D%20%3CU%3E%3CSTRONG%3E1%20(which%20means%20ldap%20server%20signing%20requirement%20none)%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FFONT%3E%3C%2FEM%3E%3C%2FLI%3E%3CLI%3E%3CEM%3E%3CFONT%20size%3D%223%22%3ELdapEnforceChannelBinding%20%3D%200%20(which%20means%20binding%20disabled)%3C%2FFONT%3E%3C%2FEM%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FBLOCKQUOTE%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20for%20confirming%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1054756%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1054756%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser
-id%2F425456%22%20target%3D%22_blank%22%3E%40romuel%3C%2FA%3E%20Great!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1060816%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1060816%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20those%20with%20Macs%2C%20it%20looks%20like%20they%20do%20not%20support%20CBT%20(Channel%20Binding%20Tokens)%20so%20it%20won't%20be%20possible%20to%20set%26nbsp%3B%3CEM%3E%3CFONT%20size%3D%223%22%3ELdapEnforceChannelBinding%26nbsp%3B%3C%2FFONT%3E%3C%2FEM%3E%3CFONT%20size%3D%223%22%3Eto%202%2C%20but%20it%20does%20work%20with%20it%20set%20to%201%20(Compatibility%20Mode).%26nbsp%3B%20%26nbsp%3BI'm%20guessing%20most%20people%20will%20have%20to%20stay%20in%20that%20mode%20anyway%2C%20due%20to%20an%20assortment%26nbsp%3Bof%203rd%20party%20things.%26nbsp%3B%20%26nbsp%3BThis%20was%20tested%20using%20the%20latest%20macOS%20(10.15)%20as%20well.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1061475%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1061475%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20there%20is%20a%20requirement%20to%20secure%20the%20binding%20with%20a%20certificate%2C%20either%20internal%20CA%20or%20third%20party%20CA%2C%20and%20the%20domain%20ends%20in%20.local%2C%20is%20it%20possible%20to%20obtain%20a%20certificate%20from%20a%20third%20party%20CA%20for%20a%20upn%20suffix%20that%20is%20available%20externally%20and%20use%20this%20instead%20to%20bind%20securely%3F%20Deploying%20an%20internal%20CA%20for%20many%20customers%20who%20have%20.local%20domains%20to%20allow%20successful%20ldap%20binds%20seems%20like%20an%20overkill.%20Thoughts%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20a%20thought%20-%20I%20think%20based%20on%20the%20
many%20comments%20and%20corrections%2C%20this%20article%20should%20be%20updated%20with%20clear%20instructions%20on%20the%20changes%20being%20made%2C%20how%20to%20enable%20such%20settings%20now%2C%20how%20to%20disable%20such%20settings%20when%20live%20etc.%20A%20lot%20of%20companies%20won't%20be%20ready%20for%20the%20January%20deadline%2C%20so%20a%20guide%20to%20ensuring%20smooth%20transition%20would%20be%20great.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1061626%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1061626%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20question%20here%2C%20according%20to%20the%202%20documents%20here%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20no
opener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20norefer
rer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELDAP%20channel%20binding%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferre
r%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noop
ener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20n
oreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELDAP%20signing%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3ECan%20I%20just%20follow%20one%20doc%20to%20make%20my%20communications%20between%20LDAP%20clients%20and%20Active%20Directory%20domain%20controllers%20more%20secure%3F%20Or%20I%20must%20configure%20both%20the%202%20to%20get%20this%20advantages.%20What's%20the%20different%20them%2C%20please%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E-Justin%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1062339%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1062339%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486041%22%20target%3D%22_blank%22%3E%40Justin_Shi%3C%2FA%3E%26nbsp%3BHi%20Justin%2C%20you%20can%20go%20with%20only%20one%20but%20to%20cover%20all%20security%20concerns%20related%20to%20this%20issue%20we%20recommend%20to%20change%20both.%20Also%20because%20the%20update%20will%20update%20both.%3C%2FP%3E%0A%3CP%20class%3D%22c-heading-3%20article-heading%20ng-binding%20ng-scope%22%20aria-level%3D%221%22%3E%3CFONT%20size%3D%223%22%3EChannel%20Binding%20Token%20info%20(was%20FAQ)%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Finternal.support.services.microsoft.com%2Fen-us%2Fhelp%2F2022970%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noo
pener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20
noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferr
https://internal.support.services.microsoft.com/en-us/help/2022970

Channel Binding for TLS (ietf): https://tools.ietf.org/html/draft-altman-tls-channel-bindings-07#page-6

CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563) introduces a registry setting that administrators can use to help make LDAP authentication over SSL/TLS more secure.

- Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.
- The LdapEnforceChannelBindings registry entry must be explicitly created.
- LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change.

Regards

Alan @ PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1044075)

@ChadWst The update will change to 1 in DDCpolicy. You will have to set back to 0.

After installing ADV190023 both settings (even None and Not Defined) will enforce Require Signature.
Only 0 (OFF) will not enforce Require Signature.

By the way with CBT=1 you shouldn't have issues, that's a sort of accept all. This is an intermediate option that allows for application compatibility.

Issue could arise with LDAP Signing=Require

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1068223)

Also, just as an example, once you have enabled auditing modifying registry key "16 LDAP Interface Events", you can use the following PowerShell to search every DC for EventID 2889 and list IP and Account

This is only an example (only the last 50 events will be listed, if you need more change the value in -maxevents)

    $DCs = Get-ADDomainController -Filter *
    foreach ($DC in $DCs)
    {
        Write-Host $DC.HostName
        # -MaxEvents 50 reads the newest 50 Directory Service events; the 2889 filter runs afterwards
        Get-WinEvent -ComputerName $DC.HostName -LogName "Directory Service" -MaxEvents 50 |
            Where-Object { $_.Id -eq 2889 } |
            ForEach-Object { Write-Output "$($_.TimeCreated): $($_.Properties[0].Value)=>$($_.Properties[1].Value)" }
    }

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1068485)

Thanks, the script is helpful.

I was confused as to why I saw no events listed on 4 of 5 DCs until I realized that (of course) the last 50 events are listed *before* filtering for Event ID 2889. If you have lots of other Directory Services events, the last 50 may not include any for Event ID 2889. Keep that in mind when running the script.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1068846)

@Alan La Pietra Do you know if the LDAP Signing registry keys are dynamic like the CBT keys?? Is a reboot required for those to take effect?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters LDAPServerIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters ldapclientintegrity

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070198)

@Alan La Pietra,

Please make it clearer in the article, that the table that explains behavior change is actually about "Domain controller: LDAP server signing requirements" GPO. It was not evident at all, until I read all other comments. Possibly, because GPO doesn't contain "OFF" setting.

Is it correct, that after this update, if we want to have at least 1 application not using LDAP Signing, we have to remove this GPO setting completely, and create a registry key with value "0", completely turning off LDAP Signing in whole domain, for all clients? If not, how do we enable one application not require LDAP signing (if it doesn't support LDAPS)?

Below is the description of the policy today. Why does it say that LDAP Simple Bind is not affected?

> Domain controller: LDAP server signing requirements
>
> This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
>
> None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
> Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
>
> Default: This policy is not defined, which has the same effect as None.
>
> Caution
>
> If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.
>
> Notes
>
> This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070310)

@Alan La Pietra If LDAPServerIntegrity = 0 on the Domain Controller side does the client side ldapclientintegrity need to be "0" as well or would "1" Negotiate still work? Thanks for the updated info and charts related to the "None" and "Not Defined" behavior. This helps for the customers that are working on plans to disabled. It might help to add some verbiage around the client side.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070331)

@ChadWst

LDAPServerIntegrity = 0 on the Domain Controller side, this will remain 0 when you install update (releasing in March 2020)

Client Side leave = 1 meaning "negotiate"

So to disable this LDAP Signing you have to set Domain Controller Policy to 0 (zero = OFF). This won't be touched by the March 2020 update or future updates. I want to point out that this is NOT Recommended obviously as you are leaving your environment not secure.

LDAP CBT is not a concern with March 2020 update. Leaving = 1 means "negotiate".

When possible, consider configuring CBT = 2 in order to ensure higher security for TLS as well

Alan @ PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070346)

@ChadWst

According to the help for Client Signing Requirements, Negotiate is the default.

That said, I have a GPO set for a few clients with Client Signing set to "2" (Require Signing) and I have no issues, even though the DCs are still set to None.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070349)

@Alan La Pietra -- Most definitely, the plan is to get these features enabled however we haven't had another lead time to get the logging enabled and run down the 1000's of LDAP client apps we have. It's definitely on our radar. A couple of followups
1 -- Are you hinting that the updates might be pushed to March (would look at the official Advisory for this soon)?
2 -- For LDAP Clients... The 2020 updates will NOT change the "Negotiate" to "Required"? or is it irrelevant if the DC/LDAP server side is set to "0"

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070355)

@CFS3RD -- That's what we have been testing but it looks like the behavior of "1" or "None" changes with the updates. Check out Alan's updates in the main part of the thread.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070515)

@ChadWst

The change in behavior that I see is in regards to Not Defined and None changing from the current Off to Required once the patch is released. (I believe this applies to both Server and Client side.) That is definitely important information to have, but it seems as though I'm simulating the changes that you asked about. In fact, I'm going beyond that by setting the clients to 2 and leaving the DCs at 1. After the patch, this apparently will need to be changed to 0 on the DCs. That seems to be the only thing I would have to do in order to be in the same state as my current test scenario.

Let me know if I'm missing something, as I'm simply trying to understand this myself.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070451)

Hello @Alan La Pietra

The policy "Domain controller: LDAP server signing requirements" contains only settings "None" and "Require Signing". So if we need to set the policy to OFF, one of the ways would be to set this setting in Group Policy to "Not Defined" and then specify the registry key in GP Preferences, with value 0?

What is the effect when LDAPServerIntegrity=0, if Client is configured to Require Signing? Will they not be able to communicate, or will Domain Controller accept signed traffic, even if signing is OFF?

Current description of this policy says that "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL." It would be nice if the description is corrected to match the information you provided.

Have my previous comments been deleted for the red text, highlighting wrong description on GPO? Wow!

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070541)

@CFS3RD -- I think we all are :) Basically you're saying as long as it's off on the DC side, it doesn't matter what the client side is right?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates (id 1070598)

That's my take. For the time being, if your DCs are set to "None" in their GPO and if you set a test workstation GPO to Required, that will be a legitimate test, as far as I can tell.

Of course, t
his%20brings%20up%20at%20least%20one%20more%20question.....Will%20there%20be%20additional%20settings%20in%20the%20GP%20Editor%20after%20the%20patch%3F%20Or%20will%20it%20require%20a%20Registry%20setting%20in%20Group%20Policy%20Preferences%2C%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%20mentioned%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071111%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071111%22%20slang%3D%22en-US%22%3EIt%20looks%20like%20the%20official%20advisory%20has%20been%20updated%20to%20March%202020%20now.%20--%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071555%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071555%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%2
2%3E%40RossUA%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20policy%20%22%3C%2FSPAN%3E%3CEM%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%22%3C%2FEM%3E%3CSPAN%3E%26nbsp%3Bcontains%20only%20settings%20%22None%22%20and%20%22Require%20Signing%22%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIf%20you%20need%20to%20set%20the%20policy%20to%20OFF%20you%20need%20to%20modify%20registry%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20registry%20there%20are%202%20settings%20for%20Ldap%20Signing%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDomain%20Controller%20side%20%3A%26nbsp%3BHKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5C%3CSTRONG%3ENTDS%3C%2FSTRONG%3E%5CParameters%26nbsp%3B%3CSTRONG%3E%26nbsp%3B--%26gt%3B%20LDAPServerIntegrity%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E%3D%200%20--%26gt%3B%20THIS%20means%20OFF%2C%20only%20ZERO%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EClient%2Fserver%20side%20%3A%26nbsp%3BHKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5C%3CSTRONG%3ELDAP%5C%3C%2FSTRONG%3EParameters%26nbsp%3B%3CSTRONG%3E%26nbsp%3B--%26gt%3B%20LDAPServerIntegrity%3D%201%20--%26gt%3B%20DON'T%20TOUCH%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%3C%2FP%3E%0A%3CP%3EZERO%20wont%20be%20changed%3C%2FP%3E%0A%3CP%3EONE%20will%20change%20to%20Required%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDon't%20go%20through%20the%20description%20in%20the%20policy%2C%20very%20confusing.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071610%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3
A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20it%20is%20possible%20at%20all%2C%20I%20would%20really%20ask%20you%20to%20reconsider%20changing%20behaviour%20of%20ONE.%20Because%20this%20behaviour%20change%20will%20be%20disruptive%20for%2095%25%20of%20companies%20using%20AD%2C%20which%20is%20bigger%20than%20300%20people.%20Corporate%20IT%20people%20usually%20don't%20have%20competence%20to%20look%20that%20deep%20into%20AD%2C%20while%20bigger%20companies%20will%20have%20no%20option%2C%20rather%20than%20to%20turn%20off%20LDAP%20Signing%20completely%2C%20as%20the%20risk%20is%20too%20high%20(edit%3A%20because%20of%20the%20large%20amount%20of%203rd%20party%20applications).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPreparing%20for%20this%20change%20properly%20(Setting%20Domain%20Controller%20to%20Require%20Signing%20in%20advance%20with%20a%20controlled%20change)%2C%20monitoring%20unsigned%20LDAP%2C%20reconfiguring%20applications%20to%20use%20LDAP%20SSL%20for%20all%20our%20clients%20would%20probably%20take%205%20months%2C%20if%20we%20have%20good%20manning.%20It's%20going%20to%20cost%20millions%20of%20USD%20for%20large%20or%20medium%20service%20providers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072071%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072071%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20all%20of%20our%20LDAP%20clients%20are%20already%20using%20LDAPS%20(port%20636)%2C%20does%20this%20still%20apply%3F%3F%3C%2FP%3E%3CP%3EOr%20is%20all%20of%20this%20only%20necessary%20if%20you%20have%20basic%20LDAP%20clients%20(port%20389)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072110%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20
and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072110%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F492744%22%20target%3D%22_blank%22%3E%40graberj%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162321i9ADF406945D6C21D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%2
0noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopene
r%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070638%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070638%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofil
epage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%20%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpdate%3A%20I'm%20terribly%20sorry%2C%20but%20my%20test%20was%20wrong%2C%20as%20it%20was%20something%20wrong%20with%20the%20test%20server%2C%20before%20I%20started.%20Another%20server%20doesn't%20exhibit%20same%20issues.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRIKE%3EI%20just%20made%20a%20test%2C%20setting%20LdapServerIntegrity%20on%20Domain%20Controllers%20to%200%20and%20setting%20one%20of%20the%20client%20to%20%22Require%20Integrity%22.%20As%20a%20result%2C%20I%20get%20Event%20ID%201216%20on%20DC%3A%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3EInternal%20event%3A%20An%20LDAP%20client%20connection%20was%20closed%20because%20of%20an%20error.%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRIKE%3EClient%20IP%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3Exxx.xxx.xxx.xxx%3A55041%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRIKE%3EAdditional%20Data%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3EError%20value%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3E1236%20The%20network%20connection%20was%20aborted%20by%20the%20local%20system.%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3EInternal%20ID%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3Ec060420%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3EAfter%20restart%20on%20the%20client%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3ENetlogon%20EVENT%20ID%203210%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3EThis%20computer%20could%20not%20authenticate%20with%20%5C%5C%3CDC%20fqdn%3D%22%22%3E%2C%20a%20Windows%20domain%20controller%20for%20domain%20%3CDOMAIN%20name%3D%22%22%3E%2C%20and%20therefore%20this%20computer%20might%20deny%20logon%20requests.%20Th
is%20inability%20to%20authenticate%20might%20be%20caused%20by%20another%20computer%20on%20the%20same%20network%20using%20the%20same%20name%20or%20the%20password%20for%20this%20computer%20account%20is%20not%20recognized.%20If%20this%20message%20appears%20again%2C%20contact%20your%20system%20administrator.%3C%2FDOMAIN%3E%3C%2FDC%3E%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3ESo%20that%20means%2C%20if%20Microsoft%20doesn't%20change%20behaviour%20of%20the%20%22OFF%22%20setting%2C%20we%20will%20have%20to%20turn%20off%20LDAP%20Signing%20for%20the%20whole%20domain%2C%20if%20we%20have%20even%20a%20single%20client%2C%20not%20supporting%20it.%20We%20will%20have%20to%20make%20sure%20all%20clients%20are%20configured%20to%20Negotiate%20signing%20also.%20Furthermore%2C%20we%20will%20have%20to%20do%20it%20before%20the%20update%2C%20otherwise%20systems%20will%20stop%20working%2C%20like%20VPN%2C%20Proxy%2C%20NAS%2C%20Linux%20systems%2C%20Network%20appliances%20and%20other%20stuff%2C%20like%20Java%20plug-ins%20connecting%20to%20AD.%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3EAwesome%20Christmas%20present%2C%20thank%20you%2C%20Microsoft!%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072163%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072163%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%2C%20but%20I%20don't%20understand%20that%20chart.%26nbsp%3B%20There%20are%20check%20marks%20under%20both%20columns%20which%20seems%20contradictory.%26nbsp%3B%20Can%20you%20just%20respond%20to%20my%20questions%20with%20specific%20answers%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072220%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Update
s%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072220%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%20%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20previous%20post%20with%20test%20results%20was%20wrong%2C%20I%20selected%20a%20test%20server%20which%20had%20some%20issues.%20Sorry%20for%20misleading.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20repeat%20the%20test%20with%20another%20server%20and%20it%20looks%20like%2C%20the%20behaviour%20of%20%3CSPAN%3E%3CSTRONG%3ELDAPServerIntegrity%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E%3D%200%3C%2FSTRONG%3E%3C%2FSPAN%3E%20is%20actually%20%22%3CSTRONG%3ENegotiate%3C%2FSTRONG%3E%22%20and%20not%20%22Disable%22.%20So%20if%20we%20set%20it%20to%200%20before%20the%20update%20arrives%2C%20there%20should%20be%20no%20consequence%20for%20the%20environment%2C%20after%20update.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20%2C%20could%20you%20please%20confirm%20that%20this%20is%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096556%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofil
epage%2Fuser-id%2F263812%22%20target%3D%22_blank%22%3E%40knppdmnq%3C%2FA%3E%26nbsp%3Bremember%20that%20the%20only%20way%20to%20disable%20LDAP%20Signing%20%22before%22%20installing%20March%20or%20later%20updates%2C%20is%20to%20set%20registry%20key%20%3D%200%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELDAPServerIntegrity%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3D%200%20%3C%2FSTRONG%3E(obviously%20not%20recommended)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096608%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096608%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F263812%22%20target%3D%22_blank%22%3E%40knppdmnq%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EInitial%20article%20was%20updated%20with%20information%20that%20%3CFONT%20face%3D%22Calibri%22%3E%22LDAP%20server%20signing%20requirements%22%20set%20to%20%22None%22%3C%2FFONT%3E%20will%20effectively%20become%20%22Require%20Signing%22%20after%20the%20update.%20So%20in%20order%20to%20keep%20%22negotiate%22%20behaviour%2C%20you%20have%20to%20set%20registry%20key%20LDAPServerIntegrity%26nbsp%3Bto%200%2C%20while%20%22none%22%20sets%20this%20key%20to%201.%3C%2FP%3E%3CP%3ESorry%2C%20just%20noticed%20Alan%20has%20already%20answered%20it%20while%20I%20was%20replying.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096898%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096898%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2F
techcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%26nbsp%3Bno%20problem%20thanks%20for%20answering%2C%20I'm%20glad%20to%20see%20how%20comments%20are%20helping%20others%2C%20GREAT!!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096907%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096907%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20all%20of%20our%20LDAP%20clients%20are%20already%20using%20LDAPS%20(port%20636)%2C%20does%20anything%20need%20to%20be%20changed%3F%3F%3C%2FP%3E%3CP%3EOr%20is%20all%20of%20this%20only%20necessary%20if%20you%20have%20basic%20LDAP%20clients%20(port%20389)%3F%3C%2FP%3E%3CP%3EThe%20chart%20in%20the%20docs%20don't%20really%20answer%20this%20question.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098427%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%26nbsp%3B%26lt%3B%26lt%3B%20So%20in%20order%20to%20keep%20%22negotiate%22%20behaviour%2C%20you%20have%20to%20set%20registry%20key%20LDAPServerIntegrity%26nbsp%3Bto%200%2C%20while%20%22none%22%20sets%20this%20key%20to%201.%26gt%3B%26gt%3B%3C%2FP%3E%3CP%3EYes%2C%20admins%20have%20to%20make%20sure%20that%20the%20negotiate%20behavior%20works%20until%20every%20application%20and%20all%20systems%20are%20reconfigured.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20March%202020%20update%2C%20the%3CSTRONG%3E%20operating%20system%20itself%3C
%2FSTRONG%3E%20will%20change%20the%20interpretation%20of%20the%20%22ldapserverintegrity%22%20registry%20key%20values%2C%20is%20that%20correct%20%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%2C%20you%20meant%20that%20the%20March%20update%20change%20the%20DDCP.%20This%20will%20not%20happen%20if%20the%20registry%20value%20for%20DCs%20is%20%220%22%2C%20is%20that%20correct%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EVia%20GPO%20the%20setting%20can%20be%20configured%20to%20%22None%22%20(value%20%221%22)%20or%20%22Require%20signing%22%20(value%20%222%22).%20To%20make%20sure%20the%20value%20is%20%220%22%2C%20the%20LDAP%20server%20signing%20in%20GPO%20have%20to%20be%20changed%20to%20%22Not%20configure%22%20and%20set%20the%20registry%20manually%20(!)%20on%20all%20DCs.%20Is%20that%20correct%20%3F%3C%2FP%3E%3CP%3EIs%20there%20an%20ADMX%20update%20with%20March%20update%20to%20configure%20%22OFF%22%20via%20GPO%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098765%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098765%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F492744%22%20target%3D%22_blank%22%3E%40graberj%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20that%20was%20my%20understanding%20and%20I%20have%20just%20confirmed%20it%20with%20ldp.exe%20.%20If%20you%20use%20LDAPS%20(TCP%2F636)%20then%20your%20traffic%20is%20considered%20as%20already%20signed%20and%20your%20environment%20will%20not%20be%20affected.%20Just%20remember%2C%20that%20there's%20also%20LDAP%20Global%20Catalogue%203268%20and%20LDAP%20GC%20SSL%203269.%20If%20you%20are%20using%20port%203268%2C%20it
will be affected same as LDAP on port 389. So I would recommend enabling diagnostic logging and make sure you get no events 2889.

@knppdmnq

Yes, that is correct, based on what Alan has written in this article, the operating system will change the interpretation of "ldapserverintegrity"="None" value. Today it is "Negotiate", but will become "Require signing".

DDCP, if you mean Default Domain Controllers policy, will not be changed.

This setting is a part of Security Settings, so it cannot come as update in ADMX template. It should be possible to create a custom ADMX template for this setting, but I would rather use GP Preferences and registry key. No need to do it manually.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra (or anyone) So if we know most of our LDAP traffic is over 389 and unsigned, and we can see the DC event logs showing that most requests in a 24 hour period are unsigned, and it's completely unrealistic to move all these apps over to signed LDAP by March 2020, is our only option to set LDAPServerIntegrity = 0 to continue as normal until we can attempt a more measured approach towards moving 3rd party applications to signed LDAP?

Just looking for confirmation that I've read and understood everything correctly-- this is all fairly deep/dense information for someone not intimately familiar with LDAP.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn

What you write is exactly what we are planning to do for our customers. Alternative to this will be to postpone patching, which we might be forced to do if we don't manage to distribute this setting to a few hundreds of domains before mid-March.

There was a suggestion from a colleague of mine, to set LDAPServerIntegrity=0 on only one or two DCs, leaving the rest with more secure settings. Although, I don't see a big benefit in doing it.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

Hi,

The article states: You need to have this CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs.

I can't find the patch for Windows 10 1809. Does this version of Windows 10 already have the patch?

Thanks

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

!!! Updated !!!

Thanks to @RossUA

In a certain way I agree with @BBCMicro. It takes a while to understand what an admin has to do to prepare for the update. I'm wondering that MS will enforce LDAP signing which could cause applications to stop working. But it's true, LDAP without signing should be switched off long ago.

My suggestion for this issue (check it yourself!):

- Ignore LDAP channel binding token (LDAP CBT) stuff: The setting in March 2020 update will be "compatibility mode".
- With March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key value.
  - Without the March 2020 update, "not defined", "0" and "1" mean "Negotiate"; "2" means "Require Signing"
  - With the March 2020 update, "0" means "Negotiate"; "not defined", "1" and "2" mean "Require Signing"
  - "0" cannot be set via GPO security setting "LDAP server signing requirements" ("None" = "1", "Require signing" = 2)
  - If LDAP server is set to require signing, the LDAP client setting of all clients and the DCs themselves must be set to require signing.
- With rsop.msc or gpresult, check the DC effective settings for "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements"
  - If "Require signature" => all done
  - If "None"
    - Start analyzing LDAP clients NOW
      - Check DC event logs for Event ID 2887 (once per 24 hours); it indicates that there are unsigned requests
      - Start with temporarily enabling NTDS/Diagnostics: LDAP Interface Events:DWORD:2 on a few DCs
      - Use PowerShell to analyze the DC events 2889 (see Alan's post 12-16-2019 05:59 AM as template)
    - Create a new GPO "DC Pref LDAP Signing None" with Preference/Registry "ldapserverintegrity" set to "0"
    - Link the new GPO to the OU "Domain Controllers" (or the OU where the DC computer objects reside) with Link Order "1"
    - Do "gpupdate /force" two times on a DC and check that the new GPO is applied
    - Check that all DCs have "ldapserverintegrity" set to "0"
    - ==> prepared for the March 2020 update, Negotiate enabled
    - If ready to enable LDAP signing
      - Check that the original DDCP (or your own DDCP) has "LDAP server signing requirements" set to "Require signing"
      - Check that the original DDCP (or your own DDCP) has "Network security: LDAP client signing requirements" set to "Require signing"
      - Configure GPOs for Domain members to "Require signing" (Network security: LDAP client signing requirements)
      - Check that all clients work with LDAP signing (Event 2887)
      - Disable the link for GPO "DC Pref LDAP Signing None"
      - Do a "gpupdate /force" on a DC and check that the LDAP server signing has changed to "Require signing"
      - Check that all DCs have "ldapserverintegrity" set to "2"
      - Check for problems; rollback with linking the GPO "DC Pref LDAP Signing None" with Link Order "1"
      - After a couple of weeks, if all works fine, delete the GPO "DC LDAP Signing None"
- After March 2020 update
  - Check to update the Central Store; LDAP CBT settings may become available for configuring in GPMC
  - Decide whether LDAP CBT compatibility is secure enough; otherwise use LDAP Interface Events to analyze DS events 3039, 3040 and take further action

Don't forget AD LDS: LDAP server signing has to be configured for every instance (https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008). By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<INSTANCENAME>\Parameters

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA @Alan La Pietra updated my post from 01-08-20. Thanks for support.

I hope I have described everything correctly and others can use it as a template to deal with this topic. Good luck in March.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA You would definitely want to know which DCs receive normal 389 LDAP authentication requests from third-party applications before you decide which DC to include/exclude. This wouldn't be difficult via the event logs, but you would want to quadruple check everything. The benefit is that you'd have a "patched" DC of which to direct third party apps once you enable signed LDAP for testing.

I feel like this is a good answer to client-to-DC LDAP authentication requests, and it's Microsoft's intention to keep this traffic secure-- but every time I think about this patch/change I feel it's going to be an unmitigated disaster for companies, schools and organizations which don't have the expertise or haven't read the advisory. I have a good working knowledge of several small-to-large companies who have countless third party applications and homegrown apps that utilize vanilla LDAP authentication which would break overnight after this March patch.

I step pretty lightly where DCs are concerned. It would be nice to have comprehensive explanations and documentation as to these settings before Microsoft simply releases it to the wild. In 2 months we're going to be installing these patches to maintain compliance and for a lot of people that's only 1-2 maintenance windows of availability of which to implement change.

I've had an advisory ticket open with the Directory Services support and for 2-3 days I've only gotten the response, "We have very little information on this internally, I'm researching this for you." This seems like the sort of thing you'd be training and prepared for well in advance.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn Very good words! It is very confusing changing the interpretation of a registry key with an update, which will result in a wrong description in the Group Policy explanation.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn We have several hundreds of domains, with some customers having hundreds of third-party applications, many of which are using LDAP. I did monitoring for one of the customers and have got the following list of applications:

- Airwatch
- Jira
- Webproxy
- App for 2-factor authentication
- VPN
- Identity synchronization software
- Software used by Sales
- Calendar synchronization
- Java application, which is using custom AD plugin
- Linux servers, integrated with AD

And of course, there was some traffic that wasn't immediately possible to connect with application, for which further analysis is necessary.

So I agree, this is going to be a disaster. I really hope Microsoft has a really strong reason for doing such change, which they will reveal later.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

Don't know why, but the post from 01-08-2020 is gone.

My summary and suggestion for this issue (check it yourself!); I hope I have described everything correctly and others can use it as a template to deal with this topic. Good luck in March.

- Ignore LDAP channel binding token (LDAP CBT) stuff: The setting in March 2020 update will be "compatibility mode".
- With March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key value.
  - Without the March 2020 update, "not defined", "0" and "1" mean "Negotiate"; "2" means "Require Signing"
  - With the March 2020 update, "0" means "Negotiate"; "not defined", "1" and "2" mean "Require Signing"
  - "0" cannot be set via GPO security setting "LDAP server signing requirements" ("None" = "1", "Require signing" = 2)
  - If LDAP server is set to require signing, the LDAP client setting of all clients and the DCs themselves must be set to require signing.
- With rsop.msc or gpresult, check the DC effective settings for "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements"
  - If "Require signature" => all done
  - If "None"
    - Start analyzing LDAP clients NOW
      - Check DC event logs for Event ID 2887 (once per 24 hours); it indicates that there are unsigned requests
      - Start with temporarily enabling NTDS/Diagnostics: LDAP Interface Events:DWORD:2 on a few DCs
      - Use PowerShell to analyze the DC events 2889 (see Alan's post 12-16-2019 05:59 AM as template)
    - Create a new GPO "DC Pref LDAP Signing None" with Preference/Registry "ldapserverintegrity" set to "0"
    - Link the new GPO to the OU "Domain Controllers" (or the OU where the DC computer objects reside) with Link Order "1"
    - Do "gpupdate /force" two times on a DC and check that the new GPO is applied
    - Check that all DCs have "ldapserverintegrity" set to "0"
    - ==> prepared for the March 2020 update, Negotiate enabled
- After March 2020 update
  - Check to update the Central Store; LDAP CBT settings may become available for configuring in GPMC
  - Decide whether LDAP CBT compatibility is secure enough; otherwise use LDAP Interface Events to analyze DS events 3039, 3040 and take further action
- If ready to enable LDAP signing
  - Check that the original DDCP (or your own DDCP) has "LDAP server signing requirements" set to "Require signing"
  - Check that the original DDCP (or your own DDCP) has "Network security: LDAP client signing requirements" set to "Require signing"
  - Configure GPOs for Domain members to "Require signing" (Network security: LDAP client signing requirements)
  - Check that all clients work with LDAP signing (Event 2887)
  - Disable the link for GPO "DC Pref LDAP Signing None"
  - Do a "gpupdate /force" on a DC and check that the LDAP server signing has changed to "Require signing"
  - Check that all DCs have "ldapserverintegrity" set to "2"
  - Check for problems; rollback with linking the GPO "DC Pref LDAP Signing None" with Link Order "1"
  - After a couple of weeks, if all works fine, delete the GPO "DC Pref LDAP Signing None"

Don't forget AD LDS: LDAP server signing has to be configured for every instance (https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008). By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<INSTANCENAME>\Parameters

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra

Can you please clarify what effect this update will have on LDAP CLIENT signing (LdapClientIntegrity), specifically if it's currently set to negotiate? We are successfully using the following settings without any problems:

- DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing (LdapServerIntegrity = 2)
- Servers/Clients = policy "Network security: LDAP client signing requirements" = Negotiate Signing (LdapClientIntegrity = 1)

It seems based on the information provided that the update will only change LdapServerIntegrity and LdapEnforceChannelBinding. But it is still mentioned to change Network security:
0LDAP%20client%20signing%20requirement%20to%20Require%20Signing.%20Is%20this%20actually%20necessary%20since%20client%20negotiation%20(which%20still%20provides%20LDAP%20signing)%20is%20the%20default%20anyways%20on%20modern%20Windows%20versions%3F%20Will%20we%20see%20any%20impact%20from%20this%20update%20for%20Windows%20clients%20if%20we%20keep%20LDAP%20server%20signing%20to%20required%20and%20LDAP%20client%20signing%20to%20negotiate%3F%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1118721%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1118721%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ECould%20you%20please%20share%20some%20more%20information%20on%20the%20coming%20update%2C%20so%20that%20we%20can%20prepare%20in%20a%20better%20way%3F%3C%2FP%3E%3CUL%3E%3CLI%3EWill%20this%20update%20apply%20for%202008%20Server%20family%3F%20It%20is%20now%20outside%20the%20extended%20support%20cycle%2C%20so%20are%20you%20planning%20to%20skip%20it%20or%20not%3F%3C%2FLI%3E%3CLI%3EHow%20this%20update%20will%20be%20distributed%20to%20different%20systems%3F%20E.g.%20for%20Server%202016%20and%202019%2C%20will%20it%20be%20a%20part%20of%20monthly%20cumulative%20patch%2C%20or%20it%20will%20be%20a%20separate%20update%3F%20Same%20for%202012%20and%20eventually%202008%20-%20will%20it%20be%20a%20separate%20patch%2C%20or%20part%20of%20roll-up%3F%3C%2FLI%3E%3CLI%3EHow%20big%20are%20chances%20that%20Microsoft%20will%20reconsider%20changing%20default%20behavior%20of%20LDAP%20Server%20Signing%3F%20We%20are%20starting%20a%20huge%20project%20to%20make%20sure%20our%20customers%20don't%20get%20in%20trouble%20in%20March%2C%20but%20we%2
0all%20know%20that%20there%20are%20a%20lot%20of%20poorly%20maintained%20environments%2C%20which%20will%20have%20issues.%20For%20many%20people%2C%20it's%20hard%20to%20believe%20that%20MS%20will%20really%20enforce%20signing%2C%20as%20this%20could%20have%20huge%20impact%20on%20so%20many%20systems.%20And%20yes%2C%20of%20course%2C%20signing%20had%20to%20be%20enabled%20long%20time%20ago%2C%20but%20in%20many%20cases%2C%20there%20are%20valid%20reasons%20why%20it%20hasn't%20been%20done%20yet.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1118778%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1118778%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20exactly%20is%20LDAP%20channel%20binding.%20I've%20yet%20to%20see%20an%20actual%20technical%20description%20of%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1119412%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1119412%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F526059%22%20target%3D%22_blank%22%3E%40jpenning%3C%2FA%3E%26nbsp%3Bgood%20question%2C%20first%20it%20relates%20to%20TLS.%3C%2FP%3E%0A%3CP%3ETo%20make%20it%20simple%2C%20an%20example%20could%20be%20the%20following%3A%3C%2FP%3E%0A%3CP%3EClient-A%20connects%20to%20Server-A%20via%20TLS%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22.%20Without%20CBT%20there%20is%20a%20chance%20of%20man-in-the-middle%20grabbing%20this%20session%20and%20using%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%20to%20Server-A%20successfully.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20CBT%20information%20sent%20in%20the
%20request%2C%20Client-A%20connects%20to%20Server-A%20via%20TLS%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%2C%20man-in-the-middle%20grabs%20the%20session%20and%20makes%20connection%20to%20Server-B%20but%20this%20time%20it%20will%20be%20a%26nbsp%3B%22TLS%20%3CSTRONG%3E2%3C%2FSTRONG%3E%20connection%22%20which%20will%20fail%20as%20Server-A%20expects%26nbsp%3B%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-921536%22%20slang%3D%22en-US%22%3ELDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921536%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EHi%20All%2C%20Alan%20here%20again%2C%20this%20time%20trying%20to%20give%20some%20details%20on%20these%20two%20settings%20that%20will%20become%20active%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Efrom%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BMarch%202020%20and%20they%20are%20creating%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Esome%20misunderstandings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELet%E2%80%99s%20start%20saying%20that%20since%20Windows%20Server%202008%20we%20have%20events%202886%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C2887%2C2888%20and%202889%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blogged%20every%2024%20hours%20on%20the%20Directory%20Services%20log%20that%20tells%20us%20we%20are%20using%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%2
0data-contrast%3D%22auto%22%3Ethese%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eunsecure%20protocols%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22text-align%3A%20center%3B%22%3E%3CEM%3EThis%20information%20is%20preliminary%20and%20is%20subject%20to%20revision.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EThis%20article%20is%20a%20living%20document%2C%20written%20%3C%2FEM%3E%3CEM%3Eover%20time%20and%20is%20subject%20to%20change.%20When%20guidance%20presented%20in%26nbsp%3B%3C%2FEM%3E%3CEM%3Ethis%20article%20is%20in%20direct%20conflict%20with%20official%20documentation%2C%26nbsp%3B%3C%2FEM%3E%3CEM%3Eone%20must%20defer%20to%20official%20documentation.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%3CSTRONG%3EAUDITING%20LDAP%20Signing%3C%2FSTRONG%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2886%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ET%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eelling%20us%20that%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eour%20DCs%3C%2FSPAN%3E%3CSPAN%20data-contrast%
3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eare%20not%20r%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eequir%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eing%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BLDAP%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsigning%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941829(v%3Dws.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferre
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941829(v=ws.10)?redirectedfrom=MSDN

2887 (already on by default and logged every 24 hours)
Telling us how many such binds occurred
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941856(v=ws.10)?redirectedfrom=MSDN

The suggested path to resolve this error is to modify the registry of the DC to allow it to log those failures.

Registry to add:

    Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

Once the registry key "16 LDAP Interface Events" is configured, we will have event 2889 telling us who is using this type of insecure protocol.

2889
This is the Event ID you want to check in order to understand which IP addresses and accounts are making these requests.
Once you open Event 2889 in Details you will have:

    Client IP address: “Value”
    Identity the client attempted to authenticate as: “Value”

2888
If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur.

AUDITING LDAP Channel Binding:

Logging of LDAP Binds Not Using CBT

NOTE: these events will only be logged once the update is installed

Same registry key as for LDAP Signing, so "16 LDAP Interface Events = 2"

EventID 3039 Informational
EventID 3040 Informational

CHANGES:

Very important NOTE: You need to have the update for CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs.
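One way to turn the LDAP signing audit described earlier (the "16 LDAP Interface Events" value, then event 2889) into a list of clients to fix, as an added example that is not part of the original article. The order of the fields inside event 2889, the bind-type codes and the function names are assumptions, and the sample rows are constructed for machines where the log is not available.

```powershell
# Added example: group event 2889 by client IP, identity and bind type.
# Assumption: the event data fields are, in order, "client IP:port", the identity,
# and a bind-type code (0 = unsigned SASL bind, 1 = simple bind without SSL/TLS).

$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'

function Test-LdapInterfaceLogging {
    # The article sets this value to 2 so that the DC logs event 2889.
    $item    = Get-ItemProperty -Path $DiagKey -Name $DiagValue -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$DiagValue } else { $null }
    return ($null -ne $current -and $current -ge 2)
}

function ConvertFrom-Event2889 {
    param(
        [Parameter(Mandatory)][string]$Client,
        [Parameter(Mandatory)][string]$Identity,
        [int]$BindType
    )
    # Split on the LAST colon so an IPv6 client such as [2001:db8::5]:50123 keeps its address.
    $i  = $Client.LastIndexOf(':')
    $ip = if ($i -gt 0) { $Client.Substring(0, $i) } else { $Client }
    $kind = switch ($BindType) {
        0       { 'Unsigned SASL bind' }
        1       { 'Simple bind without TLS' }
        default { "Unknown ($BindType)" }
    }
    [pscustomobject]@{ ClientIP = $ip; Identity = $Identity; BindType = $kind }
}

function Get-InsecureLdapBind {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        ConvertFrom-Event2889 -Client $p[0].Value -Identity $p[1].Value -BindType $p[2].Value
    }
}

function Get-LdapBindSummary {
    param([object[]]$Record)
    # One row per (client, identity, bind type), busiest first.
    $Record | Group-Object ClientIP, Identity, BindType | Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count    = $_.Count
                ClientIP = $first.ClientIP
                Identity = $first.Identity
                BindType = $first.BindType
            }
        }
}

if (Test-LdapInterfaceLogging) {
    $records = @(Get-InsecureLdapBind -Hours 24)
} else {
    Write-Warning "'$DiagValue' is not set to 2 or higher here; using constructed sample rows."
    # Constructed sample data (documentation address ranges, made-up account names).
    $sample = @(
        @{ Client = '192.0.2.10:50123';     Identity = 'EXAMPLE\svc-scanner'; BindType = 1 },
        @{ Client = '192.0.2.10:50124';     Identity = 'EXAMPLE\svc-scanner'; BindType = 1 },
        @{ Client = '[2001:db8::5]:49877';  Identity = 'EXAMPLE\app-portal';  BindType = 0 }
    )
    $records = foreach ($row in $sample) { ConvertFrom-Event2889 @row }
}

Get-LdapBindSummary -Record $records | Format-Table -AutoSize
```

Run it on each domain controller, since every DC logs only the binds it received itself.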
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability (REQUIRED):

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections.

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled.
B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMain%20thing%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Epoint%20out%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewhich%20values%20will%20these%20settings%20have%20once%20the%20March%202020%20update%20rolls%20out%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHere%20they%20are%3A%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Channel%20Binding%20%3D%201%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B(after%20update)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAD%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSystem%5CCurrentControlSet%5CServices%5CNTDS%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26q
uot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EADLDS%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSYSTEM%5C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ECurrentControlSet%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CServices%5C%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CLDS%20instance%3D%22%22%20name%3D%22%22%3E%3C%2FLDS%3E%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CU%3E%3CSTRONG%3Evalue%3A%3C%2FSTRONG%3E%E2%80%AF%3CSTRONG%3E1%3C%2FSTRONG%3E%3C%2FU%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFindicates%E2%80%AF%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenabled%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20when%20supported.%20All%20clients%20that%20are%20running%20on%20a%20version%20of%20Windows%20that%20has%20been%20updated%20to%20support%20channel%20binding%20tokens%20(CBT)%20must%20provide%20channel%20binding%20information%20to%20the%20server.%20Clients%20that%20are%20running%20a%20version%20of%20Windows%20that%20has%20not%20been%20updated%20to%20support%20CBT%20do%20not%20have%20to%20do%20so.%20This%20is%20an%20intermediate%20option%20that%20allows%20for%20application%20compatibility.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B
%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20aria-setsize%3D%22-1%22%20data-aria-level%3D%222%22%20data-aria-posinset%3D%221%22%20data-listid%3D%2220%22%20data-font%3D%22Courier%20New%22%20data-leveltext%3D%22o%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Server%20Integrity%20(signing)%20%3D%20enabled%20by%20default%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B(after%20update)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer
%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EI%20want%20to%20note%20that%20this%20article%20shows%20two%20sections%20related%20to%26nbsp%3B%3CU%3Eserver%3C%2FU%3E%20and%20%3CU%3Eclient%2C%3C%2FU%3E%26nbsp%3Bthat%20need%20to%20be%20configured%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20How%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eserver%20LDAP%20signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequirement%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A1440%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot
%3B335559739%26quot%3B%3A480%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2090px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20How%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eclient%20LDAP%20signing%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequirement%20through%20a%20domain%20Group%20Policy%20Object%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A1440%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A480%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EImportant%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ENotes%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20Before%20you%20enable%20this%20setting%20on%20a%20Domain%20Controller%2C%20clients%20must%20install%20the%20security%20update%20that%20is%20described%20in%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-8563%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noope
ner%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECVE-2017-8563%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%20Otherwise%2C%20compatibility%20issues%20may%20arise%2C%20and%20LDAP%20authentication%20requests%20over%20SSL%2FTLS%20that%20previously%20worked%20may%20no%20longer%20work.%20By%20default%2C%20this%20setting%20is%20disabled.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%
5B0%2C8%5D%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20The%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ELdapEnforceChannelBindings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bregistry%20entry%20must%20be%20explicitly%20created.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%5B0%2C8%5D%7D%22%3E%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E-%20LDAP%20server%20responds%20dynamically%20to%20changes%20to%20this%20registry%20entry.%20Therefore%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eyou%20do%20not%20have%20to%20restart%20the%20computer%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bafter%20you%20apply%20the%20registry%20change.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A120%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A240%2C%26quot%3B469777462%26quot%3B%3A%5B720%2C960%5D%2C%26quot%3B469777927%26quot%3B%3A%5B0%2C0%5D%2C%26quot%3B469777928%26quot%3B%3A%5B0%2C8%5D%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ETo%20maximize%20compatibility%20with%20older%20operating%20system%20versions%20(Windows%20Server%202008%20and%20earlier%20versions)%2C%20we%20recommend%20that%20you%20enable%20this%20setting%20with%20a%20value%20of%E2%80%AF%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E1%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%
3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CFONT%20color%3D%22%23ff0000%22%3ETo%20explicitly%20disable%20the%20setting%3C%2FFONT%3E%2C%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ELdapEnforceChannelBinding%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bentry%20to%E2%80%AF%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E0%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AF(zero).%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EWindows%20Server%202008%20and%20older%20systems%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brequire%20that%20Microsoft%20Security%20Advisory%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Flibrary%2Fsecurity%2F973811%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E973811%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20available%20in%20%E2%80%9CKB%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F968389%2Fextended-protection-for-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20n
oopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%
20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E968389%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFExtended%20Protection%20for%20Authentication%E2%80%9D%2C%20be%20installed%20before%20installing%20CVE-2017-8563.%E2%80%AF%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EIf%20you%20install%E2%80%AFCVE-2017-8563%20without%20KB%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F968389%2Fextended-protection-for-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
968389 on a Domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 - LDAP_SERVER_DOWN. In addition, we strongly recommend that you also review and install the fixes documented in the Known Issues section of KB 968389.

UPDATE:

I'm receiving many questions on how to disable this behavior, and it seems it's still not quite understood.

THE ONLY WAY TO DISABLE LDAP SIGNING is via REGISTRY (LDAPServerIntegrity = 0).

If you set it via GPO, for example by configuring None, it will be changed by the update.

[Image: clipboard_image_0.png]

LDAP Signing Group Policy - No Downtime

After installing ADV190023, both settings (even None and Not Defined) will enforce Require Signature.

Only 0 (OFF) will not enforce Require Signature.

NOTE (not recommended, but if you really want to stick with disabling):

A value of "0" in the registry means "OFF", which also means that the update will not change the setting and will not enforce Require Signing.

DC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0

LDAP Signing Group Policy - Behavior Change Example

[Image: clipboard_image_2.png]

If we don't want to wait for the March 2020 update:

1. Enable LdapEnforceChannelBinding = 1 (must have CVE-2017-8563, https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563)
2. Enable LDAP Server Signing
   - DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing
   - Servers/Clients = policy "Network security: LDAP client signing requirements" = Require Signing

Summarizing

To summarize this long article, we can state the following:

1. The Directory Services log is our friend: Event IDs 2886, 2887, 2888, 2889
2. On clients we need to have, as a prerequisite, CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563) "Extended Protection for Authentication" before we enable LDAP CBT and LDAP Signing
3. DCs --> Enable LDAP Signing and LDAP CBT

I hope this helps you understand how these settings work and how they will be configured after the March 2020 update, which can affect your LDAP authentication if you don't make any changes.

Regards to All

Alan @ PFE

Upcoming March 2020 updates will change default behavior of LDAP CBT and Signing (integrity). Want to know more? Just go through this article.

Label: alanlapietra

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra So is LDAP channel binding the same thing as connecting via LDAPS and port 636?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@AndersPalsson

LDAP channel binding the same thing as connecting via LDAPS and port 636?

- No, but CBT is related to TLS connection. It's some data going through the TLS connection helping against MIM attacks
- https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra Thanks for the explanation - I appreciate it.

I have particular clients in my environment that authenticate against AD with NTLM - and these requests are being logged on my DCs as event 2889 (The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.)

Theoretically, how could this be addressed on the client side? Is NTLM "signing" even a thing that exists?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

Is the KB number already known for that March 2020 update?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@jpenning

Yes, it is possible to use NTLM while authenticating the LDAP Bind and have signing afterwards. You can try it with ldp.exe tool:

[Image: clipboard_image_0.png]

At the same time, simple ldap bind doesn't work, which proves that server is requiring signing:

[Image: clipboard_image_1.png]

Both tests done with connection to port 389.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA Thanks for that.

Forgive my ignorance, I figured out how to test the simple bind with the LDP tool - but can't figure out how to test with NTLM?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@jpenning

On the Bind dialogue, you choose Advanced, press Advanced button and choose the authentication protocol you want to use:

[Image: clipboard_image_0.png]

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@jpenning

It looks like ldp.exe doesn't have a setting that controls negotiate for LDAP Signing and Channel Token binding. Therefore, you have to use registry to enable or disable Signing and Integrity. To disable LDAP Signing negotiation for the client, configure key clientldapsecurity=0 under

HKLM\System\CurrentControlSet\Services\ldap

on the client where ldp.exe runs. LDP.exe needs to be restarted after that and will not request signing for any ldap attempts.

You can confirm that signing is not used by capturing network traffic, for example with Wireshark. Here's how it looks like when you expand the LDAP protocol field:

[Image: clipboard_image_1.png]

When it is set to 0, client is not negotiating signing and you can see the following error in bindResponse packet:

[Image: clipboard_image_2.png]

This is what you will see in ldp:

[Image: clipboard_image_3.png]

Re: LDAP Channel Binding and LDAP Signing Requirements - March update default behavior

Maybe I'm a bit late but I'm discovering this today.

Even though I think we can manage to roll the changes to our customers if we dedicate all our resources to it in the next month (thank you for that), I can't stress enough that this is going to be a worldwide LDAPocalypse for the vast majority of sysadmins that aren't aware of this stealthy critical update.

Something like this needs years of planning, not months, and it can't be forced like that without proper communication.

Please, please don't push this into production.
3CLINGO-SUB%20id%3D%22lingo-sub-1120260%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1120260%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BGot%20it%20-%20thanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20this%20test%20scenario%2C%20what%20exactly%20made%20it%20a%20'signed'%20NTLM%20request%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20use%20LDP%20to%20test%20an%20NTLM%20attempt%20that%20is%20not%20requesting%20signing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hi All, Alan here again, this time trying to give some details on these two settings that are creating quite some confusion.

I have to point out that these changes were at first scheduled to become active with the upcoming March 2020 update, but some improvements were made, and the March 2020 update will now only add some new functionality and make no changes, giving customers more time to fix issues.

Be aware that the recommendation is still to audit and fix in order to be ready for any new update, scheduled for mid/late 2020, that will make the changes.

 

Let’s start by saying that since Windows Server 2008 we have had events 2886, 2887, 2888 and 2889, logged every 24 hours in the Directory Services log, that tell us we are using these unsecure protocols.

 

This information is preliminary and is subject to revision.
This article is a living document, written over time and is subject to change. When guidance presented in this article is in direct conflict with official documentation, one must defer to official documentation.

 

 

AUDITING LDAP Signing 

 

To enable auditing we need to add the following registry key on each Domain Controller:

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 

 

Once we add the key (no reboot required), the system will start logging the following event in the Directory Services log:

 

Event ID 2889

This is the Event ID you want to check in order to understand which IP Addresses and Accounts are making these requests.

When you open Event 2889 in the Details view you will have:

Client IP address: “Value”
Identity the client attempted to authenticate as: “Value”

 

You will also find these other events related to LDAP:

 

2886 

Telling us that our DCs are not requiring LDAP signing 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

  

2887 (already on by default and logged every 24 hours)

Telling us how many such binds occurred 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

The suggested path to resolve this error is to modify the registry of the DC to allow it to log those failures.

 

2888 

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur. 

 

 

***NEW NOTE***

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Administrators can prevent the feature update from making those change either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.

 

 

AUDITING LDAP Channel Binding

 

Logging of LDAP Binds Not Using CBT

NOTE: these events will only be logged once the update is installed

Same registry key as for LDAP Signing, so "16 LDAP Interface Events" = 2

 

EventID 3039 Informational

Severity=Informational
Language=English
The following client performed an LDAP bind over SSL/TLS and failed the channel binding token validation. Either the client did not pass channel binding tokens to the server, or the channel bindings did not match.
Client IP address:%n%1
Identity the client attempted to authenticate as:%n%2
For more details and information on channel binding token validation for LDAPS, please see https://go.microsoft.com/fwlink/?linkid=2102405.

 

EventID 3040 Informational 

Severity=Warning
Language=English
During the previous 24 hours period, %1 unprotected LDAPS binds were performed. 
 
This directory server is not currently configured to enforce validation of Channel Binding Tokens. The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
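One way to turn the per-bind audit events from the two auditing sections above (2889 for LDAP signing, 3039 for channel binding) into a list of clients to fix, as an added example that is not part of the original article. The function name Get-InsecureLdapBindSummary and the 24-hour default window are assumptions, and the client field is assumed to be logged as address:port.

```powershell
# Added example: summarise which clients and identities are behind events 2889 and 3039.
# Run in an elevated PowerShell session; requires "16 LDAP Interface Events" = 2 on the DC.
function Get-InsecureLdapBindSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
        [int]$Hours = 24                             # look-back window (assumed default)
    )

    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat only that case as "no events"
    # so that access or connectivity failures are still reported.
    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
    }

    $rows = @(foreach ($e in $events) {
        # Both events carry the same first two fields:
        #   1 = client IP address, 2 = identity the client attempted to authenticate as
        $client   = [string]$e.Properties[0].Value
        $identity = [string]$e.Properties[1].Value

        # Assumption: the client is logged as address:port. Drop the source port so that
        # repeated binds from one host group together; LastIndexOf keeps IPv6 intact.
        $ip    = $client
        $colon = $client.LastIndexOf(':')
        if ($colon -gt 0) { $ip = $client.Substring(0, $colon) }

        [pscustomobject]@{
            EventId  = $e.Id
            ClientIP = $ip
            Identity = $identity
            Time     = $e.TimeCreated
        }
    })

    $rows | Group-Object EventId, ClientIP, Identity | ForEach-Object {
        $first = $_.Group[0]
        $issue = if ($first.EventId -eq 2889) { 'Bind without signing (2889)' }
                 else { 'LDAPS bind failed CBT validation (3039)' }

        [pscustomobject]@{
            Issue    = $issue
            ClientIP = $first.ClientIP
            Identity = $first.Identity
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Count -Descending
}

Get-InsecureLdapBindSummary -Hours 24 | Format-Table -AutoSize
```

Run it against every domain controller, since each DC only logs the binds it served itself.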

 

 

CHANGES OR NOT CHANGES  (March 2020 will not change any setting)

 

Very important NOTE: You need to have the update for CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs.

 

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability (REQUIRED) 

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections. 

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled. 

 

The main thing to point out is which values these settings will have once the March 2020 update rolls out.

 

Here they are:  

 

  • LDAP Channel Binding = 1 (after update)

AD - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters 

ADLDS - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters 

value:1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility. 

 

Important Notes  

- Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled. 

- The LdapEnforceChannelBinding registry entry must be explicitly created.

- LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change. 

 
LDAP Channel Binding: To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. 
 
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero). 

Windows Server 2008 and older systems require that Microsoft Security Advisory 973811, available in “KB 968389 Extended Protection for Authentication”, be installed before installing CVE-2017-8563. 

If you install CVE-2017-8563 without KB 968389 on a Domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 - LDAP_SERVER_DOWN. In addition, we strongly recommend that you also review and install the fixes documented in the Known Issues section of KB 968389.

 

 

LDAP SIGNING

  • LDAP Server Integrity (signing) = (March 2020 update will not change this setting)

https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 

I want to note that this article shows two sections related to server and client, that need to be configured: 

- How to set the server LDAP signing requirement 

- How to set the client LDAP signing requirement through a domain Group Policy Object 

 

 


 

LDAP Signing Group Policy - No Downtime

After installing ADV190023 both settings (Legacy and Not Defined) will enforce Require Signature

Only None = 0 (OFF) will not enforce Require Signature

 

NOTE (not recommended, but if you really want to stick with disabling):

This means that a value of "0" in the registry means "OFF", so the update will not change the setting and will not enforce Require Signing.

DC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  --> LDAPServerIntegrity = 0

 

 

 

LDAP Signing Group Policy - Behavior Change Example


 

If we don’t want to wait for the March 2020 update 

  1. Enable LdapEnforceChannelBinding = 1  (must have CVE-2017-8563)
  2. Enable LDAP Server Signing  
    • DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing 
    • Servers/Clients = policy "Network security: LDAP client signing requirements" = Require Signing
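To see what a domain controller currently has configured before and after making these changes, the following added example (not from the original article; the function name Get-LdapHardeningState is hypothetical) reads the three registry values discussed in this article and flags those that were never explicitly set. The meanings shown for LdapEnforceChannelBinding = 2 and LDAPServerIntegrity = 1 and 2 follow Microsoft's documentation for these values rather than the text above.

```powershell
# Added example: report the LDAP hardening registry values on this domain controller.
# Run locally on the DC in an elevated session. Get-LdapHardeningState is a hypothetical name.
function Get-LdapHardeningState {
    [CmdletBinding()]
    param()

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

    # Value meanings: 0 and 1 for channel binding, 0 for signing and 2 for auditing are as
    # described in the article; the remaining entries follow Microsoft's documentation.
    $settings = @(
        @{ Name = 'LdapEnforceChannelBinding'; Path = "$ntds\Parameters"
           Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled, when supported'; 2 = 'Enabled, always' } },
        @{ Name = 'LDAPServerIntegrity'; Path = "$ntds\Parameters"
           Meaning = @{ 0 = 'Off'; 1 = 'None (signing not required)'; 2 = 'Require signing' } },
        @{ Name = '16 LDAP Interface Events'; Path = "$ntds\Diagnostics"
           Meaning = @{ 0 = 'Per-bind audit events off'; 2 = 'Per-bind audit events on' } }
    )

    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue

        # A missing value is a state of its own: the DC runs on defaults, which is the
        # case the article says a later update will change.
        if ($null -eq $item) {
            [pscustomobject]@{
                Setting  = $s.Name
                Value    = $null
                Explicit = $false
                Meaning  = 'Not set: default applies and may change with a later update'
            }
            continue
        }

        $value   = [int]$item.($s.Name)
        $meaning = $s.Meaning[$value]
        if (-not $meaning) { $meaning = 'Value not covered in this article' }

        [pscustomobject]@{
            Setting  = $s.Name
            Value    = $value
            Explicit = $true
            Meaning  = $meaning
        }
    }
}

Get-LdapHardeningState | Format-Table -AutoSize -Wrap
```

For an AD LDS instance, the Parameters path is the instance-specific key given earlier in this article instead of the NTDS one.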

 

Summarizing 

To summarize this long article, we can state the following: 

  1. AUDIT - Directory Services Log is our friend: Event ID 2889 
  2. On Clients/Servers we need to have as a prerequisite CVE-2017-8563 “Extended Protection for Authentication” before we enable LDAP CBT and LDAP Signing
  3. DCs --> Enable LDAP Signing and LDAP CBT

 

I hope this helps you understand a little better what these settings are all about. Remember that the main thing is to audit and make a list of which systems/accounts are making these unsecure binds.

Fix issues and make your environment ready for when new updates will default to the Require setting.

 

 

Regards to All 

 

Alan @ PFE 

169 Comments
Occasional Contributor
Could someone PLEASE help me understand something? If I set the server to require signing, but a client is offline and can't yet get the client gpo to set required signing - how in the world can it talk with a DC to get group policy to get the right setting? Is there some sort of special logic happening on a DC that allows a client to check/update group policy even if it isn't meeting the signing requirements???
Senior Member

What happens if the clients receive the January 2020 update before the domain controllers do? In other words, the DCs have a Registry entry of 0 or no entry at all.

Occasional Visitor
Thanks for this clarification!
As I understand, this should work for good Compatibility:
Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1
- Group Policy (Domain Level): Network security: LDAP client signing requirements: Require
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None
About Domain controller signing:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.
 
After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Other suggestions?
Occasional Visitor

Does anyone know (for sure) if there will be the option to keep the enforcement disabled after the January patch?

If yes, then please provide source..

Microsoft
@ajm-b  

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service

 

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

Microsoft
Microsoft

@GflBE

I would say

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
- Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
- Group Policy (Domaincontrollers): Domain controller: LDAP server signing requirements: None

 

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2
Occasional Visitor

@Alan La Pietra 

Okay, I have already seen that article and the registry values to accept non signed ldap requests. But to me it was not definitely clear if this option will still be available after the January update.

 

Can you confirm that it will be possible after the January update?

 

Thanks in advance!

Microsoft

@harle22 changes can be reverted, only changing default values

 

Senior Member

This article and the conversation that it has started has been very helpful, so thanks for that.

 

Fortunately I have a copy of our AD in a sandboxed environment for testing. The downside is that I only have Windows Clients and no third party apps to test there.

 

A couple of different points:

 

- In the test environment, I set LDAP Signing to be enforced on the Client side across the domain and set the DC GPO so that LDAP Signing is not required. This apparently did not cause any problems. It seems to contradict this, unless I'm misunderstanding it: "Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed."

 

- This concerns me: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. " Is this correct? If so, we can forget about 3rd party apps that need to use AD authentication. They all seem to rely on simple bind over SSL for LDAP security.

Occasional Visitor

@CFS3RD 

 

SASL Authentication 

 

Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication.
While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.
While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind
that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.

Occasional Visitor

Can you confirm that it will be possible after the January update?

Real Web Point

Thanks in advance!

Senior Member
@Alan La Pietra The KB 968389 link doesn't work. Can you get this link corrected or point us to the correct verbiage? This is causing quite a bit of confusion for us as well. -Chad
Microsoft

@ChadWst sorry for that!!

2008 x64: https://www.microsoft.com/en-us/download/details.aspx?id=15109 

Check windows update catalog here: https://www.catalog.update.microsoft.com/Home.aspx

 

Also remember that Extended Support for 2008 R2 SP1 and 2008 SP2, will end on 1/14/2020

Search product lifecycle: https://support.microsoft.com/en-us/lifecycle/search?alpha=windows%20server%202008

 

Regards

 

Alan @ PFE

Microsoft
 
 
 
   
Yes it will

 

Senior Member

@Alan La Pietra-- Question about GPO's  if LDAP Signing GPO's are currently enforcing "Negotiate Signing" for  Client/Workstations and LDAP Signing set to "None" for Domain Controllers

 

The January update would have no impact right? The update would essentially set it in the registry to "Require Signing" but once Group Policy refreshed it would revert back to what is set in GPO for example "Negotiate" for Clients and "None" for Domain Controllers.

Senior Member

For our third party applications and our OSX member computers that use LDAP over SSL (port 636), will they continue to communicate successfully with the domain controllers set to Require Signing? It sounds like they will fail. In that case we'll never be able to set it to Require Signing.

 

Related, I assume that for Channel Binding as long as we leave the setting at 1, the third party apps will be okay, since that is leaving it unenforced. Is that correct?

Occasional Contributor
@CFS3RD, as I understand it "Require Signing" only has to do with non-TLS 389, it doesn't come into play with 636 binds. We have plenty of macs here - if you wanna hit me up in about a month I can probably tell you how it went.
Senior Member

ajm-b, yes that would be great. We'll be holding off on the domain controllers until February so I'll have some time. We do have a closed off test network and we may be able to test some Macs there.

 

I don't know too much about Macs and I'm never one who joins them to the domain, but I had been under the impression that they did use port 636 by default. It wasn't until I increased the LDAP logging to "2" that I saw how many of them were using 389. I'm not sure why, but you may want to do the same.

 

That said, I just found an article that allays the confusion which prompted me to ask the question in the first place:

http://setspn.blogspot.com/2016/09/domain-controller-ldap-server-signing.html

As the article says, there is bad wording in the MS article: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." So I know from what it says in this Blogspot post, that LDAP over SSL/TLS should continue to work.

 

Senior Member

I was able to find a Mac that I put in our isolated test network. In that environment, I set the DC GPO for "Domain Controller: require signing", the domain GPO to "Network Client: require signing". On the DC GPO I created the Registry entry for "LDAP Channel Binding = 1". I successfully tested using LDP to make sure simple binds over 389 would fail and over 636 using SSL would succeed.

 

I had no problem joining the Mac (Mavericks, a fairly old OSX version) to the domain. I don't see an option for using secure LDAP or not, so it obviously used secure LDAP or it would have failed. Just wanted to get this out there for anyone who was concerned like me.

 

I still don't understand why a bunch of Macs are using non secure LDAP, but that's our problem to correct.

Senior Member

You can use ldp.exe to quickly troubleshoot different settings.  It helped me solve an issue with a Cisco appliance today.

Senior Member

@Alan La Pietra

 

Excellent article - thank you.

This may be asking something obvious but do the updates amend the value of Domain controller: LDAP server signing requirements in the Default Domain Controllers Policy?

Microsoft

@Ricoli610

Correct

Signing Required

CBT = 1

 

you need to have "required" on both Domain Controller Policy and Domain Policy (or a policy that will apply to clients/servers).

Update will default to ldap signing required on DDCP

 

Alan @ PFE

 

 

Senior Member
@Alan La Pietra -- I have a question related to the CVE-2017-8563 Would it be safe to assume that if we have been applying the Monthly Roll-up (not the Security-Only) since Oct 2016 to all of our systems, that this would include the update needed? -Chad
Microsoft

@ChadWst

I assume you are correct, but you can double check

Please review the following: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

 

Example "Windows 10 for 32-bit Systems" is contained in July 11, 2017 - KB4025338

Windows 10 for 32-bit Systems   4025338 Security Update

 

or for "Windows Server 2012 R2" - KB4025333

Windows Server 2012 R2   4025336 Monthly Rollup Elevation of Privilege Important
4022726
4025333 Security Only

 

Regards

 

Alan @ PFE

Occasional Visitor

Horrible article...

 

Does the update involve code updates?

Does the update merely set the registry keys?

Does the update update a GPO (you allude to this above but I find it hard to believe.. - maybe I deleted the Default Domain Controllers GPO.. changed its scope… the patching team DON'T have access to modify GPOs anyway... This is stupid on so many levels it has to not be the case)

Does the registry setting set by the patch (if that's all it does) override GPO registry settings (assuming the normal 'policies' folders are used for these types of GPOs..) which wins? what if there is a conflict?

 

Poorly explained and massive lack of fundamental information.

Senior Member
@Alan La Pietra If we set LDAP Channel Binding = 0 before the January update is deployed, will the update change the value from 0 to 1 or will customers need to come back after the update and reset it to =0 to disabling it? Please advise and thank you!
Microsoft

@ChadWst The update will change to 1 in DDCpolicy. You will have to set back to 0.

 

After installing ADV190023 both settings (even None and Not Defined) will enforce Require Signature.
Only 0 (OFF) will not enforce Require Signature.

 

By the way with CBT=1 you shouldn't have issues, that's a sort of accept all. This is an intermediate option that allows for application compatibility.

Issue could arise with LDAP Signing=Require

 

Senior Member
@Alan La Pietra -- Good catch on the future updates. I wasn't thinking that far in advance yet :) -- Speaking of updates. Do you anticipate these changes being in the Preview Updates?
Microsoft

@ChadWst sorry not aware of this yet

Senior Member

Thanks very much!

Senior Member
@Alan La Pietra -- Another follow-up to your response. Up till this point I have considered LDAP signing and LDAP CBT mutually exclusive. Is this accurate? For example, could we disable LDAP signing=REQUIRED and move forward with CBT = 1? These changes don't have to be done together right?
Microsoft

Adding some other information

 

Important to point out:

LDAP over TLS/SSL communication are already signed as TLS would detect any modification of the payload as it can't be decrypted. The behavior for LDAP simple binds and LDAP simple binds through SSL are as follows:

  • LDAP simple binds are rejected if signing is required
  • LDAP simple binds through SSL are allowed if signing is required, as that satisfies the signing requirement

 

Another important aspect:
Turning off changes made by January 2020 updates 
Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:
  • LdapServerIntegrity = 0
  • LdapEnforceChannelBinding = 0
The values can also be configured via Security Policies set via Group Policy (e.g. to automatically distribute the settings to all DCs):
  • "Domain controller: LDAP server signing requirements"
  • "Domain controller: LDAP server channel binding token requirements" (will only show up in the UI after installing the upcoming fix)

@ChadWst 

CBT setting will be introduced by the update

You can separate the settings, having CBT=1 and Signing=0. They are two separate settings that you can configure via registry or GPO

Also if you download the latest SCT 1.0 (security compliance toolkit) https://www.microsoft.com/en-us/download/details.aspx?id=55319 you will find template "SecGuide.admx" and language file "SecGuide.adml" that you can import in your policies (Central Store or C:\Windows\PolicyDefinitions) and from which you can manage Extended Protection for LDAP.....(CBT)


Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909: 

 

https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Wind... 

 

Also one of the things to be aware of is that "Require Signing" may have an impact on third-party systems if you don't configure them correctly. Some examples that I'm thinking of:

  • Printers
  • Storage Area Networks
  • Third party OSs
  • Appliances
  • other Hardware that interacts with DCs
  • etc etc

 

Regards

 

Alan @ PFE

 

Senior Member

@Alan La Pietra @ChadWst 

Thank you for all the additional information and links.

Just flagging up that I've tried changing the Domain controller: LDAP server signing requirements setting in the DDCP from None to Required and this changed the ldapserverintegrity registry entry from 1 to 2 (below HKLM\System\CurrentControlSet\Services\NTDS\Parameters). Reverting the policy setting to None changed it back to 1.

Senior Member

@Ricoli610

My tests confirm your remarks:

DC: LDAP server signing requirement: None (default) means ldapserverintegrity registry value 1
DC: LDAP server signing requirement: Required means ldapserverintegrity registry value 2

(and not 0 and 1 as expected, which is confusing)

 

This would mean that the previous remark from @Alan La Pietra should be:

 

Turning off changes made by January 2020 updates 
Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:
  • LdapServerIntegrity = 1 (which means ldap server signing requirement none)
  • LdapEnforceChannelBinding = 0 (which means binding disabled)

Thank you @Alan La Pietra for confirming this.

Microsoft

@romuel Great!!

New Contributor

For those with Macs, it looks like they do not support CBT (Channel Binding Tokens) so it won't be possible to set LdapEnforceChannelBinding to 2, but it does work with it set to 1 (Compatibility Mode).   I'm guessing most people will have to stay in that mode anyway, due to an assortment of 3rd party things.   This was tested using the latest macOS (10.15) as well.

Senior Member

If there is a requirement to secure the binding with a certificate, either internal CA or third party CA, and the domain ends in .local, is it possible to obtain a certificate from a third party CA for a upn suffix that is available externally and use this instead to bind securely? Deploying an internal CA for many customers who have .local domains to allow successful ldap binds seems like an overkill. Thoughts?

 

Just a thought - I think based on the many comments and corrections, this article should be updated with clear instructions on the changes being made, how to enable such settings now, how to disable such settings when live etc. A lot of companies won't be ready for the January deadline, so a guide to ensuring smooth transition would be great.

Visitor

Hi @Alan La Pietra,

 

One question here, according to the 2 documents here:

Can I just follow one doc to make my communications between LDAP clients and Active Directory domain controllers more secure? Or must I configure both of them to get these advantages? What's the difference between them, please?

 

Thanks

-Justin 

Microsoft

@Justin_Shi Hi Justin, you can go with only one, but to cover all security concerns related to this issue we recommend changing both. Also because the update will update both.

Channel Binding Token info (was FAQ): https://internal.support.services.microsoft.com/en-us/help/2022970

Channel Binding for TLS (ietf) : https://tools.ietf.org/html/draft-altman-tls-channel-bindings-07#page-6

 

CVE-2017-8563 introduces a registry setting that administrators can use to help make LDAP authentication over SSL/TLS more secure.

  • Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.
  • The LdapEnforceChannelBindings registry entry must be explicitly created.
  • LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change

 

Regards

 

Alan @ PFE

Microsoft

Also, just as an example, once you have enabled auditing by modifying the registry key "16 LDAP Interface Events", you can use the following PowerShell to search every DC for EventID 2889 and list the IP and account.

 

This is only an example (only the last 50 events will be listed; if you need more, change the value in -maxevents).

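Import-Module ActiveDirectory   # provides Get-ADDomainController
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs)
{
    Write-Host $DC.HostName
    # Reads the last 50 Directory Service events, then keeps only Event ID 2889
    # and prints "time: client address=>account"
    Get-WinEvent -ComputerName $DC.HostName -LogName "Directory Service" -MaxEvents 50 | ?{$_.Id -eq 2889} | %{Write-Output "$($_.TimeCreated): $($_.Properties[0].Value)=>$($_.Properties[1].Value)"}
}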

Senior Member

Thanks, the script is helpful.

 

I was confused as to why I saw no events listed on 4 of 5 DCs until I realized that (of course) the last 50 events are listed *before* filtering for Event ID 2889. If you have lots of other Directory Services events, the last 50 may not include any for Event ID 2889. Keep that in mind when running the script.
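
Added example (not part of any post in this thread): the same per-DC search with the Event ID 2889 filter applied before the event limit, so -MaxEvents counts only 2889 events, and with the results grouped by client and account. The 1000-event limit and the stripping of the port from the client address are assumptions of this example.

```powershell
# Added example: summarise Event ID 2889 per client and account across all DCs.
# Needs the ActiveDirectory module and rights to read the Directory Service log on each DC.
Import-Module ActiveDirectory

$MaxEventsPerDC = 1000   # assumption: adjust to your log volume
$filter = @{ LogName = 'Directory Service'; Id = 2889 }

$binds = foreach ($DC in Get-ADDomainController -Filter *) {
    try {
        # The filter is applied by the event log query itself, so -MaxEvents
        # limits the number of 2889 events, not the number of events scanned.
        $events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable $filter `
                               -MaxEvents $MaxEventsPerDC -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; tell that apart
        # from a DC that could not be queried at all.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Host "$($DC.HostName): no 2889 events"
        } else {
            Write-Warning "$($DC.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            DC      = $DC.HostName
            Time    = $e.TimeCreated
            # Properties[0] is the client address with its source port;
            # drop the port so one client groups into one row.
            Client  = ($e.Properties[0].Value -replace ':\d+$', '')
            Account = $e.Properties[1].Value
        }
    }
}

# One row per client/account pair, most frequent first.
$binds | Group-Object Client, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'Account';  e = { $_.Group[0].Account } },
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } },
        @{ n = 'DCs';      e = { ($_.Group.DC | Sort-Object -Unique) -join ',' } }
```

The grouped output is the list of devices and service accounts to fix before moving the DCs to Require Signing.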

Senior Member
@Alan La Pietra Do you know if the LDAP Signing registry keys are dynamic like the CBT keys?? Is a reboot required for those to take effect?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters LDAPServerIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters ldapclientintegrity

Senior Member

@Alan La Pietra,

 

Please make it clearer in the article, that the table that explains behavior change is actually about "Domain controller: LDAP server signing requirements" GPO. It was not evident at all, until I read all other comments. Possibly, because GPO doesn't contain "OFF" setting.

 

Is it correct, that after this update, if we want to have at least 1 application not using LDAP Signing, we have to remove this GPO setting completely, and create a registry key with value "0", completely turning off LDAP Signing in whole domain, for all clients? If not, how do we enable one application to not require LDAP signing (given it doesn't support LDAPS)?

 

Below is the description of the policy today. Why does it say that LDAP Simple Bind is not affected?

Domain controller: LDAP server signing requirements

 

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple

Senior Member
@Alan La Pietra If LDAPServerIntegrity = 0 on the Domain Controller side, does the client side ldapclientintegrity need to be "0" as well, or would "1" Negotiate still work? Thanks for the updated info and charts related to the "None" and "Not Defined" behavior. This helps for the customers that are working on plans to disable. It might help to add some verbiage around the client side.
Microsoft

@ChadWst

LDAPServerIntegrity = 0 on the Domain Controller side: this will remain 0 when you install the update (releasing in March 2020)

Client Side leave = 1 meaning "negotiate"

 

So to disable this LDAP Signing you have to set Domain Controller Policy to 0 (zero = OFF). This won't be touched by the March 2020 update or future updates. I want to point out that this is NOT Recommended obviously as you are leaving your environment not secure.

LDAP CBT is not a concern with March 2020 update. Leaving = 1 means "negotiate".

When possible, consider configuring CBT = 2 in order to ensure higher security for TLS as well

 

Alan @ PFE

Senior Member

@ChadWst 

According to the help for Client Signing Requirements, Negotiate is the default.

 

That said, I have a GPO set for a few clients with Client Signing set to "2" (Require Signing) and I have no issues, even though the DCs are still set to None.

Senior Member
@Alan La Pietra -- Most definitely, the plan is to get these features enabled however we haven't had another lead time to get the logging enabled and run down the 1000's of LDAP client apps we have. It's definitely on our radar. A couple of followups:

1 -- Are you hinting that the updates might be pushed to March (would look at the official Advisory for this soon)?
2 -- For LDAP Clients... The 2020 updates will NOT change the "Negotiate" to "Required"? Or is it irrelevant if the DC/LDAP server side is set to "0"?

Senior Member