Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Could someone PLEASE help me understand something? If I set the server to require signing, but a client is offline and can't yet get the client GPO to set required signing - how in the world can it talk with a DC to get group policy to get the right setting? Is there some sort of special logic happening on a DC that allows a client to check/update group policy even if it isn't meeting the signing requirements???

---

What happens if the clients receive the January 2020 update before the domain controllers do? In other words, the DCs have a Registry entry of 0 or no entry at all.

---

Thanks for this clarification!
As I understand it, this should work for good compatibility:

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1
- Group Policy (Domain Level): Network security: LDAP client signing requirements: Require
- Group Policy (Domain Controllers): Domain controller: LDAP server signing requirements: None

About Domain controller signing:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events

If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events

If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Other suggestions?

---

Does anyone know (for sure) if there will be the option to keep the enforcement disabled after the January patch?
If yes, then please provide a source.

---

@ajm-b

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes
This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to the directory service.

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution
If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

---

@harle22
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
Not recommended, but you could revert to legacy values.

---

@GflBE

I would say:

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
- Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
- Group Policy (Domain Controllers): Domain controller: LDAP server signing requirements: None

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events

If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events

If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

---

@Alan La Pietra
Okay, I have already seen that article and the registry values to accept non-signed LDAP requests. But to me it was not definitely clear if this option will still be available after the January update.

Can you confirm that it will be possible after the January update?

Thanks in advance!

---

@harle22 changes can be reverted, only changing default values

---

This article and the conversation that it has started has been very helpful, so thanks for that.

Fortunately I have a copy of our AD in a sandboxed environment for testing. The downside is that I only have Windows clients and no third-party apps to test there.

A couple of different points:

- In the test environment, I set LDAP Signing to be enforced on the client side across the domain and set the DC GPO so that LDAP Signing is not required. This apparently did not cause any problems. It seems to contradict this, unless I'm misunderstanding it: "Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed."

- This concerns me: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." Is this correct? If so, we can forget about 3rd-party apps that need to use AD authentication. They all seem to rely on simple bind over SSL for LDAP security.

---

@CFS3RD

SASL Authentication: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/989e0748-0953-455d-9d37-d08dfbf3998b

> Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication.
> While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.
> While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.

---

@Alan La Pietra The KB 968389 link doesn't work. Can you get this link corrected or point us to the correct verbiage? This is causing quite a bit of confusion for us as well. -Chad

---

@ChadWst sorry for that!!
2008 x64: https://www.microsoft.com/en-us/download/details.aspx?id=15109
Check the Windows Update catalog here: https://www.catalog.update.microsoft.com/Home.aspx
opener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.catalog.update.microsoft.com%2FHome.aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%20remember%20that%20Extended%20Support%20for%20%3CSTRONG%3E2008%20R2%20SP1%3C%2FSTRONG%3E%20and%20%3CSTRONG%3E2008%20SP2%3C%2FSTRONG%3E%2C%20will%20end%20on%26nbsp%3B%3CSPAN%3E1%2F14%2F2020%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESearch%20product%20lifecycle%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Flifecycle%2Fsearch%3Falpha%3Dwindows%2520server%25202008%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%20%40%26nbsp%3BPFE%3C%2FP%3
E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005752%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005752%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CA%20id%3D%22link_49%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451699%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3E%3C%2FSPAN%3E%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451699%22%20target%3D%22_blank%22%3E%40amjadalisial%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%26nbsp%3B%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3EYes%20it%20will%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1007049%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3
C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1007049%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20our%20third%20party%20applications%20and%20our%20OSX%20member%20computers%20that%20use%20LDAP%20over%20SSL%20(port%20636)%2C%20will%20they%20continue%20to%20communicate%20successfully%20with%20the%20domain%20controllers%20set%20to%20Require%20Signing%3F%20It%20sounds%20like%20they%20will%20fail.%20In%20that%20case%20we'll%20never%20be%20able%20to%20set%20it%20to%20Require%20Signing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERelated%2C%20I%20assume%20that%20for%20Channel%20Binding%20as%20long%20as%20we%20leave%20the%20setting%20at%201%2C%20the%20third%20part%20apps%20will%20be%20okay%2C%20since%20that%20is%20leaving%20it%20unenforced.%20Is%20that%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008681%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008681%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%2C%20as%20I%20understand%20it%20%22Require%20Signing%22%20only%20has%20to%20do%20with%20non-TLS%20389%2C%20it%20doesn't%20come%20into%20play%20with%20636%20binds.%20We%20have%20plenty%20of%20macs%20here%20-%20if%20you%20wanna%20hit%20me%20up%20in%20about%20a%20month%20I%20can%20probably%20tell%20you%20how%20it%20went.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008843%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008843%22%20slang%3D%22en-US%22%3E%3CP%3Eajm-b%2C%20yes%20that%20would%20be%20great.%20We'll%20be%20holding%20off%20on%20the%20domain%20controllers%20until%20February%20so%20I'll%20have%20some%20time.%20We%20do%20hav
e%20a%20closed%20off%20test%20network%20and%20we%20may%20be%20able%20to%20test%20some%20Macs%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20too%20much%20about%20Macs%20and%20I'm%20never%20one%20who%20joins%20them%20to%20the%20domain%2C%20but%20I%20had%20been%20under%20the%20impression%20that%20they%20did%20use%20port%20636%20by%20default.%20It%20wasn't%20until%20I%20increased%20the%20LDAP%20logging%20to%20%222%22%20that%20I%20saw%20how%20many%20of%20them%20were%20using%20389.%20I'm%20not%20sure%20why%2C%20but%20you%20may%20want%20to%20do%20the%20same.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20said%2C%20I%20just%20found%20an%20article%20that%20allays%20the%20confusion%20which%20prompted%20me%20to%20ask%20the%20question%20in%20the%20first%20place%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fsetspn.blogspot.com%2F2016%2F09%2Fdomain-controller-ldap-server-signing.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopene
r%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fsetspn.blogspot.com%2F2016%2F09%2Fdomain-controller-ldap-server-signing.html%3C%2FA%3E%3C%2FP%3E%3CP%3EAs%20the%20article%20says%2C%20there%20i
s%20bad%20wording%20in%20the%20MS%20article%3A%20%22If%20signing%20is%20required%2C%20then%20LDAP%20simple%20bind%20and%20%3CEM%3E%3CSTRONG%3ELDAP%20simple%20bind%20through%20SSL%3C%2FSTRONG%3E%3C%2FEM%3E%20requests%20are%20rejected.%22%20So%20I%20know%20from%20what%20it%20says%20in%20this%20Blogspot%20post%2C%20that%20LDAP%20over%20SSL%2FTLS%20should%20continue%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1009745%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1009745%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20find%20a%20Mac%20that%20I%20put%20in%20our%20isolated%20test%20network.%20In%20that%20environment%2C%20I%20set%20the%20DC%20GPO%20for%20%22Domain%20Controller%3A%20require%20signing%22%2C%20the%20domain%20GPO%20to%20%22Network%20Client%3A%20require%20signing%22.%20On%20the%20DC%20GPO%20I%20created%20the%20Registry%20entry%20for%20%22%3CFONT%3ELDAP%20Channel%20Binding%20%3D%201%22.%20I%20successfully%20tested%20using%20LDP%20to%20make%20sure%20simple%20binds%20over%20389%20would%20fail%20and%20over%20636%20using%20SSL%20would%20succeed.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI%20had%20no%20problem%20joining%20the%20Mac%20(Mavericks%2C%20a%20fairly%20old%20OSX%20version)%20to%20the%20domain.%20I%20don't%20see%20an%20option%20for%20using%20secure%20LDAP%20or%20not%2C%20so%20it%20obviously%20used%20secure%20LDAP%20or%20it%20would%20have%20failed.%20Just%20wanted%20to%20get%20this%20out%20there%20for%20anyone%20who%20was%20concerned%20like%20me.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI%20still%20don't%20understand%20why%20a%20bunch%20of%20Macs%20are%20using%20non%20secure%20LDAP%2C%20but%20that's%20our%20problem%20to%20correct.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-10252
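The two posts above describe the practical way to find out who would break before flipping a DC to "Require signing": raise the LDAP interface logging level to 2 and look at which clients still bind unsigned or with a simple bind on 389, then confirm with ldp.exe. The script below is an added example written for this thread, not code from the thread or from Microsoft. It reads the DC's current LDAPServerIntegrity, LdapEnforceChannelBinding and "16 LDAP Interface Events" registry values, and summarises Directory Service event 2889 (one per unsigned/simple bind when the level is 2) by client and identity. The -Days parameter and the assumption that event 2889's first two inserted properties are the client address and the bound identity are this script's own.

```powershell
# Added example, not code from the thread. Audits one domain controller's LDAP
# signing / channel binding posture and lists clients still binding unsigned
# (or simple/cleartext) on port 389, so they can be fixed before "Require signing".
# Run in an elevated PowerShell session on the DC.
param([int]$Days = 7)   # -Days is this script's own parameter (assumption)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# LDAPServerIntegrity: absent or 1 = signing not required, 2 = require signing
# (this is the value "Domain controller: LDAP server signing requirements" sets).
$signing = Get-RegValueOrNull $ntdsParams 'LDAPServerIntegrity'
# LdapEnforceChannelBinding: absent or 0 = never, 1 = when supported, 2 = always.
$cbt = Get-RegValueOrNull $ntdsParams 'LdapEnforceChannelBinding'
# "16 LDAP Interface Events" = 2 is the LDAP logging level that makes the DC
# write event 2889 for every unsigned/simple bind (2887 is the daily summary).
$diagLevel = Get-RegValueOrNull $ntdsDiag '16 LDAP Interface Events'
if ($null -eq $diagLevel) { $diagLevel = 0 }

[pscustomobject]@{
    Server                    = $env:COMPUTERNAME
    LDAPServerIntegrity       = if ($null -eq $signing) { 'not set (signing not required)' }
                                elseif ($signing -eq 2) { '2 (require signing)' }
                                else { "$signing (signing not required)" }
    LdapEnforceChannelBinding = if ($null -eq $cbt) { '0 (not set)' } else { $cbt }
    LdapInterfaceEventsLevel  = $diagLevel
} | Format-List

if ([int]$diagLevel -lt 2) {
    Write-Warning 'Set "16 LDAP Interface Events" to 2 to get per-client event 2889 before requiring signing.'
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No event 2889 entries in the last $Days day(s)."
    return
}

# Assumption: property 0 of event 2889 is the client address:port and property 1
# is the identity the client bound as, matching the event's message template.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Client   = [string]$_.Properties[0].Value -replace ':\d+$', ''   # strip source port
            Identity = [string]$_.Properties[1].Value
            Time     = $_.TimeCreated
        }
    } |
    Group-Object Client, Identity |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Client';   e = { $_.Group[0].Client } },
                  @{ n = 'Identity'; e = { $_.Group[0].Identity } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it on each DC (event 2889 is local to the DC that served the bind), leave the logging level at 2 long enough to cover weekly and monthly jobs, and only then move the policy to "Require signing". Clients that bind over 636 with TLS never appear here, which matches the observation in the thread that LDAPS binds are unaffected by the signing requirement.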
Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

You can use ldp.exe to quickly troubleshoot different settings. It helped me solve an issue with a Cisco appliance today.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra

Excellent article - thank you.
This may be asking something obvious, but do the updates amend the value of "Domain controller: LDAP server signing requirements" in the Default Domain Controllers Policy?

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Ricoli610
Correct
Signing Required
CBT = 1

You need to have "required" on both Domain Controller Policy and Domain Policy (or a policy that will apply to clients/servers).
Update will default to LDAP signing required on DDCP

Alan @ PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra -- I have a question related to CVE-2017-8563. Would it be safe to assume that if we have been applying the Monthly Roll-up (not the Security-Only) since Oct 2016 to all of our systems, that this would include the update needed? -Chad

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@ChadWst
I assume you are correct, but you can double-check.
Please review the following: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

Example: "Windows 10 for 32-bit Systems" is contained in July 11, 2017 - KB4025338

Product | KB article | Update
Windows 10 for 32-bit Systems | 4025338 (https://support.microsoft.com/help/4025338) | Security Update (https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4025338)

or for "Windows Server 2012 R2" - KB4025333

Product | KB article | Update
Windows Server 2012 R2 | https://support.microsoft.com/help/40
25336%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%
20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4025336%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fcatalog.update.microsoft.com%2Fv7%2Fsite%2FSearch.aspx%3Fq%3DKB4025336%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noo
pener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMonthly%20Rollup%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3EElevation%20of%20Privilege%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20class%3D%22ng-binding%22%3EImportant%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%3E%3CDIV%20class%3D%22ng-binding%22%3E4022726%3C%2FDIV%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%
3A%2F%2Fsupport.microsoft.com%2Fhelp%2F4025333%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noope
ner%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4025333%3C%2FA%3E%3C%2FTD%3E%0A%3CTD%20rowspan%3D%221%22%3E%3CA%20class%3D%22ng-binding%22%20href%3D%22https%3A%2F%2Fcatalog.update.microsoft.com%2Fv7%2Fsite%2FSearch.aspx%3Fq%3DKB4025333%22%20name%3D%22%22%20aria-label%3D%22%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecurity%20Only%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006237%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequireme
nts%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006237%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E--%20Question%20about%20GPO's%26nbsp%3B%20if%20LDAP%20Signing%20GPO's%20are%20currently%20enforcing%20%22Negotiate%20Signing%22%20for%26nbsp%3B%20Client%2FWorkstations%20and%20LDAP%20Signing%20set%20to%20%22None%22%20for%20Domain%20Controllers%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20January%20update%20would%20have%20no%20impact%20right%3F%20The%20update%20would%20essentially%20set%20it%20in%20the%20registry%20to%20%22Require%20Signing%22%20but%20once%20Group%20Policy%20refreshed%20it%20would%20revert%20back%20to%20what%20is%20set%20in%20GPO%20for%20example%20%22Negotiate%22%20for%20Clients%20and%20%22None%22%20for%20Domain%20Controllers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1036751%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1036751%22%20slang%3D%22en-US%22%3E%3CP%3EHorrible%20article...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20the%20update%20involve%20code%20updates%3F%3C%2FP%3E%3CP%3EDoes%20the%20update%20merely%20set%20the%20registry%20keys%3F%3C%2FP%3E%3CP%3EDoes%20the%20update%20update%20a%20GPO%20(you%20allude%20to%20this%20above%20but%20I%20find%20it%20hard%20to%20believe..%20-%20maybe%20I%20deleted%20the%20Default%20Domain%20Controllers%20GPO..%20changed%20its%20scope%E2%80%A6%20the%20patching%20team%20DONT%20have%20access%20to%20modify%20GPOs%20anyway...%20This%20is%20stupid%20on%20so%20many%20levels%20it%20has%20to%20not%20be%20the%20case)%3C%2FP%3E%3CP%3EDoes%20the%20registry%20setting%20set%20by%20the%20patch%20(if%20thats%20all%20it%20does)%20override%20GPO%20registry%20settings%2
0(assuming%20the%20normal%20'policies'%20folders%20are%20used%20for%20these%20types%20of%20GPOs..)%20which%20wins%3F%20what%20if%20there%20is%20a%20conflict%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPoorly%20explained%20and%20massive%20lack%20of%20fundamental%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1043995%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1043995%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20If%20we%20set%20LDAP%20Channel%20Binding%20%3D%200%20before%20the%20January%20update%20is%20deployed%2C%20will%20the%20update%20change%20the%20value%20from%200%20to%201%20or%20will%20customers%20need%20to%20come%20back%20after%20the%20update%20and%20reset%20it%20to%20%3D0%20to%20disabling%20it%3F%20Please%20advise%20and%20thank%20you!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1044149%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1044149%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20--%20Good%20catch%20on%20the%20future%20updates.%20I%20wasn't%20thinking%20that%20far%20in%20advance%20yet%20%3A)%3C%2Fimg%3E%20--%20Speaking%20of%20updates.%20Do%20you%20anticipate%20these%20changes%20being%20in%20the%20Preview%20Updates%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1044233%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20
id%3D%22lingo-body-1044233%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3Bsorry%20not%20aware%20of%20this%20yet%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1045483%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1045483%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20very%20much!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1046689%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1046689%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20--%20Another%20follow-up%20to%20your%20response.%20Up%20til%20this%20point%20I%20have%20considered%20LDAP%20signing%20and%20LDAP%20CBT%20mutually%20exclusive.%20Is%20this%20accurate%3F%20For%20example%2C%20could%20we%20disable%20LDAP%20signing%3DREQUIRED%20and%20move%20forward%20with%20CBT%20%3D%201%3F%20These%20changes%20dont%20have%20to%20be%20done%20together%20right%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1046936%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1046936%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3EAdding%20some%20other%20information%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3EImportant%20to%20point%20out%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3ELDAP%20over%20TLS%2FSSL%20communication%20ar
e%20already%20signed%20as%20TLS%20would%20detect%20any%20modification%20of%20the%20payload%20as%20it%20can't%20be%20decrypted.%20The%20behavior%20for%20LDAP%20simple%20binds%20and%20LDAP%20simple%20binds%20through%20SSL%20are%20as%20follows%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3ELDAP%20simple%20binds%20are%20rejected%20If%20signing%20is%20required%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3ELDAP%20simple%20binds%20through%20SSL%20are%20allowed%20If%20signing%20is%20required%20as%20that%26nbsp%3Bsatisfy%20the%20signing%20requirement%26nbsp%3B%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20dir%3D%22ltr%22%3E%3CFONT%20size%3D%223%22%3EAnother%20important%20aspect%3A%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%20dir%3D%22ltr%22%3E%3CFONT%20size%3D%223%22%3E%3CSTRONG%20class%3D%22%22%3ETurning%20off%20changes%20made%20by%20January%202020%20updates%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CBLOCKQUOTE%20dir%3D%22ltr%22%3E%0A%3CDIV%3E%3CFONT%20size%3D%223%22%3ESeparate%20registry%20key%20settings%20exist%20for%20LDAP%20Signing%20and%20Channel%20Binding.%20Setting%20registry%20values%20to%20zero%20reverts%20the%20OS%20back%20to%20the%20previous%20defaults%3A%20%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3ELdapServerIntegrity%20%3D%200%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3ELdapEnforceChannelBinding%20%3D%200%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CDIV%3E%3CFONT%20size%3D%223%22%3EThe%20values%20can%20also%20be%20configured%20via%20Security%20Policies%20set%20via%20Group%20Policy%20(e.g.%20to%20automatically%20distribute%20the%20settings%20to%20all%20DCs)%3A%20%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3E%22Domain%20controller%3A%20LDAP%20server%20signing%20requirements%22%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%223%22%3E%22Domain%20controller%3A%20LDAP%20server%20channel%20binding%20token
%20requirements%22%20(will%20only%20show%20up%20in%20the%20UI%20after%20installing%20the%20upcoming%20fix)%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3ECBT%20setting%20will%20be%20introduced%20by%20the%20update%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3EYou%20can%20separate%20the%20settings%2C%20having%20CBT%3D1%20and%20Signing%3D0.%20They%20are%20two%20separate%20settings%20that%20you%20can%20configure%20via%20registry%20or%20GPO%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CBLOCKQUOTE%20dir%3D%22ltr%22%3E%3CFONT%20size%3D%223%22%3EAlso%20if%20you%20download%20the%20latest%20SCT%201.0%20(security%20compliance%20toolkit)%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D55319%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%
20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D55319%26nbsp%3B%3C%2FA%3Eyou%20will%20find%20template%20%22SecGuide.admx%22%20and%20language%20file%20%22SecGuide.adml%22%20that%20you%20can%20import%20in%20your%20policies%20(Central%20Store%20or%20C%3A%5CWindows%5CPolicyDefinitions)%20and%20from%20which%20you%20can%20manage%20Extended%20Protection%20for%20LDAP.....(CBT)%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%223%22%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%
2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F159971iF99C42C1BCE9203B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FBLOCKQUOTE%3E%0A%3CBLOCKQUOTE%20dir%3D%22ltr%22%3E%0A%3CH1%20class%3D%22message-subject%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-204
5288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%20id%3D%22toc-hId-2045288062%22%3E%3CSPAN%20class%3D%22lia-message-unread%22%3E%3CA%20class%3D%22page-link%20lia-link-navigation%20lia-custom-event%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Security-Baselines%2FSecurity-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server%2Fba-p%2F1023093%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ESecurity%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3A%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FH1%3E%0A%3CH1%20class%3D%22message-subject%22%20id%3D%22toc-hId--5068688
https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1909-and-Windows-Server/ba-p/1023093

Also one of the things to be aware of is that "Require Signing" may have an impact on third-party systems if you don't configure them correctly. Some examples that I'm thinking of:

- Printers
- Storage Area Networks
- Third-party OSs
- Appliances
- other hardware that interacts with DCs
- etc. etc.

Regards

Alan @ PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra @ChadWst

Thank you for all the additional information and links.

Just flagging up that I've tried changing the "Domain controller: LDAP server signing requirements" setting in the DDCP from None to Required and this changed the ldapserverintegrity registry entry from 1 to 2 (below HKLM\System\CurrentControlSet\Services\NTDS\Parameters). Reverting the policy setting to None changed it back to 1.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Ricoli610

My tests confirm your remarks:

DC: LDAP server signing requirement: None (default) means ldapserverintegrity registry value 1
DC: LDAP server signing requirement: Required means ldapserverintegrity registry value 2

(and not 0 and 1 as expected, which is confusing)

This would mean that the previous remark from @Alan La Pietra should be:

Turning off changes made by January 2020 updates

> Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:
> - LdapServerIntegrity = 1 (which means LDAP server signing requirement None)
> - LdapEnforceChannelBinding = 0 (which means binding disabled)

Thank you @Alan La Pietra for confirming this.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates
@romuel Great!!

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

For those with Macs, it looks like they do not support CBT (Channel Binding Tokens), so it won't be possible to set LdapEnforceChannelBinding to 2, but it does work with it set to 1 (Compatibility Mode). I'm guessing most people will have to stay in that mode anyway, due to an assortment of 3rd-party things. This was tested using the latest macOS (10.15) as well.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

If there is a requirement to secure the binding with a certificate, either internal CA or third-party CA, and the domain ends in .local, is it possible to obtain a certificate from a third-party CA for a UPN suffix that is available externally and use this instead to bind securely? Deploying an internal CA for many customers who have .local domains to allow successful LDAP binds seems like overkill. Thoughts?

Just a thought - I think, based on the many comments and corrections, this article should be updated with clear instructions on the changes being made, how to enable such settings now, how to disable such settings when live, etc. A lot of companies won't be ready for the January deadline, so a guide to ensuring a smooth transition would be great.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Hi @Alan La Pietra,

One question here, according to the 2 documents here:

- LDAP channel binding: https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
- LDAP signing: https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008

Can I just follow one doc to make my communications between LDAP clients and Active Directory domain controllers more secure? Or must I configure both of them to get these advantages? What's the difference between them, please?

Thanks

-Justin

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Justin_Shi Hi Justin, you can go with only one, but to cover all security concerns related to this issue we recommend changing both. Also because the update will update both.

Channel Binding Token info (was FAQ): https://internal.support.services.microsoft.com/en-us/help/2022970
Channel Binding for TLS (IETF): https://tools.ietf.org/html/draft-altman-tls-channel-bindings-07#page-6

CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563) introduces a registry setting that administrators can use to help make LDAP authentication over SSL/TLS more secure.

- Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.
- The LdapEnforceChannelBinding registry entry must be explicitly created.
- The LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change.

Regards

Alan @ PFE
Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@ChadWst The update will change to 1 in DDC policy. You will have to set it back to 0.

After installing ADV190023 both settings (even None and Not Defined) will enforce Require Signature.
Only 0 (OFF) will not enforce Require Signature.

By the way, with CBT=1 you shouldn't have issues; that's a sort of accept-all. This is an intermediate option that allows for application compatibility.

Issues could arise with LDAP Signing=Require.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Also, just as an example, once you have enabled auditing by modifying the registry key "16 LDAP Interface Events", you can use the following PowerShell to search every DC for Event ID 2889 and list IP and account.

This is only an example (only the last 50 events will be listed; if you need more, change the value in -MaxEvents).

    $DCs = Get-ADDomainController -Filter *
    foreach ($DC in $DCs)
    {
        Write-Host $DC.HostName
        # -MaxEvents caps the events read from the log before the Where-Object filter runs
        Get-WinEvent -ComputerName $DC.HostName -LogName "Directory Service" -MaxEvents 50 |
            Where-Object { $_.Id -eq 2889 } |
            ForEach-Object { Write-Output "$($_.TimeCreated): $($_.Properties[0].Value)=>$($_.Properties[1].Value)" }
    }

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

Thanks, the script is helpful.

I was confused as to why I saw no events listed on 4 of 5 DCs until I realized that (of course) the last 50 events are listed *before* filtering for Event ID 2889. If you have lots of other Directory Service events, the last 50 may not include any for Event ID 2889. Keep that in mind when running the script.

Re: LDAP Channel Binding and LDAP Signing Requirements - JANUARY 2020 Updates

@Alan La Pietra Do you know if the LDAP Signing registry keys are dynamic like the CBT keys?? Is a reboot required for those to take effect?
F%20HKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5CNTDS%5CParameters%20LDAPServerIntegrity%20HKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5Cldap%5CParameters%20ldapclientintegrity%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070198%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070198%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20make%20it%20clearer%20in%20the%20article%2C%20that%20the%20table%20that%20explains%20behavior%20change%20is%20actually%20about%20%22%3CEM%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%3C%2FEM%3E%22%20GPO.%20It%20was%20not%20evident%20at%20all%2C%20until%20I%20read%20all%20other%20comments.%20Possibly%2C%20because%20GPO%20doesn't%20contain%20%22OFF%22%20setting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20correct%2C%20that%20after%20this%20update%2C%20if%20we%20want%20to%20have%20at%20least%201%20application%20not%20using%20LDAP%20Signing%2C%20we%20have%20to%20remove%20this%20GPO%20setting%20completely%2C%20and%20create%20a%20registry%20key%20with%20value%20%220%22%2C%20completely%20turning%20off%20LDAP%20Signing%20in%20whole%20domain%2C%20for%20all%20clients%3F%20If%20not%2C%20how%20do%20we%20enable%20one%20application%20not%20require%20LDAP%20signing%20(if%20it%20doesn't%20support%20LDAPS)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBelow%20is%20the%20description%20of%20the%20policy%20today.%20Why%20does%20it%20say%20that%20LDAP%20Simple%20Bind%20is%20not%20affected%3F%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20security%20setti
ng%20determines%20whether%20the%20LDAP%20server%20requires%20signing%20to%20be%20negotiated%20with%20LDAP%20clients%2C%20as%20follows%3A%3C%2FP%3E%3CP%3ENone%3A%20Data%20signing%20is%20not%20required%20in%20order%20to%20bind%20with%20the%20server.%20If%20the%20client%20requests%20data%20signing%2C%20the%20server%20supports%20it.%3CBR%20%2F%3ERequire%20signature%3A%20Unless%20TLS%5CSSL%20is%20being%20used%2C%20the%20LDAP%20data%20signing%20option%20must%20be%20negotiated.%3C%2FP%3E%3CP%3EDefault%3A%20This%20policy%20is%20not%20defined%2C%20which%20has%20the%20same%20effect%20as%20None.%3C%2FP%3E%3CP%3ECaution%3C%2FP%3E%3CP%3EIf%20you%20set%20the%20server%20to%20Require%20Signature%2C%20you%20must%20also%20set%20the%20client.%20Not%20setting%20the%20client%20results%20in%20loss%20of%20connection%20with%20the%20server.%3C%2FP%3E%3CP%3ENotes%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23FF0000%22%3EThis%20setting%20does%20not%20have%20any%20impact%20on%20LDAP%20simple%20bind%20or%20LDAP%20simple%20bind%20through%20SSL.%20No%20Microsoft%20LDAP%20clients%20that%20are%20shipped%20with%20Windows%20XP%20Professional%20use%20LDAP%20simple%3C%2FFONT%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070310%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070310%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20If%20LDAPServerIntegrity%20%3D%200%20on%20the%20Domain%20Controller%20side%20does%20the%20client%20side%20ldapclientintegrity%20need%20to%20be%20%220%22%20as%20well%20or%20would%20%221%22%20Negotiate%20still%20work%3F%20Thanks%20for%20the%20updated%20info%20and%20charts%20related%20to%20the%20%22None%22%20and%20%22Not%20Defined%22%20behavior.%20This%20helps%20for
%20the%20customers%20that%20are%20working%20on%20plans%20to%20disabled.%20It%20might%20help%20to%20add%20some%20verbiage%20around%20the%20client%20side.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070331%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070331%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELDAPServerIntegrity%20%3D%200%20on%20the%20Domain%20Controller%20side%20%2C%20this%20will%20remain%200%20when%20you%20install%20update%20(releasing%20in%20March%202020)%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EClient%20Side%20leave%20%3D%201%20meaning%20%22negotiate%22%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESo%20to%20disable%20this%20LDAP%20Signing%20you%20have%20to%20set%20Domain%20Controller%20Policy%20to%200%20(zero%20%3D%20OFF)%3C%2FSTRONG%3E.%20This%20wont%20be%20touched%20by%20the%20March%202020%20update%20or%20future%20updates.%20I%20want%20to%20point%20out%20that%20this%20is%20NOT%20Recommended%20obviously%20as%20you%20are%20leaving%20your%20environment%20not%20secure.%3C%2FP%3E%0A%3CP%3ELDAP%20CBT%20is%20not%20a%20concern%20with%20March%202020%20update.%20Leaving%20%3D%201%20means%20%22negotiate%22.%3C%2FP%3E%0A%3CP%3EWhen%20possible%2C%20consider%20configuring%20CBT%20%3D%202%20in%20order%20to%20ensure%20higher%20security%20for%20TLS%20as%20well%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070346%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070346%22%20slang%3D%22en-
US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccording%20to%20the%20help%20for%20Client%20Signing%20Requirements%2C%20Negotiate%20is%20the%20default.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20said%2C%20I%20have%20a%20GPO%20set%20for%20a%20few%20clients%20with%20Client%20Signing%20set%20to%20%222%22%20(Require%20Signing)%20and%20I%20have%20no%20issues%2C%20even%20though%20the%20DCs%20are%20still%20set%20to%20None.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070349%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070349%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%20--%20Most%20definitely%2C%20the%20plan%20is%20to%20get%20these%20features%20enabled%20however%20we%20haven't%20had%20another%20lead%20time%20to%20get%20the%20logging%20enabled%20and%20run%20down%20the%201000's%20of%20LDAP%20client%20apps%20we%20have.%20Its%20definitely%20on%20our%20radar.%20A%20couple%20of%20followups%201%20--%20Are%20you%20hinting%20that%20the%20updates%20might%20be%20pushed%20to%20March%20(would%20look%20at%20the%20official%20Advisory%20for%20this%20soon)%3F%202%20--%20For%20LDAP%20Clients...%20The%202020%20updates%20will%20NOT%20change%20the%20%22Negotiate%22%20to%20%22Required%22%3F%20or%20is%20it%20irrelevant%20if%20the%20DC%2FLDAP%20server%20side%20is%20set%20to%20%220%22%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070355%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070355%
22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%20--%20Thats%20what%20we%20have%20been%20testing%20but%20it%20looks%20like%20the%20behavior%20of%20%221%22%20or%20%22None%22%20changes%20with%20the%20updates.%20Check%20out%20Alan's%20updates%20in%20the%20main%20part%20of%20the%20thread.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070515%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070515%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20change%20in%20behavior%20that%20I%20see%20is%20in%20regards%20to%20Not%20Defined%20and%20None%20changing%20from%20the%20current%20Off%20to%20Required%20once%20the%20patch%20is%20released.%20(I%20believe%20this%20applies%20to%20both%20Server%20and%20Client%20side.)%20That%20is%20definitely%20important%20information%20to%20have%2C%20but%20it%20seems%20as%20though%20I'm%20simulating%20the%20changes%20that%20you%20asked%20about.%20If%20fact%2C%20I'm%20going%20beyond%20that%20by%20setting%20the%20clients%20to%202%20and%20leaving%20the%20DCs%20at%201.%20After%20the%20patch%2C%20this%20apparently%20will%20need%20to%20be%20changed%20to%200%20on%20the%20DCs.%20That%20seems%20to%20be%20the%20only%20thing%20I%20would%20have%20to%20do%20in%20order%20to%20be%20in%20the%20same%20state%20as%20my%20current%20test%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20me%20know%20if%20I'm%20missing%20something%2C%20as%20I'm%20simply%20trying%20to%20understand%20this%20myself.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070451%22%20slang%3D%22en-US%2
2%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070451%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20policy%20%22%3CEM%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%22%3C%2FEM%3E%20contains%20only%20settings%20%22None%22%20and%20%22Require%20Signing%22.%20So%20if%20we%20need%20to%20set%20the%20policy%20to%20OFF%2C%20one%20of%20the%20way%20would%20be%20to%20set%20this%20setting%20in%20Group%20Policy%20to%20%22Not%20Defined%22%20and%20then%20specify%20the%20registry%20key%20in%20GP%20Preferences%2C%20with%20value%200%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20effect%20when%20LDAPServerIntegrity%3D0%2C%20if%20Client%20is%20configured%20to%20Require%20Signing%3F%20Will%20they%20not%20be%20able%20to%20communicate%2C%20or%20will%20Domain%20Controller%20accept%20signed%20traffic%2C%20even%20if%20signing%20is%20OFF%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECurrent%20description%20of%20this%20policy%20says%20that%20%22This%20setting%20does%20not%20have%20any%20impact%20on%20LDAP%20simple%20bind%20or%20LDAP%20simple%20bind%20through%20SSL.%22%20It%20would%20be%20nice%20if%20the%20description%20is%20corrected%20to%20match%20the%20information%20you%20provided.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20my%20previous%20commented%20been%20deleted%20for%20the%20red%20text%2C%20highlighting%20wrong%20description%20on%20GPO%3F%20Wow!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070541%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070541%22%
20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%20--%20I%20think%20we%20all%20are%20%3A)%3C%2Fimg%3E%20Basically%20you're%20saying%20as%20long%20as%20its%20off%20on%20the%20DC%20side%2C%20it%20doesn't%20matter%20what%20the%20client%20side%20is%20right%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070598%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070598%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20my%20take.%20For%20the%20time%20being%2C%20if%20your%20DCs%20are%20set%20to%20%22None%22%20in%20their%20GPO%20and%20if%20you%20set%20a%20test%20workstation%20GPO%20to%20Required%2C%20that%20will%20be%20a%20legitimate%20test%2C%20as%20far%20as%20I%20can%20tell.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOf%20course%2C%20this%20brings%20up%20at%20least%20one%20more%20question.....Will%20there%20be%20additional%20settings%20in%20the%20GP%20Editor%20after%20the%20patch%3F%20Or%20will%20it%20require%20a%20Registry%20setting%20in%20Group%20Policy%20Preferences%2C%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%20mentioned%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071111%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071111%22%20slang%3D%22en-US%22%3EIt%20looks%20like%20the%20official%20advisory%20has%20been%20updated%20to%20March%202020%20now.%20--%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopen
er%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071555%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071555%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20policy%20%22%3C%2FSPAN%3E%3CEM%3EDomain%20controller%3A%20LDAP%20server%20signing%20requirements%22%3C%2FEM%3E%3CSP
AN%3E%26nbsp%3Bcontains%20only%20settings%20%22None%22%20and%20%22Require%20Signing%22%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIf%20you%20need%20to%20set%20the%20policy%20to%20OFF%20you%20need%20to%20modify%20registry%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20registry%20there%20are%202%20settings%20for%20Ldap%20Signing%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDomain%20Controller%20side%20%3A%26nbsp%3BHKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5C%3CSTRONG%3ENTDS%3C%2FSTRONG%3E%5CParameters%26nbsp%3B%3CSTRONG%3E%26nbsp%3B--%26gt%3B%20LDAPServerIntegrity%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E%3D%200%20--%26gt%3B%20THIS%20means%20OFF%2C%20only%20ZERO%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EClient%2Fserver%20side%20%3A%26nbsp%3BHKLM%5CSYSTEM%5CCurrentControlSet%5CServices%5C%3CSTRONG%3ELDAP%5C%3C%2FSTRONG%3EParameters%26nbsp%3B%3CSTRONG%3E%26nbsp%3B--%26gt%3B%20LDAPServerIntegrity%3D%201%20--%26gt%3B%20DON'T%20TOUCH%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%3C%2FP%3E%0A%3CP%3EZERO%20wont%20be%20changed%3C%2FP%3E%0A%3CP%3EONE%20will%20change%20to%20Required%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDon't%20go%20through%20the%20description%20in%20the%20policy%2C%20very%20confusing.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071610%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20it%20is%2
0possible%20at%20all%2C%20I%20would%20really%20ask%20you%20to%20reconsider%20changing%20behaviour%20of%20ONE.%20Because%20this%20behaviour%20change%20will%20be%20disruptive%20for%2095%25%20of%20companies%20using%20AD%2C%20which%20is%20bigger%20than%20300%20people.%20Corporate%20IT%20people%20usually%20don't%20have%20competence%20to%20look%20that%20deep%20into%20AD%2C%20while%20bigger%20companies%20will%20have%20no%20option%2C%20rather%20than%20to%20turn%20off%20LDAP%20Signing%20completely%2C%20as%20the%20risk%20is%20too%20high%20(edit%3A%20because%20of%20the%20large%20amount%20of%203rd%20party%20applications).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPreparing%20for%20this%20change%20properly%20(Setting%20Domain%20Controller%20to%20Require%20Signing%20in%20advance%20with%20a%20controlled%20change)%2C%20monitoring%20unsigned%20LDAP%2C%20reconfiguring%20applications%20to%20use%20LDAP%20SSL%20for%20all%20our%20clients%20would%20probably%20take%205%20months%2C%20if%20we%20have%20good%20manning.%20It's%20going%20to%20cost%20millions%20of%20USD%20for%20large%20or%20medium%20service%20providers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072071%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072071%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20all%20of%20our%20LDAP%20clients%20are%20already%20using%20LDAPS%20(port%20636)%2C%20does%20this%20still%20apply%3F%3F%3C%2FP%3E%3CP%3EOr%20is%20all%20of%20this%20only%20necessary%20if%20you%20have%20basic%20LDAP%20clients%20(port%20389)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072110%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072110%22%20slang%3D%22e
n-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F492744%22%20target%3D%22_blank%22%3E%40graberj%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162321i9ADF406945D6C21D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4034879
%2Fhow-to-add-the-ldapenforcechannelbinding-registry-entry%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070638%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JANUARY%202020%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070638%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%20%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpdate%3A%20I'm%20terribly%20sorry%2C%20but%20my%20test%20was%20wrong%2C%20as%20it%20was%20something%20wrong%20with%20the%20test%20server%2C%20before%20I%20started.%20Another%20server%20doesn't%20exhibit%20same%20issues.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRIKE%3EI%20just%20made%20a%20test%2C%20setting%20LdapServerIntegrity%20on%20Domain%20Controllers%20to%200%20and%20setting%20one%20of%20the%20client%20to%20%22Require%20Integrity%22.%20As%20a%20result%2C%20I%20get%20Event%20ID%201216%20on%20DC%3A%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3EInternal%20event%3A%20An%20LDAP%20client%20connection%20was%20closed%20because%20of%20an%20error.%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRIKE%3EClient%20IP%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3Exxx.xxx.xxx.xxx%3A55041%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRIKE%3EAdditional%20Data%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3EError%20value%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3E1236%20The%20network%20connection%20was%20aborted%20by%20the%20local%20system.%3C%2FSTRIKE%3E%3
CBR%20%2F%3E%3CSTRIKE%3EInternal%20ID%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CSTRIKE%3Ec060420%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3EAfter%20restart%20on%20the%20client%3A%3C%2FSTRIKE%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSTRIKE%3ENetlogon%20EVENT%20ID%203210%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3EThis%20computer%20could%20not%20authenticate%20with%20%5C%5C%3CDC%20fqdn%3D%22%22%3E%2C%20a%20Windows%20domain%20controller%20for%20domain%20%3CDOMAIN%20name%3D%22%22%3E%2C%20and%20therefore%20this%20computer%20might%20deny%20logon%20requests.%20This%20inability%20to%20authenticate%20might%20be%20caused%20by%20another%20computer%20on%20the%20same%20network%20using%20the%20same%20name%20or%20the%20password%20for%20this%20computer%20account%20is%20not%20recognized.%20If%20this%20message%20appears%20again%2C%20contact%20your%20system%20administrator.%3C%2FDOMAIN%3E%3C%2FDC%3E%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3ESo%20that%20means%2C%20if%20Microsoft%20doesn't%20change%20behaviour%20of%20the%20%22OFF%22%20setting%2C%20we%20will%20have%20to%20turn%20off%20LDAP%20Signing%20for%20the%20whole%20domain%2C%20if%20we%20have%20even%20a%20single%20client%2C%20not%20supporting%20it.%20We%20will%20have%20to%20make%20sure%20all%20clients%20are%20configured%20to%20Negotiate%20signing%20also.%20Furthermore%2C%20we%20will%20have%20to%20do%20it%20before%20the%20update%2C%20otherwise%20systems%20will%20stop%20working%2C%20like%20VPN%2C%20Proxy%2C%20NAS%2C%20Linux%20systems%2C%20Network%20appliances%20and%20other%20stuff%2C%20like%20Java%20plug-ins%20connecting%20to%20AD.%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRIKE%3EAwesome%20Christmas%20present%2C%20thank%20you%2C%20Microsoft!%3C%2FSTRIKE%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072163%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%2
6nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072163%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%2C%20but%20I%20don't%20understand%20that%20chart.%26nbsp%3B%20There%20are%20check%20marks%20under%20both%20columns%20which%20seems%20contradictory.%26nbsp%3B%20Can%20you%20just%20respond%20to%20my%20questions%20with%20specific%20answers%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072220%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20JAN%202020%20Updates%20now%20scheduled%20for%20March%2020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072220%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F449180%22%20target%3D%22_blank%22%3E%40CFS3RD%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377753%22%20target%3D%22_blank%22%3E%40ChadWst%3C%2FA%3E%20%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20previous%20post%20with%20test%20results%20was%20wrong%2C%20I%20selected%20a%20test%20server%20which%20had%20some%20issues.%20Sorry%20for%20misleading.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20repeat%20the%20test%20with%20another%20server%20and%20it%20looks%20like%2C%20the%20behaviour%20of%20%3CSPAN%3E%3CSTRONG%3ELDAPServerIntegrity%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3E%3D%200%3C%2FSTRONG%3E%3C%2FSPAN%3E%20is%20actually%20%22%3CSTRONG%3ENegotiate%3C%2FSTRONG%3E%22%20and%20not%20%22Disable%22.%20So%20if%20we%20set%20it%20to%200%20before%20the%20update%20arrives%2C%20there%20should%20be%20no%20consequence%20for%20the%20environment%2C%20after%20update.%20%3CA%20href%3D%22h
@Alan La Pietra, could you please confirm that this is correct?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@knppdmnq remember that the only way to disable LDAP Signing "before" installing March or later updates is to set registry key = 0

LDAPServerIntegrity = 0 (obviously not recommended)

Regards

Alan @PFE

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@knppdmnq
Initial article was updated with information that "LDAP server signing requirements" set to "None" will effectively become "Require Signing" after the update. So in order to keep "negotiate" behaviour, you have to set registry key LDAPServerIntegrity to 0, while "none" sets this key to 1.

Sorry, just noticed Alan has already answered it while I was replying.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA no problem, thanks for answering. I'm glad to see how comments are helping others, GREAT!!

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

If all of our LDAP clients are already using LDAPS (port 636), does anything need to be changed?

Or is all of this only necessary if you have basic LDAP clients (port 389)?

The chart in the docs doesn't really answer this question.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA << So in order to keep "negotiate" behaviour, you have to set registry key LDAPServerIntegrity to 0, while "none" sets this key to 1. >>

Yes, admins have to make sure that the negotiate behavior works until every application and all systems are reconfigured.

With the March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key values, is that correct?

@Alan La Pietra, you meant that the March update changes the DDCP. This will not happen if the registry value for DCs is "0", is that correct?

Via GPO the setting can be configured to "None" (value "1") or "Require signing" (value "2"). To make sure the value is "0", the LDAP server signing in GPO has to be changed to "Not configured" and the registry set manually (!) on all DCs. Is that correct?

Is there an ADMX update with the March update to configure "OFF" via GPO?

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@graberj

Yes, that was my understanding and I have just confirmed it with ldp.exe. If you use LDAPS (TCP/636) then your traffic is considered as already signed and your environment will not be affected. Just remember that there's also LDAP Global Catalogue 3268 and LDAP GC SSL 3269. If you are using port 3268, it will be affected the same as LDAP on port 389. So I would recommend enabling diagnostic logging and making sure you get no events 2889.

@knppdmnq

Yes, that is correct. Based on what Alan has written in this article, the operating system will change the interpretation of the "ldapserverintegrity"="None" value. Today it is "Negotiate", but it will become "Require signing".

DDCP, if you mean Default Domain Controllers Policy, will not be changed.

This setting is a part of Security Settings, so it cannot come as an update in an ADMX template. It should be possible to create a custom ADMX template for this setting, but I would rather use GP Preferences and the registry key. No need to do it manually.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra (or anyone) So if we know most of our LDAP traffic is over 389 and unsigned, and we can see the DC event logs showing that most requests in a 24 hour period are unsigned, and it's completely unrealistic to move all these apps over to signed LDAP by March 2020, is our only option to set LDAPServerIntegrity = 0 to continue as normal until we can attempt a more measured approach towards moving 3rd party applications to signed LDAP?

Just looking for confirmation that I've read and understood everything correctly; this is all fairly deep/dense information for someone not intimately familiar with LDAP.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn

What you write is exactly what we are planning to do for our customers. The alternative to this will be to postpone patching, which we might be forced to do if we don't manage to distribute this setting to a few hundred domains before mid-March.

There was a suggestion from a colleague of mine to set LDAPServerIntegrity=0 on only one or two DCs, leaving the rest with more secure settings. Although I don't see a big benefit in doing it.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

Hi,

The article states: You need to have this CVE-2017-8563 installed on your clients as a prerequisite before enabling LDAP Channel Binding and LDAP Integrity on DCs.

I can't find the patch for Windows 10 1809. Does this version of Windows 10 already have the patch?

Thanks

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

!!! Updated !!!

Thanks to @RossUA

In a certain way I agree with @BBCMicro. It takes a while to understand what an admin has to do to prepare for the update. I'm wondering that MS will enforce LDAP signing, which could cause applications to stop working. But it's true, LDAP without signing should have been switched off long ago.

My suggestion for this issue (check it yourself!):

- Ignore LDAP channel binding token (LDAP CBT) stuff: the setting in the March 2020 update will be "compatibility mode".
- With the March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key value.
  - Without the March 2020 update, "not defined", "0" and "1" mean "Negotiate"; "2" means "Require Signing"
  - With the March 2020 update, "0" means "Negotiate"; "not defined", "1" and "2" mean "Require Signing"
  - "0" can not be set via GPO security setting "LDAP server signing requirements" ("None" = "1", "Require signing" = "2")
  - If the LDAP server is set to require signing, the LDAP client setting of all clients and the DCs themselves must be set to require signing.
- With rsop.msc or gpresult, check the DC effective settings for "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements"
  - If "Require signature" => all done
  - If "None"
    - Start analyzing LDAP clients NOW
      - Check DC event logs for Event ID 2887 (once per 24 hours); it indicates that there are unsigned requests
      - Start with temporarily enabling NTDS/Diagnostics: LDAP Interface Events:DWORD:2 on a few DCs
      - Use PowerShell to analyze the DC events 2889 (see Alan's post 12-16-2019 05:59 AM as template)
    - Create a new GPO "DC Pref LDAP Signing None" with Preference/Registry "ldapserverintegrity" set to "0"
    - Link the new GPO to the OU "Domain Controllers" (or the OU where the DC computer objects reside) with Link Order "1"
    - Do "gpupdate /force" two times on a DC and check that the new GPO is applied
    - Check that all DCs have "ldapserverintegrity" set to "0"
    - ==> prepared for the March 2020 update, Negotiate enabled
    - If ready to enable LDAP signing
      - Check that the original DDCP (or your own DDCP) has "LDAP server signing requirements" set to "Require signing"
      - Check that the original DDCP (or your own DDCP) has "Network security: LDAP client signing requirements" set to "Require signing"
      - Configure GPOs for Domain members to "Require signing" (Network security: LDAP client signing requirements)
      - Check that all clients work with LDAP signing (Event 2887)
      - Disable the link for GPO "DC Pref LDAP Signing None"
      - Do a "gpupdate /force" on a DC and check that the LDAP server signing has changed to "Require signing"
      - Check that all DCs have "ldapserverintegrity" set to "2"
      - Check for problems; roll back by linking the GPO "DC Pref LDAP Signing None" with Link Order "1"
      - After a couple of weeks, if all works fine, delete the GPO "DC LDAP Signing None"
- After the March 2020 update
  - Check to update the Central Store; LDAP CBT settings may become available for configuring in GPMC
  - Decide whether LDAP CBT compatibility is secure enough; otherwise use LDAP Interface Events to analyze DS events 3039, 3040 and take further action

Don't forget AD LDS: LDAP server signing has to be configured for every instance (https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008). By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<INSTANCENAME>\Parameters

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA @Alan La Pietra updated my post from 01-08-20. Thanks for support.

I hope I have described everything correctly and others can use it as a template to deal with this topic. Good luck in March.
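As an added example (not code from the thread, from Alan's post or from Microsoft), the following PowerShell script applies the value interpretation summarised in the post above to every DC, flags the DCs whose behaviour flips from Negotiate to Require Signing after the update, and summarises Event 2889 by client so each unsigned source can be traced to an application. Assumed: the ActiveDirectory module, WinRM access to the DCs, the AD DS registry path under Services\NTDS\Parameters (the thread names only the key and the AD LDS <INSTANCENAME> path), and LDAP Interface Events already set to 2 on the DCs where per-client 2889 detail is wanted.

```powershell
# Added example: inventory LDAPServerIntegrity on all DCs, predict the effect of the
# March 2020 reinterpretation, and list the clients that still bind unsigned.
# Assumes the ActiveDirectory module and WinRM access to the DCs. The AD DS registry
# path below is assumed; the thread names only the key and the AD LDS variant.
Import-Module ActiveDirectory

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapServerSigningMode {
    # Maps the raw REG_DWORD ($null = value not defined) to the effective server
    # behaviour before and after the update, as summarised in the post:
    #   before: not defined / 0 / 1 = Negotiate, 2 = Require Signing
    #   after : 0 = Negotiate, not defined / 1 / 2 = Require Signing
    param($Value)
    $before = if ($Value -eq 2) { 'Require Signing' } else { 'Negotiate' }
    $after  = if ($Value -eq 0) { 'Negotiate' } else { 'Require Signing' }
    [pscustomobject]@{ Before = $before; After = $after; Flips = ($before -ne $after) }
}

function Get-DcLdapSigningState {
    # Runs remotely on one DC: reads the value and checks whether Event 2887
    # (written at most once per 24 h when unsigned binds were seen) is present.
    param([string] $DcHostName, [string] $RegPath)
    Invoke-Command -ComputerName $DcHostName -ArgumentList $RegPath -ScriptBlock {
        param($path)
        $item = Get-ItemProperty -Path $path -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { [int] $item.LDAPServerIntegrity } else { $null }
        $ev   = Get-WinEvent -FilterHashtable @{
                    LogName = 'Directory Service'; Id = 2887; StartTime = (Get-Date).AddDays(-1)
                } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Value = $raw; Unsigned24h = [bool] $ev }
    }
}

function Get-UnsignedLdapClients {
    # Summarises Event 2889 (one per unsigned bind; needs LDAP Interface Events = 2)
    # by client address and identity. Property order 0 = "IP:port", 1 = identity,
    # 2 = binding type follows the 2889 message layout; confirm it against one
    # event on your own DC before relying on it. Assumes IPv4 "address:port".
    param([string] $DcHostName, [int] $Hours = 24)
    Get-WinEvent -ComputerName $DcHostName -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          [pscustomobject]@{
              Client   = ([string] $_.Properties[0].Value -split ':')[0]   # drop the source port
              Identity = [string] $_.Properties[1].Value
              BindType = [string] $_.Properties[2].Value                   # raw value from the event
          }
      } |
      Group-Object Client, Identity |
      Sort-Object Count -Descending |
      ForEach-Object {
          [pscustomobject]@{ Binds = $_.Count; Client = $_.Group[0].Client; Identity = $_.Group[0].Identity }
      }
}

# One row per DC: current value, behaviour before/after the update, unsigned binds seen.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $state = Get-DcLdapSigningState -DcHostName $dc.HostName -RegPath $NtdsParams
    $mode  = Get-LdapServerSigningMode -Value $state.Value
    $shown = if ($null -eq $state.Value) { 'not defined' } else { $state.Value }
    [pscustomobject]@{
        DC                  = $dc.HostName
        LDAPServerIntegrity = $shown
        BeforeUpdate        = $mode.Before
        AfterUpdate         = $mode.After
        FlipsOnUpdate       = $mode.Flips
        Unsigned24h         = $state.Unsigned24h
    }
}
$report | Format-Table -AutoSize

# DCs that need attention before patching: behaviour flips AND unsigned binds were seen.
foreach ($row in ($report | Where-Object { $_.FlipsOnUpdate -and $_.Unsigned24h })) {
    "`n== $($row.DC): unsigned LDAP clients, last 24 h =="
    Get-UnsignedLdapClients -DcHostName $row.DC | Format-Table -AutoSize
}
```

A DC that reports "not defined" or 1 with FlipsOnUpdate = True is exactly the case the post warns about: Negotiate today, Require Signing after the update, with no GPO change involved.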
Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@RossUA You would definitely want to know which DCs receive normal 389 LDAP authentication requests from third-party applications before you decide which DC to include/exclude. This wouldn't be difficult via the event logs, but you would want to quadruple check everything. The benefit is that you'd have a "patched" DC to which to direct third party apps once you enable signed LDAP for testing.

I feel like this is a good answer to client-to-DC LDAP authentication requests, and it's Microsoft's intention to keep this traffic secure, but every time I think about this patch/change I feel it's going to be an unmitigated disaster for companies, schools and organizations which don't have the expertise or haven't read the advisory. I have a good working knowledge of several small-to-large companies who have countless third party applications and homegrown apps that utilize vanilla LDAP authentication which would break overnight after this March patch.

I step pretty lightly where DCs are concerned. It would be nice to have comprehensive explanations and documentation as to these settings before Microsoft simply releases it to the wild. In 2 months we're going to be installing these patches to maintain compliance, and for a lot of people that's only 1-2 maintenance windows of availability in which to implement change.

I've had an advisory ticket open with Directory Services support and for 2-3 days I've only gotten the response, "We have very little information on this internally, I'm researching this for you." This seems like the sort of thing you'd be training and prepared for well in advance.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn very good words! It is very confusing changing the interpretation of a registry key with an update, which will result in a wrong description in the Group Policy explanation.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@JMHahn We have several hundreds of domains, with some customers having hundreds of third-party applications, many of which are using LDAP. I did monitoring for one of the customers and got the following list of applications:

Airwatch
Jira
Webproxy
App for 2-factor authentication
VPN
Identity synchronization software
Software used by Sales
Calendar synchronization
Java application, which is using a custom AD plugin
Linux servers, integrated with AD

And of course, there was some traffic that wasn't immediately possible to connect with an application, for which further analysis is necessary.

So I agree, this is going to be a disaster. I really hope Microsoft has a really strong reason for doing such a change, which they will reveal later.

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

Don't know why, but the post from 01-08-2020 is gone.

My summary and suggestion for this issue (check it yourself!); I hope I have described everything correctly and others can use it as a template to deal with this topic. Good luck in March.

- Ignore LDAP channel binding token (LDAP CBT) stuff: the setting in the March 2020 update will be "compatibility mode".
- With the March 2020 update, the operating system itself will change the interpretation of the "ldapserverintegrity" registry key value.
  - Without the March 2020 update, "not defined", "0" and "1" mean "Negotiate"; "2" means "Require Signing"
  - With the March 2020 update, "0" means "Negotiate"; "not defined", "1" and "2" mean "Require Signing"
  - "0" can not be set via GPO security setting "LDAP server signing requirements" ("None" = "1", "Require signing" = "2")
  - If the LDAP server is set to require signing, the LDAP client setting of all clients and the DCs themselves must be set to require signing.
- With rsop.msc or gpresult, check the DC effective settings for "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements"
  - If "Require signature" => all done
  - If "None"
    - Start analyzing LDAP clients NOW
      - Check DC event logs for Event ID 2887 (once per 24 hours); it indicates that there are unsigned requests
      - Start with temporarily enabling NTDS/Diagnostics: LDAP Interface Events:DWORD:2 on a few DCs
      - Use PowerShell to analyze the DC events 2889 (see Alan's post 12-16-2019 05:59 AM as template)
    - Create a new GPO "DC Pref LDAP Signing None" with Preference/Registry "ldapserverintegrity" set to "0"
    - Link the new GPO to the OU "Domain Controllers" (or the OU where the DC computer objects reside) with Link Order "1"
    - Do "gpupdate /force" two times on a DC and check that the new GPO is applied
    - Check that all DCs have "ldapserverintegrity" set to "0"
    - ==> prepared for the March 2020 update, Negotiate enabled
- After the March 2020 update
  - Check to update the Central Store; LDAP CBT settings may become available for configuring in GPMC
  - Decide whether LDAP CBT compatibility is secure enough; otherwise use LDAP Interface Events to analyze DS events 3039, 3040 and take further action
- If ready to enable LDAP signing
  - Check that the original DDCP (or your own DDCP) has "LDAP server signing requirements" set to "Require signing"
  - Check that the original DDCP (or your own DDCP) has "Network security: LDAP client signing requirements" set to "Require signing"
  - Configure GPOs for Domain members to "Require signing" (Network security: LDAP client signing requirements)
  - Check that all clients work with LDAP signing (Event 2887)
  - Disable the link for GPO "DC Pref LDAP Signing None"
  - Do a "gpupdate /force" on a DC and check that the LDAP server signing has changed to "Require signing"
  - Check that all DCs have "ldapserverintegrity" set to "2"
  - Check for problems; roll back by linking the GPO "DC Pref LDAP Signing None" with Link Order "1"
  - After a couple of weeks, if all works fine, delete the GPO "DC Pref LDAP Signing None"

Don't forget AD LDS: LDAP server signing has to be configured for every instance (https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008). By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<INSTANCENAME>\Parameters

Re: LDAP Channel Binding and LDAP Signing Requirements - Update now scheduled for March 2020

@Alan La Pietra

Can you please clarify what effect this update will have on LDAP CLIENT signing (LdapClientIntegrity), specifically if it's currently set to negotiate? We are successfully using the following settings without any problems:

- DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing (LdapServerIntegrity = 2)
- Servers/Clients = policy "Network security: LDAP client signing requirements" = Negotiate Signing (LdapClientIntegrity = 1)

It seems based on the information provided that the update will only change
PAN%3ELdapServerIntegrity%20and%26nbsp%3B%3C%2FSPAN%3E%3CFONT%20size%3D%223%22%3ELdapEnforceChannelBinding.%20But%20it%20is%20still%20mentioned%20to%20change%26nbsp%3B%3C%2FFONT%3E%3CSPAN%3E%3CFONT%20size%3D%223%22%3ENetwork%20security%3A%20LDAP%20client%20signing%20requirement%20to%20Require%20Signing.%20Is%20this%20actually%20necessary%20since%20client%20negotiation%20(which%20still%20provides%20LDAP%20signing)%20is%20the%20default%20anyways%20on%20modern%20Windows%20versions%3F%20Will%20we%20see%20any%20impact%20from%20this%20update%20for%20Windows%20clients%20if%20we%20keep%20LDAP%20server%20signing%20to%20required%20and%20LDAP%20client%20signing%20to%20negotiate%3F%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1118721%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1118721%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ECould%20you%20please%20share%20some%20more%20information%20on%20the%20coming%20update%2C%20so%20that%20we%20can%20prepare%20in%20a%20better%20way%3F%3C%2FP%3E%3CUL%3E%3CLI%3EWill%20this%20update%20apply%20for%202008%20Server%20family%3F%20It%20is%20now%20outside%20the%20extended%20support%20cycle%2C%20so%20are%20you%20planning%20to%20skip%20it%20or%20not%3F%3C%2FLI%3E%3CLI%3EHow%20this%20update%20will%20be%20distributed%20to%20different%20systems%3F%20E.g.%20for%20Server%202016%20and%202019%2C%20will%20it%20be%20a%20part%20of%20monthly%20cumulative%20patch%2C%20or%20it%20will%20be%20a%20separate%20update%3F%20Same%20for%202012%20and%20eventually%202008%20-%20will%20it%20be%20a%20separate%20patch%2C%20or%20part%20of%20roll-up%3F%3C%2FLI%3E%3CLI%3EHow%20big%20are%20chances%20
that%20Microsoft%20will%20reconsider%20changing%20default%20behavior%20of%20LDAP%20Server%20Signing%3F%20We%20are%20starting%20a%20huge%20project%20to%20make%20sure%20our%20customers%20don't%20get%20in%20trouble%20in%20March%2C%20but%20we%20all%20know%20that%20there%20are%20a%20lot%20of%20poorly%20maintained%20environments%2C%20which%20will%20have%20issues.%20For%20many%20people%2C%20it's%20hard%20to%20believe%20that%20MS%20will%20really%20enforce%20signing%2C%20as%20this%20could%20have%20huge%20impact%20on%20so%20many%20systems.%20And%20yes%2C%20of%20course%2C%20signing%20had%20to%20be%20enabled%20long%20time%20ago%2C%20but%20in%20many%20cases%2C%20there%20are%20valid%20reasons%20why%20it%20hasn't%20been%20done%20yet.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1118778%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1118778%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20exactly%20is%20LDAP%20channel%20binding.%20I've%20yet%20to%20see%20an%20actual%20technical%20description%20of%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1119412%22%20slang%3D%22en-US%22%3ERe%3A%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1119412%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F526059%22%20target%3D%22_blank%22%3E%40jpenning%3C%2FA%3E%26nbsp%3Bgood%20question%2C%20first%20it%20relates%20to%20TLS.%3C%2FP%3E%0A%3CP%3ETo%20make%20it%20simple%2C%20an%20example%20could%20be%20the%20following%3A%3C%2FP%3E%0A%3CP%3EClient-A%20connects%20to%20Server-A%20via%20TLS%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22.%20Without%20CBT%20there%20is
%20a%20chance%20of%20man-in-the-middle%20grabbing%20this%20session%20and%20using%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%20to%20Server-A%20successfully.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20CBT%20information%20sent%20in%20the%20request%2C%20Client-A%20connects%20to%20Server-A%20via%20TLS%20%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%2C%20man-in-the-middle%20grabs%20the%20session%20and%20makes%20connection%20to%20Server-B%20but%20this%20time%20it%20will%20be%20a%26nbsp%3B%22TLS%20%3CSTRONG%3E2%3C%2FSTRONG%3E%20connection%22%20which%20will%20fail%20as%20Server-A%20expects%26nbsp%3B%22TLS%20%3CSTRONG%3E1%3C%2FSTRONG%3E%20connection%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40%20PFE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-921536%22%20slang%3D%22en-US%22%3ELDAP%20Channel%20Binding%20and%20LDAP%20Signing%26nbsp%3BRequirements%20-%20Update%20now%20scheduled%20for%20March%202020%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921536%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EHi%20All%2C%20Alan%20here%20again%2C%20this%20time%20trying%20to%20give%20some%20details%20on%20these%20two%20settings%20that%20will%20become%20active%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Efrom%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BMarch%202020%20and%20they%20are%20creating%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Esome%20misunderstandings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELet%E2%80%99s%20start%20saying%20that%20since%20Windows%20Server%202008%20we%20have%20events%202886%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D
%22auto%22%3E%2C2887%2C2888%20and%202889%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blogged%20every%2024%20hours%20on%20the%20Directory%20Services%20log%20that%20tells%20us%20we%20are%20using%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethese%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eunsecure%20protocols%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22text-align%3A%20center%3B%22%3E%3CEM%3EThis%20information%20is%20preliminary%20and%20is%20subject%20to%20revision.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EThis%20article%20is%20a%20living%20document%2C%20written%20%3C%2FEM%3E%3CEM%3Eover%20time%20and%20is%20subject%20to%20change.%20When%20guidance%20presented%20in%26nbsp%3B%3C%2FEM%3E%3CEM%3Ethis%20article%20is%20in%20direct%20conflict%20with%20official%20documentation%2C%26nbsp%3B%3C%2FEM%3E%3CEM%3Eone%20must%20defer%20to%20official%20documentation.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%3CSTRONG%3EAUDITING%20LDAP%20Signing%3C%2FSTRONG%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2886%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-l
eft%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ET%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eelling%20us%20that%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eour%20DCs%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eare%20not%20r%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eequir%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eing%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BLDAP%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsigning%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941829(v%3Dws.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941829(v%3Dws.10)%3Fredirectedfrom%3DMSDN%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B13423
3117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2887%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B(already%20on%20by%20default%20and%20logged%20every%2024%20hours)%3C%2FSPAN%3E%3C%2FI%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ET%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eelling%20us%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehow%20many%20such%20bind%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Boccurred%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941856(v%3Dws.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.micr
osoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fdd941856(v%3Dws.10)%3Fredirectedfrom%3DMSDN%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20suggested%20path%20to%20resolve%20this%20error%20is%20do%20modify%20the%20registry%20of%20the%20DC%20to%20allow%20it%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elog%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthose%20failures.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERegistry%20to%20add%3A%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReg%20Add%20HKLM%5CSYSTEM%5C%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECurrentControlSet%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%5CServices%5CNTDS%5CDiagnostics%20%2Fv%20%2216%20LDAP%20Interface%20Events%22%20%2Ft%20REG_DWORD%20%2Fd%202%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%
22auto%22%3E%E2%80%AF%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6%E2%80%A6..%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%20the%20registry%20key%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2216%20LDAP%20Interface%20Events%22%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20configured%20we%20will%20have%20event%202889%20telling%20us%20who%20is%20using%20this%20type%20of%20unsecure%20protocol%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2889%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20the%20Event%20ID%20you%20want%20to%20check%20in%20order%20to%20understand%20which%20IP%20Address%20and%20Accounts%20are%20making%20these%20requests.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%
22%3EOnce%20you%20open%20Event%202889%20in%20Details%20you%20will%20have%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%3E%3CSTRONG%3EClient%20IP%20address%3C%2FSTRONG%3E%3A%20%E2%80%9CValue%E2%80%9D%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%3CSTRONG%3EIdentity%20the%20client%20attempted%20to%20authenticate%20as%3C%2FSTRONG%3E%3A%20%E2%80%9CValue%E2%80%9D%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E2888%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20the%20directory%20server%20is%20configured%20to%20reject%20unsigned%20SASL%20LDAP%20binds%20or%20LDAP%20simple%20binds%20over%20a%20non-SSL%2FTLS%20connection%2C%20the%20directory%20server%20will%20log%20a%20summary%20event%202888%20one%20time%20every%2024%20hours%20when%20such%20bind%20attempts%20occur.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAUDITING%20LDAP%20Channel%20Binding%20%3A%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELogging%20of%20LDAP%20Binds%20Not%20Using%20CBT%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3A%20these%20events%20will%20only%20be%20logged%20once%20the%20update%20is%20installed%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ESame%20registry%20key%20as%20for%20LDAP%20Signing%2C%20so%26nbsp%3B%3CI%3E%2216%20LDAP%20Interface%20Events%20%3D%202%3C%2FI%3E%3CI%
3E%E2%80%AF%22%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CI%3EEventID%203039%20Informational%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%3CI%3EEventID%203040%20Informational%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSTRONG%3ECHANGES%20%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CU%3E%3CSTRONG%3EVery%20important%20NOTE%3A%3C%2FSTRONG%3E%3C%2FU%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20need%20to%20have%20this%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECVE-2017-8563%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Einstalled%20on%20your%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eclients%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eas%20a%20prerequisite%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbefore%20enabling%20LDAP%20Channel%20Binding%20and%20LDAP%20Integrity%20on%20DCs%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559738%26quot%3B%3A60%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A324%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559738%26quot%3B%3A60%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A324%7D%22%3EADV190023%20%7C%20Microsoft%20Guidance%20for%20Enabling%20LDAP%20Channel%20Binding%20and%20LDAP%20Signing%3A%26
nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190023%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECVE-2017-8563%20%7C%20Windows%20Elevation%20of%20Privilege%20Vulnerability%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E(REQUIRED)%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559738%26quot%3B%3A60%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A324%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EAn%20elevation%20of%20privilege%20vulnerability%20exists%20in%20Microsoft%20Windows%20when%20a%20man-in-the-middle%20attacker%20is%20able%20to%20successfully%20forward%20an%20authentication%20request%20to%20a%20Windows%20LDAP%20server%2C%20such%20as%20a%20system%20running%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20or%20Active%20Directory%20Lightweight%20Directory%20Services%20(AD%20LDS)%2C%20which%20has%20been%20configured%20to%20require%20sign
ing%20or%20sealing%20on%20incoming%20connections.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20update%20addresses%20this%20vulnerability%20by%20incorporating%20support%20for%20Extended%20Protection%20for%20Authentication%20security%20feature%2C%20which%20allows%20the%20LDAP%20server%20to%20detect%20and%20block%20such%20forwarded%20authentication%20requests%20once%20enabled.%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A270%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMain%20thing%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Epoint%20out%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewhich%20values%20will%20these%20settings%20have%20once%20the%20March%202020%20update%20rolls%20out%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHere%20they%20are%3A%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Channel%20
Binding%20%3D%201%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B(after%20update)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAD%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSystem%5CCurrentControlSet%5CServices%5CNTDS%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EADLDS%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B-%20HKEY_LOCAL_MACHINE%5CSYSTEM%5C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ECurrentControlSet%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CServices%5C%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CLDS%20instance%3D%22%22%20name%3D%22%22%3E%3C%2FLDS%3E%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%5CParameters%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CU%3E%3CSTRONG%3Evalue%3A%3C%2FSTRONG%3E%E2%80%AF%3CSTRONG%3E1%3C%2FSTRONG%3E%3C%2FU%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFindicates%E2%80%AF%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenabled%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20when%20supported
.%20All%20clients%20that%20are%20running%20on%20a%20version%20of%20Windows%20that%20has%20been%20updated%20to%20support%20channel%20binding%20tokens%20(CBT)%20must%20provide%20channel%20binding%20information%20to%20the%20server.%20Clients%20that%20are%20running%20a%20version%20of%20Windows%20that%20has%20not%20been%20updated%20to%20support%20CBT%20do%20not%20have%20to%20do%20so.%20This%20is%20an%20intermediate%20option%20that%20allows%20for%20application%20compatibility.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20aria-setsize%3D%22-1%22%20data-aria-level%3D%222%22%20data-aria-posinset%3D%221%22%20data-listid%3D%2220%22%20data-font%3D%22Courier%20New%22%20data-leveltext%3D%22o%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELDAP%20Server%20Integrity%20(signing)%20%3D%20enabled%20by%20default%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233117%26quot%3B%3Atrue%2C%26quot%3B134233118%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A360%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B(after%20update)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22padding-left%3A%2060px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F935834%2Fhow-to-enable-ldap-signing-in-windows-server-2008%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer
Microsoft

Hi All, Alan here again, this time trying to give some details on these two settings, which will become active from March 2020 and are creating some misunderstandings.

Let's start by saying that since Windows Server 2008, events 2886, 2887, 2888 and 2889 have been logged every 24 hours in the Directory Services log to tell us that these insecure protocols are still in use.

 

This information is preliminary and is subject to revision.
This article is a living document, written over time and is subject to change. When guidance presented in this article is in direct conflict with official documentation, one must defer to official documentation.

 

 

AUDITING LDAP Signing

 

2886

Logged when our DCs are not configured to require LDAP signing.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

  

2887 (logged by default, once every 24 hours)

A summary telling us how many unsigned SASL binds and clear-text simple binds occurred in that period.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd... 

The suggested path to resolve this is to modify the registry of the DC so that it logs each of those binds individually.

Registry to add: 

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 

Once the registry value "16 LDAP Interface Events" is set to 2, the DC logs event 2889 for every such bind, telling us who is using these insecure bind types.

 

2889

This is the Event ID you want to check in order to understand which IP addresses and accounts are making these unsigned or clear-text binds.

Open an event 2889 on the Details tab and you will see:

Client IP address: "Value"
Identity the client attempted to authenticate as: "Value"

 

2888

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, it logs summary event 2888 once every 24 hours when such (rejected) bind attempts occur.

 

 

AUDITING LDAP Channel Binding:

 

Logging of LDAP binds not using CBT

NOTE: these events are only logged once the update is installed.

Same registry value as for LDAP signing, so "16 LDAP Interface Events" = 2

EventID 3039 (Informational): logged for each client that performed an LDAP bind over SSL/TLS and failed channel binding token validation; like 2889 it names the client IP address and the identity the client tried to authenticate as, and it needs "16 LDAP Interface Events" = 2.

EventID 3040 (Informational): a summary, logged once every 24 hours, of how many LDAPS binds were performed without channel binding protection.
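As an added example (not part of the original post), the following PowerShell does the audit described in the two sections above end to end: it sets "16 LDAP Interface Events" to 2 on every DC, then collects 2889 (unsigned SASL bind or clear-text simple bind) and 3039 (LDAPS bind that failed CBT validation) and tallies them per client IP and identity. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs and an English event log, because the field labels are matched as text; the sample event text at the end is constructed and only approximates the real wording.

```powershell
# Added example (not from the original post): turn on the per-bind audit events on every
# DC, then collect 2889 and 3039 and tally them per client.
# Assumes the RSAT ActiveDirectory module, WinRM access to the DCs and an English event log.

function Enable-LdapInterfaceEvents {
    param([Parameter(Mandatory)][string[]]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
        Set-ItemProperty -Path $key -Name '16 LDAP Interface Events' -Value 2 -Type DWord
        "$env:COMPUTERNAME 16 LDAP Interface Events = " + (Get-ItemPropertyValue -Path $key -Name '16 LDAP Interface Events')
    }
}

function ConvertFrom-LdapAuditMessage {
    # Pulls the client address and the identity out of the event text; 2889 and 3039 both
    # carry the same two labelled lines. The client port is stripped for IPv4 so that
    # grouping is per host, not per connection.
    param([string]$Message, [int]$EventId, [string]$DomainController, [datetime]$Time)
    $ip = if ($Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace '^(\d{1,3}(\.\d{1,3}){3}):\d+$', '$1' } else { $null }
    $id = if ($Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{ Time = $Time; DC = $DomainController; EventId = $EventId; ClientIp = $ip; Identity = $id }
}

function Get-LdapAuditEvents {
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$Days = 1)
    # Filter on the event IDs server-side, so the result is not capped by a -MaxEvents
    # limit that is applied before the ID filter
    $filter = @{ LogName = 'Directory Service'; Id = 2889, 3039; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LdapAuditMessage -Message $_.Message -EventId $_.Id -DomainController $dc -Time $_.TimeCreated }
    }
}

# Usage against the live domain:
#   $dcs = (Get-ADDomainController -Filter *).HostName
#   Enable-LdapInterfaceEvents -DomainController $dcs
#   Get-LdapAuditEvents -DomainController $dcs -Days 7 |
#       Group-Object EventId, ClientIp, Identity | Sort-Object Count -Descending |
#       Format-Table Count, Name -AutoSize

# Offline check of the parser on constructed event text (addresses and accounts are made
# up; the wording approximates the real events)
$demo = @(
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.`r`n`r`nClient IP address:`r`n10.0.0.25:51234`r`nIdentity the client attempted to authenticate as:`r`nCONTOSO\svc-printer`r`nBinding Type:`r`n0",
    "The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.`r`n`r`nClient IP address:`r`n10.0.0.40:60001`r`nIdentity the client attempted to authenticate as:`r`nCONTOSO\jdoe"
)
$demo | ForEach-Object { ConvertFrom-LdapAuditMessage -Message $_ -EventId 0 -DomainController 'demo-dc' -Time (Get-Date) }
```

The grouped output is the inventory you need before switching the DCs to Require signing or CBT = 2: every row is a client that would start failing, so work the list down to zero (or to known, accepted exceptions) first.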

 

 

CHANGES :

 

Very important NOTE: the update for CVE-2017-8563 must be installed on your clients as a prerequisite before enabling LDAP channel binding and LDAP integrity (signing) on DCs.

 

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

 

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability (REQUIRED) 

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully forward an authentication request to a Windows LDAP server, such as a system running Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which has been configured to require signing or sealing on incoming connections. 

The update addresses this vulnerability by incorporating support for Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled. 

 

The main thing to point out is which values these settings will have once the March 2020 update rolls out.

 

Here they are:

 

  • LDAP Channel Binding = 1 (after update)

AD - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters 

ADLDS - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters 

Value 1 means enabled when supported: all clients running a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server; clients running a version of Windows that has not been updated to support CBT do not have to. This is an intermediate option that allows for application compatibility.

 

  • LDAP Server Integrity (signing) = enabled by default (after update)

https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008 

Note that this article has two sections, one for the server and one for the client, and both need to be configured:

- How to set the server LDAP signing requirement 

- How to set the client LDAP signing requirement through a domain Group Policy Object 

 

Important Notes  

- Before you enable this setting (LdapEnforceChannelBinding) on a domain controller, clients must install the security update described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

- The LdapEnforceChannelBinding registry entry must be explicitly created.

- The LDAP server responds dynamically to changes to this registry entry, so you do not have to restart the computer after you apply the registry change.


To maximize compatibility with older operating system versions (Windows Server 2008 and earlier), we recommend that you enable this setting with a value of 1.

To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

Windows Server 2008 and older systems require that Microsoft Security Advisory 973811, available as "KB 968389 Extended Protection for Authentication", be installed before installing the CVE-2017-8563 update.

If you install the CVE-2017-8563 update without KB 968389 on a domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 (LDAP_SERVER_DOWN). In addition, we strongly recommend that you also review and install the fixes documented in the Known Issues section of KB 968389.

 

 

UPDATE:

I am receiving many questions on how to disable this behavior, and it seems it is still not quite understood.

THE ONLY WAY TO DISABLE LDAP SIGNING is via the REGISTRY (LDAPServerIntegrity = 0).

If you set it via GPO, for example configuring None, the update will change it.

 

(image: clipboard_image_0.png)

 

LDAP Signing Group Policy - No Downtime

After installing the update described in ADV190023, both policy values (None and Not Defined) will enforce Require signature.

Only the registry value 0 (OFF) will not enforce Require signature.

 

NOTE (not recommended, but if you really want to keep it disabled):

A registry value of 0 means OFF; the update will not change that value and will not enforce Require signing.

DC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0

 

 

LDAP Signing Group Policy - Behavior Change Example

(image: clipboard_image_2.png)

 

If we don't want to wait for the March 2020 update:

  1. Set LdapEnforceChannelBinding = 1 on the DCs (clients must have the CVE-2017-8563 update)
  2. Enable LDAP server signing:
    • DCs = policy "Domain controller: LDAP server signing requirements" = Require signing
    • Servers/clients = policy "Network security: LDAP client signing requirements" = Require signing
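As an added example (not part of the original post), the following PowerShell shows the two DC-side registry values the steps above refer to on every domain controller, with what each value means, and sets LdapEnforceChannelBinding without waiting for the update. It assumes the RSAT ActiveDirectory module, WinRM access to each DC and rights to write HKLM there; the LDAPServerIntegrity meanings (1 = None, 2 = Require signing) follow the policy mapping, and 0 is the OFF value this post describes.

```powershell
# Added example (not from the original post): report the DC-side values with their meaning
# and set LdapEnforceChannelBinding. Assumes RSAT ActiveDirectory, WinRM to each DC and
# rights to write HKLM on the DCs.

$cbtMeaning     = @{ 0 = 'never (disabled)'; 1 = 'when supported (compatibility)'; 2 = 'always (enforced)' }
$signingMeaning = @{ 0 = 'OFF (the update will not enforce)'; 1 = 'None (signing only if the client asks)'; 2 = 'Require signing' }

function Get-DcLdapHardening {
    param([Parameter(Mandatory)][string[]]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        [pscustomobject]@{
            DC         = $env:COMPUTERNAME
            CbtRaw     = $p.LdapEnforceChannelBinding   # $null when the entry was never created
            SigningRaw = $p.LDAPServerIntegrity
        }
    } | ForEach-Object {
        [pscustomobject]@{
            DC             = $_.DC
            ChannelBinding = if ($null -eq $_.CbtRaw) { 'not set (behaves as 0, never)' } else { "$($_.CbtRaw) = $($cbtMeaning[[int]$_.CbtRaw])" }
            ServerSigning  = if ($null -eq $_.SigningRaw) { 'not set' } else { "$($_.SigningRaw) = $($signingMeaning[[int]$_.SigningRaw])" }
        }
    }
}

function Set-DcLdapChannelBinding {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $Value -ScriptBlock {
        param([int]$v)
        # The entry must be created explicitly; the LDAP server picks up the change without a reboot
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'LdapEnforceChannelBinding' -Value $v -PropertyType DWord -Force | Out-Null
        "$env:COMPUTERNAME LdapEnforceChannelBinding = $v"
    }
}

# Usage:
#   $dcs = (Get-ADDomainController -Filter *).HostName
#   Get-DcLdapHardening -DomainController $dcs | Format-Table -AutoSize
#   Set-DcLdapChannelBinding -DomainController $dcs -Value 1    # compatibility mode, as recommended above
```

LDAPServerIntegrity is deliberately read-only here: that value is written by the "Domain controller: LDAP server signing requirements" policy, so while the policy is defined a direct registry write is reverted at the next Group Policy refresh. Change it through the policy (or, for the OFF value, only after removing the policy setting).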

 

Summarizing 

Summarizing this long article, we can state the following: 

  1. The Directory Service log is our friend: Event IDs 2886, 2887, 2888 and 2889 
  2. Clients need the CVE-2017-8563 update ("Extended Protection for Authentication") as a prerequisite before we enable LDAP CBT and LDAP signing on DCs 
  3. DCs --> enable LDAP signing and LDAP CBT

 

I hope this helps you understand how these settings work and how they will be configured after the March 2020 update, which can affect your LDAP authentication if you don't make any changes. 

 

 

Regards to All 

 

Alan @ PFE 

90 Comments
Occasional Contributor
Could someone PLEASE help me understand something? If I set the server to require signing, but a client is offline and can't yet get the client gpo to set required signing - how in the world can it talk with a DC to get group policy to get the right setting? Is there some sort of special logic happening on a DC that allows a client to check/update group policy even if it isn't meeting the signing requirements???
Senior Member

What happens if the clients receive the January 2020 update before the domain controllers do? In other words, the DCs have a Registry entry of 0 or no entry at all.

Occasional Visitor
Thanks for this clarification!
As I understand, this should work for good compatibility:
Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1
- Group Policy (Domain Level): Network security: LDAP client signing requirements: Require
- Group Policy (Domain controllers): Domain controller: LDAP server signing requirements: None
About Domain controller signing:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Caution
If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.
 
After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2

Other suggestions?
Occasional Visitor

Does anyone know (for sure) if there will be the option to keep the enforcement disabled after the January patch?

If yes, then please provide a source.

Microsoft
@ajm-b  

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service

 

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

Microsoft
Microsoft

@GflBE

I would say

Before January 2020 Update:
- Install all required Updates
- All DCs: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
- All DCs: Monitor 2887 and 2889 Events
- All DCs: LDAP Channel Binding = 1 (Before Jan 2020 updates this setting is 0)
- Group Policy (Domain Level): Network security: LDAP client signing requirements: None (Before Jan 2020 updates this setting is Negotiate Signing)
- Group Policy (Domain controllers): Domain controller: LDAP server signing requirements: None

 

After January 2020 Update:
- Domain controller: LDAP server signing requirements: Require (from Update)
- All DCs: LDAP Channel Binding = 1 (from Update)
- All DCs: Monitor 2888 Events
 
If Problems:
- Domain controller: LDAP server signing requirements: None
- All DCs: Monitor 2887 and 2889 Events
 
If all should be good:
- Network security: LDAP client signing requirements: Require
- Domain controller: LDAP server signing requirements: Require
- LDAP Channel Binding = 2
Occasional Visitor

@Alan La Pietra 

Okay, I have already seen that article and the registry values to accept non-signed LDAP requests. But to me it was not definitely clear if this option will still be available after the January update.

 

Can you confirm that it will be possible after the january update?

 

Thanks in advance!

Microsoft

@harle22 changes can be reverted, only changing default values

 

Senior Member

This article and the conversation that it has started has been very helpful, so thanks for that.

 

Fortunately I have a copy of our AD in a sandboxed environment for testing. The downside is that I only have Windows Clients and no third party apps to test there.

 

A couple of different points:

 

- In the test environment, I set LDAP Signing to be enforced on the Client side across the domain and set the DC GPO so that LDAP Signing is not required. This apparently did not cause any problems. It seems to contradict this, unless I'm misunderstanding it: "Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed."

 

- This concerns me: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. " Is this correct? If so, we can forget about 3rd party apps that need to use AD authentication. They all seem to rely on simple bind over SSL for LDAP security.

Occasional Visitor

@CFS3RD 

 

SASL Authentication 

 

Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication.
While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.
While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind
that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.


Senior Member
@Alan La Pietra The KB 968389 link doesn't work. Can you get this link corrected or point us to the correct verbiage? This is causing quite a bit of confusion of us as well. -Chad
Microsoft

@ChadWst sorry for that!!

2008 x64: https://www.microsoft.com/en-us/download/details.aspx?id=15109 

Check windows update catalog here: https://www.catalog.update.microsoft.com/Home.aspx

 

Also remember that Extended Support for 2008 R2 SP1 and 2008 SP2, will end on 1/14/2020

Search product lifecycle: https://support.microsoft.com/en-us/lifecycle/search?alpha=windows%20server%202008

 

Regards

 

Alan @ PFE

Microsoft

Yes it will

 

Senior Member

@Alan La Pietra-- Question about GPO's  if LDAP Signing GPO's are currently enforcing "Negotiate Signing" for  Client/Workstations and LDAP Signing set to "None" for Domain Controllers

 

The January update would have no impact right? The update would essentially set it in the registry to "Require Signing" but once Group Policy refreshed it would revert back to what is set in GPO for example "Negotiate" for Clients and "None" for Domain Controllers.

Senior Member

For our third party applications and our OSX member computers that use LDAP over SSL (port 636), will they continue to communicate successfully with the domain controllers set to Require Signing? It sounds like they will fail. In that case we'll never be able to set it to Require Signing.

 

Related, I assume that for Channel Binding as long as we leave the setting at 1, the third party apps will be okay, since that is leaving it unenforced. Is that correct?

Occasional Contributor
@CFS3RD, as I understand it "Require Signing" only has to do with non-TLS 389, it doesn't come into play with 636 binds. We have plenty of macs here - if you wanna hit me up in about a month I can probably tell you how it went.
Senior Member

ajm-b, yes that would be great. We'll be holding off on the domain controllers until February so I'll have some time. We do have a closed off test network and we may be able to test some Macs there.

 

I don't know too much about Macs and I'm never one who joins them to the domain, but I had been under the impression that they did use port 636 by default. It wasn't until I increased the LDAP logging to "2" that I saw how many of them were using 389. I'm not sure why, but you may want to do the same.

 

That said, I just found an article that allays the confusion which prompted me to ask the question in the first place:

http://setspn.blogspot.com/2016/09/domain-controller-ldap-server-signing.html

As the article says, there is bad wording in the MS article: "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." So I know from what it says in this Blogspot post, that LDAP over SSL/TLS should continue to work.

 

Senior Member

I was able to find a Mac that I put in our isolated test network. In that environment, I set the DC GPO for "Domain Controller: require signing", the domain GPO to "Network Client: require signing". On the DC GPO I created the Registry entry for "LDAP Channel Binding = 1". I successfully tested using LDP to make sure simple binds over 389 would fail and over 636 using SSL would succeed.

 

I had no problem joining the Mac (Mavericks, a fairly old OSX version) to the domain. I don't see an option for using secure LDAP or not, so it obviously used secure LDAP or it would have failed. Just wanted to get this out there for anyone who was concerned like me.

 

I still don't understand why a bunch of Macs are using non secure LDAP, but that's our problem to correct.

Senior Member

You can use ldp.exe to quickly troubleshoot different settings. It helped me solve an issue with a Cisco appliance today.

Senior Member

@Alan La Pietra

 

Excellent article - thank you.

This may be asking something obvious but do the updates amend the value of Domain controller: LDAP server signing requirements in the Default Domain Controllers Policy?

Microsoft

@Ricoli610

Correct

Signing Required

CBT = 1

 

you need to have "required" on both Domain Controller Policy and Domain Policy (or a policy that will apply to clients/servers).

Update will default to ldap signing required on DDCP

 

Alan @ PFE

 

 

Senior Member
@Alan La Pietra -- I have a question related to the CVE-2017-8563 Would it be safe to assume that if we have been applying the Monthly Roll-up (not the Security-Only) since Oct 2016 to all of our systems, that this would include the update needed? -Chad
Microsoft

@ChadWst

I assume you are correct, but you can double check

Please review the following: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

 

Example "Windows 10 for 32-bit Systems" is contained in July 11, 2017 - KB4025338

Windows 10 for 32-bit Systems   4025338 Security Update

 

or for "Windows Server 2012 R2" - KB4025333

Windows Server 2012 R2   4025336 Monthly Rollup Elevation of Privilege Important
4022726
4025333 Security Only

 

Regards

 

Alan @ PFE

Occasional Visitor

Horrible article...

 

Does the update involve code updates?

Does the update merely set the registry keys?

Does the update update a GPO (you allude to this above but I find it hard to believe... maybe I deleted the Default Domain Controllers GPO, changed its scope... the patching team DON'T have access to modify GPOs anyway... This is stupid on so many levels it has to not be the case)

Does the registry setting set by the patch (if that's all it does) override GPO registry settings (assuming the normal 'policies' folders are used for these types of GPOs)? Which wins? What if there is a conflict?

 

Poorly explained and massive lack of fundamental information.

Senior Member
@Alan La Pietra If we set LDAP Channel Binding = 0 before the January update is deployed, will the update change the value from 0 to 1 or will customers need to come back after the update and reset it to =0 to disabling it? Please advise and thank you!
Microsoft

@ChadWst The update will change to 1 in DDCpolicy. You will have to set back to 0.

 

After installing ADV190023 both settings (even None and Not Defined) will enforce Require Signature.
Only 0 (OFF) will not enforce Require Signature.

 

By the way with CBT=1 you shouldn't have issues, that's a sort of accept all. This is an intermediate option that allows for application compatibility.

Issue could arise with LDAP Signing=Require

 

Senior Member
@Alan La Pietra -- Good catch on the future updates. I wasn't thinking that far in advance yet :) -- Speaking of updates. Do you anticipate these changes being in the Preview Updates?
Microsoft

@ChadWst sorry not aware of this yet

Senior Member

Thanks very much!

Senior Member
@Alan La Pietra -- Another follow-up to your response. Up til this point I have considered LDAP signing and LDAP CBT mutually exclusive. Is this accurate? For example, could we disable LDAP signing=REQUIRED and move forward with CBT = 1? These changes dont have to be done together right?
Microsoft

Adding some other information

 

Important to point out:

LDAP over TLS/SSL communications are already signed, as TLS would detect any modification of the payload since it can't be decrypted. The behavior for LDAP simple binds and LDAP simple binds through SSL is as follows:

  • LDAP simple binds are rejected if signing is required
  • LDAP simple binds through SSL are allowed if signing is required, as that satisfies the signing requirement 

 

Another important aspect:
Turning off changes made by January 2020 updates 
Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:​
  • LdapServerIntegrity = 0​
  • LdapEnforceChannelBinding = 0​​
The values can also be configured via Security Policies set via Group Policy (e.g. to automatically distribute the settings to all DCs):​
  • "Domain controller: LDAP server signing requirements"​
  • "Domain controller: LDAP server channel binding token requirements" (will only show up in the UI after installing the upcoming fix)​

@ChadWst 

CBT setting will be introduced by the update

You can separate the settings, having CBT=1 and Signing=0. They are two separate settings that you can configure via registry or GPO

Also if you download the latest SCT 1.0 (security compliance toolkit) https://www.microsoft.com/en-us/download/details.aspx?id=55319 you will find template "SecGuide.admx" and language file "SecGuide.adml" that you can import in your policies (Central Store or C:\Windows\PolicyDefinitions) and from which you can manage Extended Protection for LDAP.....(CBT)

(image: clipboard_image_1.png)

Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909: 

 

https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Wind... 

 

Also one of the things to be aware of is that "Require Signing" may have an impact on third-party systems if you don't configure them correctly. Some examples that I'm thinking of:

  • Printers
  • Storage Area Networks
  • Third party OSs
  • Appliances
  • other Hardware that interacts with DCs
  • etc etc

 

Regards

 

Alan @ PFE
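The bind behaviour described in the comment above can be checked directly against a DC. The following PowerShell is an added example, not code from the original post or its comments: it uses the .NET System.DirectoryServices.Protocols client to attempt a clear-text simple bind on 389, a simple bind over LDAPS on 636, and SASL Negotiate binds with and without signing, and reports which ones the DC accepts. The server name and account are placeholders, and the LDAPS case assumes the client trusts the DC's certificate.

```powershell
# Added example (not from the original post or its comments): exercise the bind types
# discussed above against one DC and report which ones the server accepts.
# Assumes Windows PowerShell 5.1 (System.DirectoryServices.Protocols ships with .NET
# Framework) and, for the LDAPS case, a DC certificate the client trusts.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)]
        [ValidateSet('SimpleClear', 'SimpleLdaps', 'NegotiateUnsigned', 'NegotiateSigned')]
        [string]$Mode
    )
    $port = if ($Mode -eq 'SimpleLdaps') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'SimpleClear' {
            # Simple bind in clear text on 389: rejected with result 8 (strongerAuthRequired)
            # when the DC requires signing
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'SimpleLdaps' {
            # Simple bind inside TLS: allowed even when signing is required
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.SessionOptions.SecureSocketLayer = $true
        }
        'NegotiateUnsigned' {
            # SASL bind without asking for integrity. Whether it really goes out unsigned
            # depends on the client policy "Network security: LDAP client signing
            # requirements": with Negotiate or Require the client library adds signing anyway.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $false
            $conn.SessionOptions.Sealing = $false
        }
        'NegotiateSigned' {
            # SASL bind that negotiates signing: what an updated Windows client does by default
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
        }
    }
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = 'accepted' }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        $e = $_.Exception
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = "rejected: code $($e.ErrorCode) $($e.ServerErrorMessage)" }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders):
#   $cred = Get-Credential 'CONTOSO\svc-test'
#   'SimpleClear', 'SimpleLdaps', 'NegotiateUnsigned', 'NegotiateSigned' |
#       ForEach-Object { Test-LdapBind -Server 'dc01.contoso.local' -Credential $cred -Mode $_ }
```

With "Require signing" on the DC you should see SimpleClear rejected with code 8 while SimpleLdaps and NegotiateSigned are accepted. Run the SimpleClear case from a machine whose client signing policy is set to None if you want to reproduce an unsigned SASL bind as well; otherwise the client requests signing on its own and the NegotiateUnsigned case is accepted too.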

 

Senior Member

@Alan La Pietra @ChadWst 

Thank you for all the additional information and links.

Just flagging up that I've tried changing the Domain controller: LDAP server signing requirements setting in the DDCP from None to Required and this changed the ldapserverintegrity registry entry from 1 to 2 (below HKLM\System\CurrentControlSet\Services\NTDS\Parameters). Reverting the policy setting to None changed it back to 1.

Regular Visitor

@Ricoli610

My tests confirm your remarks:

DC: LDAP server signing requirement: None (default) means ldapserverintegrity registry value 1
DC: LDAP server signing requirement: Required means ldapserverintegrity registry value 2

(and not 0 and 1 as expected, which is confusing)

 

This would mean that the previous remark from @Alan La Pietra should be:

 

Turning off changes made by January 2020 updates 
Separate registry key settings exist for LDAP Signing and Channel Binding. Setting registry values to zero reverts the OS back to the previous defaults:​
  • LdapServerIntegrity = 1 (which means ldap server signing requirement none)
  • LdapEnforceChannelBinding = 0​​ (which means binding disabled)

Thank you @Alan La Pietra for confirming this.

Microsoft

@romuel Great!!

New Contributor

For those with Macs, it looks like they do not support CBT (Channel Binding Tokens) so it won't be possible to set LdapEnforceChannelBinding to 2, but it does work with it set to 1 (Compatibility Mode).   I'm guessing most people will have to stay in that mode anyway, due to an assortment of 3rd party things.   This was tested using the latest macOS (10.15) as well.

Established Member

If there is a requirement to secure the binding with a certificate, either internal CA or third party CA, and the domain ends in .local, is it possible to obtain a certificate from a third party CA for a upn suffix that is available externally and use this instead to bind securely? Deploying an internal CA for many customers who have .local domains to allow successful ldap binds seems like an overkill. Thoughts?

 

Just a thought - I think based on the many comments and corrections, this article should be updated with clear instructions on the changes being made, how to enable such settings now, how to disable such settings when live etc. A lot of companies won't be ready for the January deadline, so a guide to ensuring smooth transition would be great.

Visitor

Hi @Alan La Pietra,

 

One question here, according to the 2 documents here:

Can I just follow one doc to make my communications between LDAP clients and Active Directory domain controllers more secure? Or must I configure both to get these advantages? What's the difference between them, please?

 

Thanks

-Justin 

Microsoft

@Justin_Shi Hi Justin, you can go with only one but to cover all security concerns related to this issue we recommend to change both. Also because the update will update both.

Channel Binding Token info (was FAQ): https://internal.support.services.microsoft.com/en-us/help/2022970

Channel Binding for TLS (ietf) : https://tools.ietf.org/html/draft-altman-tls-channel-bindings-07#page-6

 

CVE-2017-8563 introduces a registry setting that administrators can use to help make LDAP authentication over SSL/TLS more secure.

  • Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.
  • The LdapEnforceChannelBindings registry entry must be explicitly created.
  • LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change

 

Regards

 

Alan @ PFE

Microsoft

Also, just as an example: once you have enabled auditing by modifying the registry value "16 LDAP Interface Events", you can use the following PowerShell to search every DC for Event ID 2889 and list IP and account.

 

This is only an example (only the last 50 events will be listed; if you need more, change the value in -MaxEvents).

$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs)
{
    Write-Host $DC.HostName
    # -MaxEvents 50 takes the last 50 Directory Service events of any ID and only then filters for 2889
    Get-WinEvent -ComputerName $DC.HostName -LogName "Directory Service" -MaxEvents 50 |
        Where-Object { $_.Id -eq 2889 } |
        ForEach-Object { Write-Output "$($_.TimeCreated): $($_.Properties[0].Value) => $($_.Properties[1].Value)" }
}

Senior Member

Thanks, the script is helpful.

 

I was confused as to why I saw no events listed on 4 of 5 DCs until I realized that (of course) the last 50 events are listed *before* filtering for Event ID 2889. If you have lots of other Directory Services events, the last 50 may not include any for Event ID 2889. Keep that in mind when running the script.

Senior Member
@Alan La Pietra Do you know if the LDAP Signing registry keys are dynamic like the CBT keys?? Is a reboot required for those to take effect? HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters LDAPServerIntegrity HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters ldapclientintegrity
Senior Member

@Alan La Pietra,

 

Please make it clearer in the article, that the table that explains behavior change is actually about "Domain controller: LDAP server signing requirements" GPO. It was not evident at all, until I read all other comments. Possibly, because GPO doesn't contain "OFF" setting.

 

Is it correct, that after this update, if we want to have at least 1 application not using LDAP Signing, we have to remove this GPO setting completely, and create a registry key with value "0", completely turning off LDAP Signing in whole domain, for all clients? If not, how do we enable one application to not require LDAP signing (given it doesn't support LDAPS)?

 

Below is the description of the policy today. Why does it say that LDAP Simple Bind is not affected?

Domain controller: LDAP server signing requirements

 

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple

Senior Member
@Alan La Pietra If LDAPServerIntegrity = 0 on the Domain Controller side does the client side ldapclientintegrity need to be "0" as well or would "1" Negotiate still work? Thanks for the updated info and charts related to the "None" and "Not Defined" behavior. This helps for the customers that are working on plans to disabled. It might help to add some verbiage around the client side.
Microsoft

@ChadWst

LDAPServerIntegrity = 0 on the Domain Controller side , this will remain 0 when you install update (releasing in March 2020)

Client Side leave = 1 meaning "negotiate"

 

So to disable this LDAP Signing you have to set Domain Controller Policy to 0 (zero = OFF). This won't be touched by the March 2020 update or future updates. I want to point out that this is NOT recommended, obviously, as you are leaving your environment not secure.

LDAP CBT is not a concern with March 2020 update. Leaving = 1 means "negotiate".

When possible, consider configuring CBT = 2 in order to ensure higher security for TLS as well

 

Alan @ PFE

Senior Member

@ChadWst 

According to the help for Client Signing Requirements, Negotiate is the default.

 

That said, I have a GPO set for a few clients with Client Signing set to "2" (Require Signing) and I have no issues, even though the DCs are still set to None.

Senior Member
@Alan La Pietra -- Most definitely, the plan is to get these features enabled however we haven't had another lead time to get the logging enabled and run down the 1000's of LDAP client apps we have. Its definitely on our radar. A couple of followups 1 -- Are you hinting that the updates might be pushed to March (would look at the official Advisory for this soon)? 2 -- For LDAP Clients... The 2020 updates will NOT change the "Negotiate" to "Required"? or is it irrelevant if the DC/LDAP server side is set to "0"
Senior Member
@CFS3RD -- That's what we have been testing, but it looks like the behavior of "1" or "None" changes with the updates. Check out Alan's updates in the main part of the thread.
Senior Member

Hello @Alan La Pietra 

 

The policy "Domain controller: LDAP server signing requirements" contains only the settings "None" and "Require Signing". So if we need to set the policy to OFF, one of the ways would be to set this setting in Group Policy to "Not Defined" and then specify the registry key in GP Preferences, with value 0?

 

What is the effect when LDAPServerIntegrity=0, if Client is configured to Require Signing? Will they not be able to communicate, or will Domain Controller accept signed traffic, even if signing is OFF?

 

Current description of this policy says that "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL." It would be nice if the description is corrected to match the information you provided.

 

Has my previous comment been deleted for the red text highlighting the wrong description on the GPO? Wow!