Jun 24 2019 05:31 AM
"If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts."
Given this, how in the world can you safely implement this? It seems to me that unless everything is processed right at the same time, you're guaranteed to have some clients that cannot communicate to even get Group Policy anymore?
Jul 04 2019 07:23 AM
Set your clients to 'negotiate signing', check the server event logs, and when you don't see any reports of unsigned connections you are safe to enable server required signing.
Log - Applications and Services Logs\Directory Service
Source - ActiveDirectory_DomainService
Let me know if you need more help.
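The audit step described in this reply, as an added example that is not part of the original post: run on a domain controller, it raises the "16 LDAP Interface Events" diagnostics level so event 2889 is written per unsigned bind, pulls the 2887 daily summary and the 2889 per-client events out of the Directory Service log, and produces a worklist of client addresses and accounts still binding without signing. Registry paths and event IDs are the documented ones for LDAP signing; the regular expressions assume the English message text of those events and the hypothetical function names are mine.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell on a DC.
# Assumptions: English event message text for 2887/2889 (regexes below), default log name.

$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagName = '16 LDAP Interface Events'
# The GPO "Domain controller: LDAP server signing requirements = Require signing"
# writes this value; 0 = None, 2 = Require signing.
$ServerIntegrityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapInterfaceEvents {
    # Level 2: one event 2889 per unsigned SASL bind / clear-text simple bind, with client
    # IP and identity. Level 0 (default) only gives the 24-hour summary, event 2887.
    Set-ItemProperty -Path $DiagKey -Name $DiagName -Value 2 -Type DWord
}

function Disable-LdapInterfaceEvents {
    Set-ItemProperty -Path $DiagKey -Name $DiagName -Value 0 -Type DWord
}

function Get-UnsignedLdapSummary {
    # Event 2887: daily counters. Both numbers must reach zero before 'Require' is safe.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2887; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $simple = if ($_.Message -match 'simple binds performed without SSL/TLS:\s*(\d+)') { [int]$Matches[1] } else { $null }
        $sasl   = if ($_.Message -match 'binds performed without signing:\s*(\d+)')        { [int]$Matches[1] } else { $null }
        [pscustomobject]@{ Time = $_.TimeCreated; SimpleBindsNoTls = $simple; SaslBindsUnsigned = $sasl }
    }
}

function Get-UnsignedLdapClients {
    # Event 2889: one per offending bind. Grouped by client address and identity so the
    # output is a worklist of machines/applications to fix. Binding Type 0 = SASL bind
    # without signing, 1 = simple bind over clear text.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $ip = if ($_.Message -match 'Client IP address:\s*(\S+)')                     { $Matches[1] }        else { '?' }
        $id = if ($_.Message -match 'attempted to authenticate as:\s*([^\r\n]+)')     { $Matches[1].Trim() } else { '?' }
        $bt = if ($_.Message -match 'Binding Type:\s*(\d)')                           { $Matches[1] }        else { '?' }
        [pscustomobject]@{ Client = $ip; Identity = $id; BindingType = $bt }
    } | Group-Object Client, Identity, BindingType | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Client';      e = { $_.Group[0].Client } },
            @{ n = 'Identity';    e = { $_.Group[0].Identity } },
            @{ n = 'BindingType'; e = { $_.Group[0].BindingType } }
}

function Test-ReadyForRequireSigning {
    # Ready only when the observation window contains no 2889 events at all.
    param([int]$Days = 7)
    $offenders = @(Get-UnsignedLdapClients -Days $Days)
    $current   = (Get-ItemProperty -Path $ServerIntegrityKey -ErrorAction SilentlyContinue).LDAPServerIntegrity
    [pscustomobject]@{
        Ready               = ($offenders.Count -eq 0)
        CurrentServerSetting = $current      # 0/absent = None, 2 = Require signing
        Offenders           = $offenders
        NextStep            = 'GPO: Domain controller: LDAP server signing requirements = Require signing'
    }
}

# Usage: Enable-LdapInterfaceEvents; let a full business cycle pass; then
# Get-UnsignedLdapSummary -Days 14; (Test-ReadyForRequireSigning -Days 14).Offenders
```

Leave the diagnostics level at 2 for as long as your slowest-returning clients take to check in; a machine that was offline for the whole window is exactly the case the question asks about, and the only evidence you get for it is a 2889 event once it comes back.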
Jul 07 2019 09:33 AM
@Steve Norton "If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts."
If clients are set to negotiate, and the server is set to require, clients will be rejected.
Jul 09 2019 10:35 AM
I hope this helps someone. Here are some initial results from a test environment.
[2012 R2 DC, forest/domain level at 2008 R2, Windows 10 1903, rolling with defaults for Group Policy except the 2 noted below]
So to summarize: it does seem confirmed that unreachable/offline clients (set to negotiate) are able to come back later, after the DC has already processed REQUIRED SIGNING, and get the new settings, even though I'm not sure technically how that actually works. If someone can shed light on that I'd appreciate it... I'd assume the client coming back and trying to reach the DC for Group Policy would be like:
...Now it certainly didn't work this way in my testing, but I have no idea why. Do you?
Jul 19 2019 06:43 AM
Solution
Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
So if the client is set to negotiate a connection is possible.
The problem that can be faced is if the client is set to 'required' and the server is set to 'none' then the client will report a bind failure to the calling code as it will not connect to a correctly hardened server.
Require signing. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed.
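The client/server combinations discussed in this answer can be observed directly rather than inferred from the policy text. The following is an added example, not code from the original thread: it reads the local LDAP client signing policy and then attempts three binds against a DC (a clear-text simple bind, a Negotiate bind that does not ask for signing, and a Negotiate bind that does), reporting which the server accepts. The server name, the test credential and the function name are assumptions; the .NET types used are the standard System.DirectoryServices.Protocols API shipped with Windows.

```powershell
# Added example, not code from the original thread.
# Assumptions: $Dc is a reachable DC (hypothetical name), the caller has a domain token,
# and $Cred is a low-privilege test account used only for the simple-bind probe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapClientSigningPolicy {
    # Client-side policy "Network security: LDAP client signing requirements".
    # 0 = None, 1 = Negotiate signing (default), 2 = Require signing.
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
            -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    switch ($v) { 0 { 'None' } 2 { 'Require' } default { 'Negotiate' } }
}

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][ValidateSet('Simple', 'NegotiateUnsigned', 'NegotiateSigned')][string]$Mode,
        [pscredential]$Credential   # used only for Mode = Simple
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'Simple' {
            # Simple bind sends the password in clear text over port 389; a DC set to
            # Require signing refuses it (no TLS, nothing to sign with).
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential.GetNetworkCredential()
        }
        'NegotiateUnsigned' {
            # SASL (Negotiate) bind where the application does not request signing.
            # Note: the machine's own LDAPClientIntegrity policy may still negotiate
            # signing on the application's behalf; this flag only adds, never removes.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $false
            $conn.SessionOptions.Sealing = $false
        }
        'NegotiateSigned' {
            # Signing requested by the caller: accepted by a server at None, Negotiate or Require.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
        }
    }
    try {
        $conn.Bind()
        [pscustomobject]@{ Mode = $Mode; Result = 'OK'; Error = $null }
    } catch {
        # LdapException.ErrorCode carries the LDAP result code; 8 = strongerAuthRequired
        # is what a DC that requires signing returns for an unsigned bind.
        $code = if ($_.Exception.PSObject.Properties['ErrorCode']) { $_.Exception.ErrorCode } else { $null }
        [pscustomobject]@{ Mode = $Mode; Result = 'FAIL'; Error = "$code $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
}

# Usage (names are placeholders):
# $Dc   = 'dc01.corp.example'
# $Cred = Get-Credential   # throwaway test account for the simple-bind probe
# "Client policy on this host: $(Get-LdapClientSigningPolicy)"
# 'Simple', 'NegotiateUnsigned', 'NegotiateSigned' | ForEach-Object { Test-LdapBind -Server $Dc -Mode $_ -Credential $Cred } | Format-Table
```

Run it from a client before and after the DC is switched to Require signing: the signed Negotiate bind should succeed in both states, while the simple bind and the unsigned Negotiate bind are the ones that start failing with result code 8. Running the same probe from a client whose own policy is set to Require, against a DC that does not require signing, reproduces the bind failure the answer above describes from the client side.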