SOLVED
Home

How can I safely implement required ldap signing?

%3CLINGO-SUB%20id%3D%22lingo-sub-716999%22%20slang%3D%22en-US%22%3EHow%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-716999%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-ldap-client-signing-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork...%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CI%3E%3CSTRONG%3E%22If%20you%20configure%20the%20server%20to%20require%20LDAP%20signatures%2C%20you%20must%20also%20configure%20the%20client%20computers.%20If%20you%20do%20not%20configure%20the%20client%20devices%2C%20they%20cannot%20communicate%20with%20the%20server%2C%20which%20could%20cause%20many%20features%20to%20fail%2C%20including%20user%20authentication%2C%20Group%20Policy%2C%20and%20logon%20scripts.%22%3C%2FSTRONG%3E%3C%2FI%3E%3C%2FP%3E%3CP%3EGiven%20this%20-%20how%20in%20the%20world%20can%20you%20safely%20implement%20this%3F%20It%20seems%20to%20me%20that%20unless%20everything%20processed%20right%20at%20the%20same%20time%20-%20you're%20guaranteed%20to%20have%20some%20clients%20that%20cannot%20communicate%20to%20even%20get%20group%20policy%20anymore%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738399%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738399%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F365532%22%20target%3D%22_blank%22%3E%40ajm-b%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet%20your%20clients%20to%20'negotiate%20signing'%2C%20check%20server%20event%20logs%20and%20when%20you%20don't%20see%20any%20reports%20of%20unsigned%20connections%20you%20are%20safe%20to%20enable%20server%20required%20signing.%3C%2FP%3E%3CP%3ELog%20-%20Applications%20and%20Services%20Logs%5CDirectory%20Service%3C%2FP%3E%3CP%3ESource%20-%20ActiveDirectory_DomainService%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20me%20know%20if%20you%20need%20more%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741429%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741429%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741514%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741514%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3E%22If%20you%20set%20the%20server%20to%20require%20LDAP%20signatures%2C%20you%20must%20also%20set%20the%20client%20devices%20to%20do%20so.%20Not%20setting%20the%20client%20devices%20will%20prevent%20client%20computers%20from%20communicating%20with%20the%20server.%20This%20can%20cause%20many%20features%20to%20fail%2C%20including%20user%20authentication%2C%20Group%20Policy%2C%20and%20logon%20scripts.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20clients%20are%20set%20to%20negotiate%2C%20and%20the%20server%20is%20set%20to%20require%2C%20clients%20will%20be%20rejected.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-745523%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-745523%22%20slang%3D%22en-US%22%3E%3CP%3EI%20hope%20this%20helps%20someone.%20Here's%20some%20initial%20results%20from%20test%20environment.%3C%2FP%3E%3CP%3E%5B2012%20r2%20dc%2C%20forest%2Fdomain%20level%20%40%202008%20R2%2C%20windows%2010%201903%2C%20rolling%20with%20defaults%20for%20group%20policy%20except%20these%202%20noted%20below%5D%3C%2FP%3E%3COL%3E%3CLI%3Eshutdown%20client%20(set%20to%20negotiate%20for%20both%20settings)%3C%2FLI%3E%3CLI%3Echange%20domain%20gpo%20to%20have%20%22domain%20controller%3A%20ldap%20server%20signing%20requirements%22%20and%20%22network%20security%3A%20ldap%20client%20signing%20requirements%22%20set%20to%20REQUIRE%20SIGNING%3C%2FLI%3E%3CLI%3Egpupdate%20domain%20controller%2C%20verify%20with%20mmc%20rsop%20that%20it%20has%20applied%20these%20settings%3C%2FLI%3E%3CLI%3Estartup%20client%3A%20I'm%20able%20to%20logon%20w%2Fo%20issue.%20nltest%20%2Fsc_query%3A%3CTESTENV%20domain%3D%22%22%3E%20verifies%20that%20the%20secure%20channel%20is%20established%3C%2FTESTENV%3E%3C%2FLI%3E%3CLI%3Emmc%20rsop%20verifies%20that%20the%20client%20has%20applied%20both%20settings%20set%20to%20REQUIRE%20SIGNING%3C%2FLI%3E%3CLI%3Egpupdate%20succeeds%20on%20client%3C%2FLI%3E%3CLI%3Eable%20to%20browse%20%5C%5C%3CTESTENV%20domain%3D%22%22%3E%5Csysvol%3C%2FTESTENV%3E%3C%2FLI%3E%3CLI%3Elaunch%20ADSIEdit%20on%20client%3A%20attempting%20to%20simplebind%20to%20%3CTESTENV%3E%3A389%20while%20specifying%20credentials%20fails%20with%20error%3A%20%22%3CSPAN%3EOperation%20failed.%20Error%20code%3A%200x2028%20A%20more%20secure%20authentication%20method%20is%20required%20for%20this%20server.%2000002028%3A%20LdapErr%3A%20DSID-0c090202%2C%20comment%3A%20The%20server%20requires%20binds%20to%20turn%20on%20integrity%20checking%20if%20SSL%5CTLS%20are%20not%20already%20active%20on%20the%20connection%2C%20data%200%2C%20v2580%22%3C%2FSPAN%3E%3C%2FTESTENV%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3Erepeat%20same%20scenario%20except%20unchecking%20simplebind%20in%20ADSIEdit%20results%20in%20success%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3Eas%20expected%20for%20this%20testenv%2C%20trying%20to%20bind%20636%2FTLS%2FSSL%20does%20not%20succeed%2C%20verifying%20we%20aren't%20falling%20back%20to%20SSL%2FTLS%20to%20avoid%20required%20signing%20without%20realizing%20it.%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3Esidenote%20on%20ADSIEdit%20oddity%3A%20if%20I%20didn't%20check%20%22specify%20credentials%22%2C%20I%20could%20still%20bind%20even%20if%20simple%20bind%20was%20checked...I'm%20assuming%20ADSIEdit%20was%20reaching%20over%20the%20already-established%20secure%20channel%20but%20if%20someone%20can%20confirm%20that%20behavior%20of%20ADSIEdit%20I'd%20appreciate%20it.%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%3CSTRONG%3ESo%20to%20summarize%3A%3C%2FSTRONG%3Eit%20does%20seem%20confirmed%20that%20unreachable%2Foffline%20clients%20(set%20to%20negotiate)%20are%20able%20to%20come%20back%20later%20after%20the%20DC%20has%20already%20processed%20REQUIRED%20SIGNING%20and%20get%20the%20new%20settings-%20even%20though%20I'm%20not%20sure%20technically%20how%20that%20actually%20works.%20If%20someone%20can%20shed%20light%20on%20that%20I'd%20appreciate%20it...I'd%20assume%20the%20client%20coming%20back%20and%20trying%20to%20reach%20DC%20for%20group%20policy%20would%20be%20like%3A%3C%2FP%3E%3COL%3E%3CLI%3E(client%20comes%20back%20online%20with%20its%20last%20group%20policy%20set%20to%20negotiate)%3C%2FLI%3E%3CLI%3Eclient%20tries%20to%20negotiate%20ldap%20with%20DC%20that%20is%20set%20to%20REQUIRE%20ldap%20signing.%3C%2FLI%3E%3CLI%3EDC%20rejects%20client's%20bind%20attempt%3C%2FLI%3E%3CLI%3Eclient%20cannot%20update%20group%20policy%20or%20talk%20with%20DC%20anymore%3C%2FLI%3E%3C%2FOL%3E%3CP%3E...Now%20it%20certainly%20didn't%20work%20this%20way%20in%20my%20testing%2C%20but%20I%20have%20no%20idea%20why.%20Do%20you%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754473%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754473%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F365532%22%20target%3D%22_blank%22%3E%40ajm-b%3C%2FA%3EIs%20it%20simply%20that%20the%20help%20documentation%20is%20misleading%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754956%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754956%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20uncertain%20Mr%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128508%22%20target%3D%22_blank%22%3E%40Steve%20Norton%3C%2FA%3E...and%20it's%20a%20scary%20thing%20to%20be%20uncertain%20about.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-764724%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20safely%20implement%20required%20ldap%20signing%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-764724%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F365532%22%20target%3D%22_blank%22%3E%40ajm-b%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fdomain-controller-ldap-server-signing-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fdomain-controller-ldap-server-signing-requirements%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%3E%3CSPAN%3ERequire%20signature.%20The%20LDAP%20data-signing%20option%20must%20be%20negotiated%20unless%20Transport%20Layer%20Security%2FSecure%20Sockets%20Layer%20(TLS%2FSSL)%20is%20in%20use.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CSPAN%3ESo%20if%20the%20client%20is%20set%20to%20negotiate%20a%20connection%20is%20possible.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CSPAN%3EThe%20problem%20that%20can%20be%20faced%20is%20if%20the%20client%20is%20set%20to%20'required'%20and%20the%20server%20is%20set%20to%20'none'%20then%20the%20client%20will%20report%20a%20bind%20failure%20to%20the%20calling%20code%20as%20it%20will%20not%20connect%20to%20a%20correctly%20hardened%20server.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23007600%22%20face%3D%22Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-ldap-client-signing-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-ldap-client-signing-requirements%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%3E%3CSPAN%3E%3CFONT%20color%3D%22%23b00000%22%20face%3D%22Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%22%3E%3CSTRONG%3ERequire%20signing%3C%2FSTRONG%3E.%20This%20level%20is%20the%20same%20as%20%3CSTRONG%3ENegotiate%20signing%3C%2FSTRONG%3E.%20However%2C%20if%20the%20LDAP%20server's%20intermediate%20saslBindInProgress%20response%20does%20not%20indicate%20that%20LDAP%20traffic%20signing%20is%20required%2C%20the%20caller%20is%20returned%20a%20message%20that%20the%20LDAP%20BIND%20command%20request%20failed.%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

"If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts."

Given this - how in the world can you safely implement this? It seems to me that unless everything processed right at the same time - you're guaranteed to have some clients that cannot communicate to even get group policy anymore?

7 Replies
Highlighted

@ajm-b 

Set your clients to 'negotiate signing', check server event logs and when you don't see any reports of unsigned connections you are safe to enable server required signing.

Log - Applications and Services Logs\Directory Service

Source - ActiveDirectory_DomainService

 

Let me know if you need more help.

 

Highlighted
Highlighted

@Steve Norton"If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts."

 

If clients are set to negotiate, and the server is set to require, clients will be rejected.

Highlighted

I hope this helps someone. Here's some initial results from test environment.

[2012 r2 dc, forest/domain level @ 2008 R2, windows 10 1903, rolling with defaults for group policy except these 2 noted below]

  1. shutdown client (set to negotiate for both settings)
  2. change domain gpo to have "domain controller: ldap server signing requirements" and "network security: ldap client signing requirements" set to REQUIRE SIGNING
  3. gpupdate domain controller, verify with mmc rsop that it has applied these settings
  4. startup client: I'm able to logon w/o issue. nltest /sc_query:<testenv domain> verifies that the secure channel is established
  5. mmc rsop verifies that the client has applied both settings set to REQUIRE SIGNING
  6. gpupdate succeeds on client
  7. able to browse \\<testenv domain>\sysvol
  8. launch ADSIEdit on client: attempting to simplebind to <testenv>:389 while specifying credentials fails with error: "Operation failed. Error code: 0x2028 A more secure authentication method is required for this server. 00002028: LdapErr: DSID-0c090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580"
  9. repeat same scenario except unchecking simplebind in ADSIEdit results in success
  10. as expected for this testenv, trying to bind 636/TLS/SSL does not succeed, verifying we aren't falling back to SSL/TLS to avoid required signing without realizing it.
  11. sidenote on ADSIEdit oddity: if I didn't check "specify credentials", I could still bind even if simple bind was checked...I'm assuming ADSIEdit was reaching over the already-established secure channel but if someone can confirm that behavior of ADSIEdit I'd appreciate it.

So to summarize: it does seem confirmed that unreachable/offline clients (set to negotiate) are able to come back later after the DC has already processed REQUIRED SIGNING and get the new settings- even though I'm not sure technically how that actually works. If someone can shed light on that I'd appreciate it...I'd assume the client coming back and trying to reach DC for group policy would be like:

  1. (client comes back online with its last group policy set to negotiate)
  2. client tries to negotiate ldap with DC that is set to REQUIRE ldap signing.
  3. DC rejects client's bind attempt
  4. client cannot update group policy or talk with DC anymore

...Now it certainly didn't work this way in my testing, but I have no idea why. Do you?

Highlighted

@ajm-bIs it simply that the help documentation is misleading?

Highlighted

I'm uncertain Mr @Steve Norton...and it's a scary thing to be uncertain about.

Highlighted
Solution

@ajm-b 

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-...

Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.

 

So if the client is set to negotiate a connection is possible.

 

The problem that can be faced is if the client is set to 'required' and the server is set to 'none' then the client will report a bind failure to the calling code as it will not connect to a correctly hardened server.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

Require signing. This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed.