To help make LDAP authentication over SSL/TLS more secure by requiring channel binding tokens (CBT), administrators can configure the following registry settings:
Path for Active Directory Domain Services (AD DS) domain controllers: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Path for Active Directory Lightweight Directory Services (AD LDS) servers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
DWORD: LdapEnforceChannelBinding
DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.
Notes
Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.
The LdapEnforceChannelBinding registry entry does not exist by default and must be explicitly created.
The LDAP server responds dynamically to changes to this registry entry. Therefore, you do not have to restart the computer after you apply the registry change.
To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1.
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).
Windows Server 2008 and older systems require that Microsoft Security Advisory 973811, available in “KB5021989 Extended Protection for Authentication”, be installed before installing the CVE-2017-8563 update. If you install the CVE-2017-8563 update without KB5021989 on a domain controller or AD LDS instance, all LDAPS connections will fail with LDAP error 81 - LDAP_SERVER_DOWN.
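The registry change above, scripted for a staged rollout. This is an added example, not part of the Microsoft KB text: it creates or updates the LdapEnforceChannelBinding DWORD under the AD DS (NTDS) or AD LDS Parameters key, refuses any value outside 0..2, and reads the value back with its meaning so the current state can be audited across servers. The parameter name LdsInstanceName and the assumption that you pass the instance's service name exactly as it appears under HKLM\SYSTEM\CurrentControlSet\Services are mine; run it elevated on the server itself.

```powershell
# Added example (not from the KB): manage LdapEnforceChannelBinding for AD DS or an AD LDS instance.
# Assumption: -LdsInstanceName is the service name under HKLM\SYSTEM\CurrentControlSet\Services.

function Get-LdapChannelBindingEnforcement {
    param([string]$LdsInstanceName)
    $service = if ($LdsInstanceName) { $LdsInstanceName } else { 'NTDS' }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Parameters"
    $value = (Get-ItemProperty -Path $key -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    if ($null -eq $value) {
        # The entry is absent by default; the server then behaves as if it were 0.
        $meaning = 'not set - behaves as 0 (disabled, no channel binding validation)'
    } else {
        $meaning = switch ($value) {
            0 { 'disabled (no channel binding validation)' }
            1 { 'enabled when supported (CBT-capable Windows clients must send a token)' }
            2 { 'enabled always (every client must send a token or the bind is rejected)' }
            default { "unexpected value $value" }
        }
    }
    [pscustomobject]@{ Target = $service; Key = $key; LdapEnforceChannelBinding = $value; Meaning = $meaning }
}

function Set-LdapChannelBindingEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = disabled, 1 = enabled when supported, 2 = enabled always (values from the KB table)
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level,
        # Omit on a domain controller (NTDS); give the instance service name for AD LDS.
        [string]$LdsInstanceName
    )
    $service = if ($LdsInstanceName) { $LdsInstanceName } else { 'NTDS' }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Parameters"
    if (-not (Test-Path $key)) {
        throw "Parameters key not found: $key (wrong instance name, or this host is not a DC / AD LDS server)"
    }
    if ($PSCmdlet.ShouldProcess($key, "Set LdapEnforceChannelBinding = $Level")) {
        # -Force creates the DWORD if it is missing and overwrites it if it exists.
        New-ItemProperty -Path $key -Name 'LdapEnforceChannelBinding' -PropertyType DWord -Value $Level -Force | Out-Null
    }
    # No restart needed: the LDAP server picks the change up dynamically.
    Get-LdapChannelBindingEnforcement -LdsInstanceName $LdsInstanceName
}

# Usage (stage at 1 first, as the KB recommends for older clients, then move to 2):
# Set-LdapChannelBindingEnforcement -Level 1 -WhatIf                     # domain controller, dry run
# Set-LdapChannelBindingEnforcement -Level 1
# Set-LdapChannelBindingEnforcement -Level 2 -LdsInstanceName 'ADAM_instance1'
```

Run the Get- function on every DC before and after the change; a value of 2 on a DC whose clients have not received the CVE-2017-8563 update will break their LDAPS binds, which is exactly the compatibility problem the note above warns about.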
Related information
For more information, see KB4520412.
____________________________________________________________________________________________________________________
How to list all the AD LDS instances on a server
By Jason Yoder, MCT February 21, 2011
AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory. To list all the AD LDS instances on a server, follow this procedure:
Log into the server in question
Open a command prompt.
Type dsdbutil and press Enter
Type List Instances and press Enter.
You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.
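The same listing, done without typing into the interactive dsdbutil prompt. This is an added example and not from the blog post: it passes the menu commands to dsdbutil.exe as arguments (the same convention ntdsutil uses; that dsdbutil accepts them this way is an assumption), then parses the "Label: value" lines into objects so the instance names and ports can be fed to other scripts. The field labels in the constructed sample output below are what I expect dsdbutil to print and are an assumption; the parser only relies on "Instance Name:" starting each record.

```powershell
# Added example (not from the blog post): list AD LDS instances non-interactively.

function ConvertFrom-DsdbutilInstanceList {
    param([string[]]$Lines)
    $instances = @()
    $current = $null
    foreach ($line in $Lines) {
        # Each property is printed as "<Label>:   <value>". The "Instance Name:" line
        # starts a new record; anything before the first one (the echoed command) is ignored.
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') {
            $label, $value = $Matches[1], $Matches[2]
            if ($label -eq 'Instance Name') {
                if ($current) { $instances += [pscustomobject]$current }
                $current = [ordered]@{}
            }
            if ($null -ne $current) { $current[$label] = $value }
        }
    }
    if ($current) { $instances += [pscustomobject]$current }
    $instances
}

function Get-AdLdsInstance {
    # Assumption: dsdbutil.exe accepts its commands as arguments, like ntdsutil.exe.
    $raw = & dsdbutil.exe 'list instances' quit 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-DsdbutilInstanceList -Lines $raw
}

# Constructed sample output (labels assumed) so the parser can be exercised offline:
$sample = @'
dsdbutil: list instances
Instance Name:           instance1
Long Name:               instance1
LDAP Port:               50000
SSL Port:                50001
Install folder:          C:\Windows\
Database file:           C:\Program Files\Microsoft ADAM\instance1\data\adamntds.dit
Database logs:           C:\Program Files\Microsoft ADAM\instance1\data
Service state:           Running
'@ -split "`r?`n"

ConvertFrom-DsdbutilInstanceList -Lines $sample | Format-List
# On a real server: Get-AdLdsInstance | Select-Object 'Instance Name', 'LDAP Port', 'SSL Port'
```

The instance name is what you need for the per-instance registry paths in the channel binding and signing sections of this page (the service key under HKLM\SYSTEM\CurrentControlSet\Services is normally ADAM_<instance name>; check the Services key rather than assuming the prefix).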
____________________________________________________________________________________________________________________
How to configure the directory to require LDAP server signing for AD DS
For information about the possible effects of changing security settings, see Client, service, and program issues can occur if you change security settings and user rights assignments.
Note
Logging anomaly of Event ID 2889
Applications that use third-party LDAP clients may cause Windows to generate incorrect Event ID 2889 entries. This occurs when you enable logging of LDAP interface events and LDAPServerIntegrity is equal to 2. The use of sealing (encryption) already satisfies the protection against a man-in-the-middle (MITM) attack, but Windows logs Event ID 2889 anyway.
This happens when LDAP clients use only sealing together with SASL. We have seen this in the field in association with third-party LDAP clients.
When a connection uses neither signing nor sealing, the connection security requirements check evaluates the flags correctly and disconnects the client. The check generates Error 8232 (ERROR_DS_STRONG_AUTH_REQUIRED).
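Before requiring signing, most administrators first turn on LDAP interface event logging and inventory the Event ID 2889 entries to find clients that still bind unsigned. The script below is an added example, not from the original article: it reads 2889 events from the Directory Service log on a domain controller (or from objects you pass in, so it can be exercised offline) and summarises them per client and bind type. The event-property layout it assumes (property 0 = client IP:port, property 1 = identity, property 2 = binding type, with 1 meaning a simple bind on a cleartext connection and 0 a SASL bind without signing) is an assumption on my part, as is the sample data.

```powershell
# Added example (not from the original article): summarise Event ID 2889 (unsigned LDAP binds).
# Assumption: 2889 properties are [0] client IP:port, [1] identity, [2] binding type (0 = SASL
# without signing, 1 = simple bind on cleartext). The log must have "16 LDAP Interface Events"
# diagnostics enabled (>= 2) on the DC, otherwise no 2889 events are written.

function Get-UnsignedLdapBindSummary {
    param(
        [int]$Hours = 24,
        # Pre-fetched events (or constructed test objects); if omitted, the local DC is queried.
        [object[]]$Events
    )
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
    }
    $Events | ForEach-Object {
        $p = $_.Properties
        $endpoint = "$($p[0].Value)"
        # Strip the trailing :port; works for IPv4 and bracketed/unbracketed IPv6.
        $ip = if ($endpoint -match '^(.*):(\d+)$') { $Matches[1] } else { $endpoint }
        [pscustomobject]@{
            ClientIp = $ip
            Identity = "$($p[1].Value)"
            BindType = if ("$($p[2].Value)" -eq '1') { 'SimpleBindCleartext' } else { 'SaslUnsigned' }
        }
    } | Group-Object ClientIp, BindType | ForEach-Object {
        [pscustomobject]@{
            ClientIp   = $_.Group[0].ClientIp
            BindType   = $_.Group[0].BindType
            Count      = $_.Count
            Identities = ($_.Group.Identity | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (not real log data) shaped like Get-WinEvent output:
function New-SampleEvent([string]$Endpoint, [string]$Identity, [int]$BindType) {
    [pscustomobject]@{ Properties = @(
        [pscustomobject]@{ Value = $Endpoint },
        [pscustomobject]@{ Value = $Identity },
        [pscustomobject]@{ Value = $BindType }) }
}
$sample = @(
    New-SampleEvent '10.0.0.5:49811' 'CONTOSO\svc-scanner' 1
    New-SampleEvent '10.0.0.5:49812' 'CONTOSO\svc-scanner' 1
    New-SampleEvent '10.0.0.9:51000' 'CONTOSO\appuser'     0
)
Get-UnsignedLdapBindSummary -Events $sample | Format-Table -AutoSize
# On a DC, for the last week: Get-UnsignedLdapBindSummary -Hours 168
```

Treat the SimpleBindCleartext rows as the real problem: those clients send the password in the clear. A SaslUnsigned row may be one of the sealing-only third-party clients the note above describes, which would not actually be broken by requiring signing; confirm with the client's owner before blocking on it.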
Using Group Policy
How to set the server LDAP signing requirement
- Select Start > Run, type mmc.exe, and then select OK.
- Select File > Add/Remove Snap-in, select Group Policy Management Editor, and then select Add.
- Select Group Policy Object > Browse.
- In the Browse for a Group Policy Object dialog box, select Default Domain Controllers Policy under the Domains, OUs, and linked Group Policy Objects area, and then select OK.
- Select Finish.
- Select OK.
- Select Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.
- Right-click Domain controller: LDAP server signing requirements, and then select Properties.
- In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, select Require signing in the Define this policy setting list, and then select OK.
- In the Confirm Setting Change dialog box, select Yes.
How to set the client LDAP signing requirement by using local computer policy
- Select Start > Run, type mmc.exe, and then select OK.
- Select File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor, and then select Add.
- Select Finish.
- Select OK.
- Select Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.
- Right-click Network security: LDAP client signing requirements, and then select Properties.
- In the Network security: LDAP client signing requirements Properties dialog box, select Require signing in the list, and then select OK.
- In the Confirm Setting Change dialog box, select Yes.
How to set the client LDAP signing requirement by using a domain Group Policy Object
- Select Start > Run, type mmc.exe, and then select OK.
- Select File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor, and then select Add.
- Select Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).
- Select OK.
- Select Finish.
- Select Close.
- Select OK.
- Select Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.
- Right-click Network security: LDAP client signing requirements, and then select Properties.
- In the Network security: LDAP client signing requirements Properties dialog box, select Require signing in the list, and then select OK.
- In the Confirm Setting Change dialog box, select Yes.
How to set the client LDAP signing requirement by using registry keys
Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
By default, for Active Directory Lightweight Directory Services (AD LDS), the registry entry is not present. Therefore, you must create an LDAPServerIntegrity
registry entry of the REG_DWORD type (set it to 2 to require signing, the LDAPServerIntegrity = 2 condition referred to in the note above) under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<InstanceName>\Parameters
Note
The placeholder <InstanceName> represents the name of the AD LDS instance that you want to change.
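The registry procedure above as a script, with the backup the Important note asks for built in. This is an added example and not from the Microsoft article: it exports the instance's Parameters key with reg.exe before touching it, then creates or updates LDAPServerIntegrity and reads it back. The mapping None = 1 / RequireSigning = 2 and the parameter and function names are mine; the instance name must be the service name as it appears under HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example (not from the article): set LDAPServerIntegrity for an AD LDS instance, with a backup.

function Set-AdLdsServerSigningRequirement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Instance service name under HKLM\SYSTEM\CurrentControlSet\Services (the <InstanceName> placeholder)
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][ValidateSet('None', 'RequireSigning')][string]$Requirement,
        [string]$BackupDirectory = $env:TEMP
    )
    # 1 = no signing requirement, 2 = require signing (assumed mapping; 2 is the value the article uses)
    $dword  = @{ None = 1; RequireSigning = 2 }[$Requirement]
    $subKey = "SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
    $key    = "HKLM:\$subKey"
    if (-not (Test-Path $key)) {
        throw "No Parameters key for instance '$InstanceName' at $key (check the service name under ...\Services)"
    }
    $backup = Join-Path $BackupDirectory ("{0}-Parameters-{1:yyyyMMdd-HHmmss}.reg" -f $InstanceName, (Get-Date))

    if ($PSCmdlet.ShouldProcess($key, "Back up to $backup, then set LDAPServerIntegrity = $dword ($Requirement)")) {
        # Back up the key first so the change can be rolled back with: reg.exe import <file>
        & reg.exe export "HKLM\$subKey" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Registry backup failed (reg.exe exit code $LASTEXITCODE); no change made"
        }
        # -Force creates the REG_DWORD if it is absent (the AD LDS default) or overwrites it.
        New-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -PropertyType DWord -Value $dword -Force | Out-Null
    }
    [pscustomobject]@{
        Instance            = $InstanceName
        LDAPServerIntegrity = (Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
        Backup              = $backup
    }
}

# Dry run first, then apply:
# Set-AdLdsServerSigningRequirement -InstanceName 'ADAM_instance1' -Requirement RequireSigning -WhatIf
# Set-AdLdsServerSigningRequirement -InstanceName 'ADAM_instance1' -Requirement RequireSigning
```

After applying it, confirm the instance now rejects unsigned simple binds on its non-SSL port using the verification steps in the next section; whether the AD LDS instance needs a service restart to pick the value up is not stated on this page, so verify rather than assume.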
How to verify configuration changes
Sign in to a computer that has the AD DS Admin Tools installed.
Select Start > Run, type ldp.exe, and then select OK.
Select Connection > Connect.
In Server and in Port, type the server name and the non-SSL/TLS port of your directory server, and then select OK.
Note
For an Active Directory Domain Controller, the applicable port is 389.
After a connection is established, select Connection > Bind.
Under Bind type, select Simple bind.
Type the user name and password, and then select OK.
If you receive the following error message, you have successfully configured your directory server:
Ldap_simple_bind_s() failed: Strong Authentication Required
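The same check as the ldp.exe steps above, scripted so it can be run against every directory server. This is an added example, not from the Microsoft article: it uses the System.DirectoryServices.Protocols classes to attempt a plain simple bind on the non-SSL/TLS port, which a signing-required server must answer with LDAP result code 8 (strongerAuthRequired, the "Strong Authentication Required" message ldp.exe shows), and then performs a signed and sealed Negotiate bind as a control so that a failure of the first bind is not mistaken for a connectivity or credential problem. The function and parameter names are mine, and the exact ErrorCode/message the library surfaces is an assumption based on the LDAP result code.

```powershell
# Added example (not from the article): verify that unsigned simple binds are rejected.
# Warning: if the server does NOT require signing, the first bind sends the password in cleartext,
# so use a throwaway test account.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSigningRequirement {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,                                   # non-SSL/TLS port; 389 on a domain controller
        [Parameter(Mandatory)][pscredential]$Credential     # throwaway test account
    )
    $identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $netCred    = $Credential.GetNetworkCredential()
    $signingRequired = $null

    # 1) Simple bind, no TLS, no SASL: what ldp.exe does in the steps above.
    $simple = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $identifier, $netCred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $simple.SessionOptions.ProtocolVersion   = 3
    $simple.SessionOptions.SecureSocketLayer = $false
    try {
        $simple.Bind()
        $signingRequired = $false
        $simpleResult = 'ACCEPTED: server still allows unsigned simple binds (password crossed the wire in cleartext)'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP result code 8 = strongerAuthRequired ("Strong Authentication Required"); anything else
        # (e.g. 49 invalid credentials) means the test itself was wrong, not that signing is enforced.
        $signingRequired = ($_.Exception.ErrorCode -eq 8)
        $simpleResult = "REJECTED (LDAP result $($_.Exception.ErrorCode)): $($_.Exception.Message) $($_.Exception.ServerErrorMessage)"
    } finally { $simple.Dispose() }

    # 2) Control: a Negotiate (Kerberos/NTLM) bind with signing and sealing must still succeed.
    $secure = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $identifier, $netCred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $secure.SessionOptions.ProtocolVersion = 3
    $secure.SessionOptions.Signing = $true
    $secure.SessionOptions.Sealing = $true
    try   { $secure.Bind(); $secureResult = 'OK' }
    catch { $secureResult = "FAILED: $($_.Exception.Message)" }
    finally { $secure.Dispose() }

    [pscustomobject]@{
        Server           = $Server
        Port             = $Port
        SigningRequired  = $signingRequired
        SimpleBind       = $simpleResult
        SignedSealedBind = $secureResult
    }
}

# Usage:
# Test-LdapSigningRequirement -Server dc01.contoso.example -Credential (Get-Credential)
# Test-LdapSigningRequirement -Server ldshost.contoso.example -Port 50000 -Credential (Get-Credential)
```

The configuration is correct only when SigningRequired is True and SignedSealedBind is OK; SigningRequired False with SignedSealedBind OK means the policy has not taken effect on that server yet (Group Policy refresh, or the registry entry was not created for that AD LDS instance).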
References
- ADV190023: Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- 2020 LDAP channel binding and LDAP signing requirement for Windows