Kevin Beaumont

Preventing LDAP apocalypse in March 2020 - LDAP signing requirements


In March this year, Microsoft plan to change LDAP (an authentication system) behaviour so you are required to make connections which are signed and basically secure. If you have systems which authenticate with Active Directory in an insecure way, they will break post-update.

More info here:



This is a big change which may have production impacts, i.e. systems may break.

How to identify systems which will break

Go to your domain controllers and look for Event ID 2887:

Product: Windows Operating System
ID: 2887
Source: Microsoft-Windows-ActiveDirectory_DomainService
Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

If you see this error, you need to take action as something will break.

You can manually enable LDAP interface event logging, and afterwards Event ID 2889 will be logged in the same location with the IP addresses of clients using insecure LDAP.

On each DC:

# Enable LDAP Interface Events logging (level 2 logs Event ID 2889 per insecure bind; set /d 0 to turn it off again)
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f

This will get you the IP address of systems using insecure LDAP. The next issue is to get them to... not do that. Over to you!


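The procedure above (enable "16 LDAP Interface Events" on every DC, then harvest the 2889 events) as one PowerShell script. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, admin rights on the DCs, and that the 2889 message carries the "Client IP address: ... Identity the client attempted to authenticate as: ... Binding Type: ..." fields the regex below looks for, so check the regex against one real event before trusting the inventory.

```powershell
# Added example: enable LDAP Interface Events logging on all DCs, then build an
# inventory of clients still performing unsigned SASL or cleartext simple binds.
# Assumptions: RSAT ActiveDirectory module, admin on the DCs, PowerShell remoting,
# and the 2889 message layout matched by the regex below.

Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# Step 1: same registry value the post sets with reg add (level 2 = log 2889s;
# level 0 turns it back off when you are done).
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# Step 2 (run again after at least a day of logging): pull 2889 events from every DC.
$since  = (Get-Date).AddHours(-24)
$events = Invoke-Command -ComputerName $dcs -ArgumentList $since -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Message
}

# Parse the message text rather than relying on property indices.
# Binding Type 0 = SASL bind without signing, 1 = simple bind over cleartext
# (assumed meanings; confirm against your own events).
$inventory = foreach ($e in $events) {
    if ($e.Message -match 'Client IP address:\s*(?<ip>\S+)\s+Identity the client attempted to authenticate as:\s*(?<id>.+?)\s+Binding Type:\s*(?<type>\d)') {
        [pscustomobject]@{
            DC       = $e.MachineName
            ClientIP = ($Matches.ip -replace ':\d+$', '')     # strip the source port
            Identity = $Matches.id.Trim()
            BindType = if ($Matches.type -eq '0') { 'SASL bind without signing' } else { 'Simple bind over cleartext' }
            LastSeen = $e.TimeCreated
        }
    }
}

# One row per client/identity/bind type, busiest first: this is the fix list.
$inventory |
    Group-Object ClientIP, Identity, BindType |
    ForEach-Object {
        $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
        [pscustomobject]@{
            ClientIP = $latest.ClientIP
            Identity = $latest.Identity
            BindType = $latest.BindType
            Count    = $_.Count
            LastSeen = $latest.LastSeen
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Leave logging on for at least a full business cycle before declaring the list complete: batch jobs and appliances that bind once a week will not show up in a 24-hour window. The Identity column is usually more useful than the IP for finding an owner, since it is typically the service account the appliance was configured with.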

Thanks for this. Raised the flag 2-3 months back when ADV190023 first came out. I was wondering how we could go about investigating which appliances/systems would break after this update goes through and the default settings get changed. Looks like I'll be working on it right away.


New information has come to light: apparently, the March 2020 update will NOT change the default settings for LDAP connections, but another monthly security update will later this year.


***NEW NOTE***

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023


Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Administrators can prevent the feature update from making those changes either by enabling LDAP signing and channel binding NOW or by configuring non-default values prior to installing updates that enable LDAP signing and channel binding by default.

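The advisory's "configure it now or configure a non-default value" option, as an added PowerShell example that is not from the advisory or from anyone in this thread. It assumes the two registry equivalents of the Group Policy settings are the NTDS\Parameters values LDAPServerIntegrity (2 = require signing) and LdapEnforceChannelBinding (2 = always require channel binding tokens), that an absent value means the pre-hardening default, and that the RSAT ActiveDirectory module and PowerShell remoting are available.

```powershell
# Added example: report which DCs are still on default LDAP signing / channel
# binding settings (and so will be flipped by the later update), and optionally
# set the enforced values now. Run without -Enforce first and compare against
# the 2889 inventory: enforcing while that list is non-empty breaks those clients.
# Assumptions: value names and meanings as in the lead-in, RSAT, admin on the DCs.
param([switch]$Enforce)

Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$report = Invoke-Command -ComputerName $dcs -ArgumentList $key, $Enforce.IsPresent -ScriptBlock {
    param($key, $enforce)

    $p       = Get-ItemProperty -Path $key
    $signing = $p.LDAPServerIntegrity        # $null = not configured = default (1: negotiate, not required)
    $cbt     = $p.LdapEnforceChannelBinding  # $null = not configured = default (0: never validate CBT)

    if ($enforce) {
        # Policy equivalents: "Domain controller: LDAP server signing requirements" = Require signing,
        # "Domain controller: LDAP server channel binding token requirements" = Always.
        Set-ItemProperty -Path $key -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
    }

    [pscustomobject]@{
        DC                        = $env:COMPUTERNAME
        LDAPServerIntegrity       = if ($null -eq $signing) { 'default (1)' } else { $signing }
        LdapEnforceChannelBinding = if ($null -eq $cbt)     { 'default (0)' } else { $cbt }
        StillOnDefaults           = ($null -eq $signing) -or ($null -eq $cbt)
        EnforcedThisRun           = $enforce
    }
}

$report | Sort-Object DC | Format-Table -AutoSize
```

If a GPO already delivers these settings, the registry values will show as configured and the script's -Enforce write will simply be overwritten at the next policy refresh, so in that case change the GPO rather than the registry. Note the advisory's wording: the future update only touches DCs on default values, so any explicit value, even the permissive one, opts you out of the automatic change. That is a way to avoid an outage, not a reason to stay unsigned.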

Perfect - thank you very much. So it is delayed now, and they're adding opt-out registry values for later.

(If anybody is confused, Microsoft have multiple pieces of conflicting info on this - e.g. this one is still online:





