LDAP Signing

Overview#

LDAP Signing is a concept within Microsoft Windows, applied during the LDAP Bind Request, for providing Integrity validation; it is part of ADV190023 and LDAPServerIntegrity.

LDAP Signing using SASL#

This appears to be Microsoft Windows specific: all communications between the client and Server are Digitally Signed, providing Integrity validation. For LDAP Clients this is done using: A Man-In-The-Middle attacker with Replay attack capabilities has no way of retrieving the session Key and therefore will not be able to produce Digitally Signed messages.

Kerberos#

For implementations using SPNEGO or GSSAPI, the client performs the Encryption of the payload using a Kerberos Session Key before sending it over the wire to Microsoft Active Directory.

LDAPS and StartTLS LDAP Signing#

Integrity validation is part of the Transport Layer Security (TLS) protocol and is considered acceptable by Microsoft Active Directory as LDAP Signing.

Failed LDAP Bind Request#

Windows Domain Controllers will return an event when LDAP Signing is required and not used by the client on a non-Transport Layer Security (TLS) connection, similar to:
LDAP error code 8 - server log [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]

Most Clients should show an LDAP Result Code of 8, indicating LDAP_STRONG_AUTH_REQUIRED.
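An added example, not from this page or from Microsoft: a small Python parser for the diagnostic string shown above, run over constructed client log lines to pick out binds that were rejected because signing is required, which is the inventory a defender wants before raising LDAPServerIntegrity to 2. The regex, the sample lines and the function names are assumptions; only the error format and the codes 8 / 00002028 come from the page and the Windows error table.

```python
import re
from typing import Optional

# Best-effort regex for the "LdapErr" diagnostic string quoted in this page (assumption:
# field layout matches that sample; other Windows versions may differ slightly).
_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

LDAP_STRONG_AUTH_REQUIRED = 8           # LDAP result code strongerAuthRequired
ERROR_DS_STRONG_AUTH_REQUIRED = 0x2028  # Windows error 8232, printed as 00002028


def parse_ldap_error(line: str) -> Optional[dict]:
    """Extract result code, Win32 error, DSID, comment, data and version, or None."""
    m = _LDAP_ERR.search(line)
    if not m:
        return None
    return {
        "result_code": int(m.group("code")),
        "win32_error": int(m.group("win32"), 16),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": int(m.group("data"), 16),
        "version": m.group("ver"),
    }


def is_signing_required_rejection(line: str) -> bool:
    """True only for the signing-required case: result code 8 with error 00002028."""
    e = parse_ldap_error(line)
    return bool(e) and e["result_code"] == LDAP_STRONG_AUTH_REQUIRED \
        and e["win32_error"] == ERROR_DS_STRONG_AUTH_REQUIRED


# Constructed sample client log: one signing rejection, one bad password, one success.
SAMPLE_LOG = [
    "2024-01-10 08:01:02 app01 bind failed: [LDAP: error code 8 - 00002028: LdapErr: "
    "DSID-0C090202, comment: The server requires binds to turn on integrity checking "
    "if SSL\\TLS are not already active on the connection, data 0, v2580 ]",
    "2024-01-10 08:01:05 app02 bind failed: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v2580 ]",
    "2024-01-10 08:01:07 app03 bind ok",
]


def find_unsigned_bind_failures(lines):
    """Return (line index, DSID) for every bind the DC refused for lack of signing."""
    return [(i, parse_ldap_error(l)["dsid"])
            for i, l in enumerate(lines) if is_signing_required_rejection(l)]
```

Feeding real application or DC logs into find_unsigned_bind_failures lists the clients that still bind unsigned over plain LDAP, so they can be moved to LDAPS/StartTLS or SASL signing before enforcement.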

LDAP Signing Domain Controller Windows registry#

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters under the value LDAPServerIntegrity (LDAPClientIntegrity for Clients):
  • 0 - No signing/sealing
  • 1 - Negotiate signing/sealing
  • 2 - Require signing/sealing (which is the advice of ADV190023)

Configure Microsoft Active Directory and AD LDS diagnostic event logging#

The LDAP Windows Security Log must be at level 2 or higher to reveal these events:

There are several Windows Security Log Events that help indicate the status of the LDAP Signing implementation:
