LDAP Signing


LDAP Signing is a concept within Microsoft Windows, applied during the LDAP Bind Request, for providing Integrity validation; it is part of ADV190023 and is controlled by LDAPServerIntegrity.

LDAP Signing using SASL#

This appears to be Microsoft Windows specific: all communications between client and Server will be Digitally Signed, providing Integrity validation. For LDAP Clients this is done using:

A Man-In-The-Middle attacker with Replay attack capabilities has no way of retrieving the session Key and therefore will not be able to provide Digitally Signed messages.


For implementations using SPNEGO or GSSAPI, the client performs the Encryption of the payload using a Kerberos Session Key before sending it over the wire to Microsoft Active Directory.

LDAPS and StartTLS LDAP Signing#

Integrity validation is part of the Transport Layer Security (TLS) protocol and is considered acceptable by Microsoft Active Directory as LDAP Signing.

Failed LDAP Bind Request#

Windows Domain Controllers will return an error when LDAP Signing is required and the client does not use it on a non-Transport Layer Security (TLS) connection, similar to:
LDAP error code 8 - server log [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]

Most clients should show an LDAP Result Code of 8, indicating LDAP_STRONG_AUTH_REQUIRED.
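The bind failure described above can be checked from the client side. The following PowerShell function is an added example, not code from the page: it opens a plain (non-TLS) connection on port 389 and attempts a simple bind, which a Domain Controller that requires signing must refuse with result code 8. Assumed: $Server is a Domain Controller you administer, port 389 is reachable, and $Credential is a valid (low-privilege) domain account; the function name and parameters are invented for this example.

```powershell
# Added example: probe whether a Domain Controller rejects an unsigned, non-TLS simple bind.
# Assumptions: $Server is a DC you administer, port 389 is reachable, and the credential
# is a valid domain account (a low-privilege test account is sufficient).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSigningEnforced {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 389
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.SessionOptions.SecureSocketLayer = $false   # plain 389, no LDAPS, no StartTLS
    # Simple (Basic) bind: nothing on this connection carries integrity protection,
    # which is exactly the case LDAPServerIntegrity = 2 must refuse.
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $connection.Credential = $Credential.GetNetworkCredential()
    try {
        $connection.Bind()
        [pscustomobject]@{
            Server          = $Server
            SigningEnforced = $false
            ResultCode      = 0
            Detail          = 'Unsigned simple bind accepted: signing is not required on this DC'
        }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 = strongAuthRequired, the 00002028 "integrity checking" refusal
        $code = $_.Exception.ErrorCode
        [pscustomobject]@{
            Server          = $Server
            SigningEnforced = ($code -eq 8)
            ResultCode      = $code
            Detail          = $_.Exception.Message
        }
    }
    finally {
        $connection.Dispose()
    }
}

# Usage: Test-LdapSigningEnforced -Server dc01.example.test -Credential (Get-Credential)
```

A DC that requires signing answers with code 8 before it evaluates the password, so a wrong password on such a DC still reports SigningEnforced = $true; on a DC that does not require signing a wrong password shows up as code 49 instead, and the function reports SigningEnforced = $false in that case as well.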

LDAP Signing Domain Controller Windows registry#

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters under the value LDAPServerIntegrity (LDAPClientIntegrity for Clients) accepts:
  • 0 - No signing/sealing
  • 1 - Negotiate signing/sealing
  • 2 - Require signing/sealing (the setting ADV190023 advises)
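To audit the setting above across Domain Controllers and clients, the following PowerShell is an added example (not from the page): it reads the integrity value, maps it to the three meanings listed, and only writes the ADV190023-advised value 2 when explicitly asked. Assumptions not taken from the page: the client-side value LDAPClientIntegrity is read from HKLM\SYSTEM\CurrentControlSet\Services\LDAP (the key the client signing policy uses), an absent value is treated as 1 (Negotiate), and the function names are invented here.

```powershell
# Added example: report and optionally enforce LDAP signing via the registry.
# Assumptions: run elevated on the machine being inspected. Server value lives under
# NTDS\Parameters (from the page); client value path under Services\LDAP and the
# "absent means Negotiate" default are assumptions from general knowledge, not the page.
$LdapIntegrityKeys = @{
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
}
$LdapIntegrityMeaning = @{
    0 = 'No signing/sealing'
    1 = 'Negotiate signing/sealing'
    2 = 'Require signing/sealing (ADV190023 advice)'
}

function Get-LdapIntegritySetting {
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server')
    $key   = $LdapIntegrityKeys[$Role]
    $name  = "LDAP${Role}Integrity"
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $value  = 1                           # assumed default when the value is absent
        $source = 'default (value not set)'
    } else {
        $source = 'registry'
    }
    [pscustomobject]@{
        Role      = $Role
        Key       = "$key\$name"
        Value     = [int]$value
        Meaning   = $LdapIntegrityMeaning[[int]$value]
        Source    = $source
        Compliant = ([int]$value -eq 2)       # only "Require" meets the ADV190023 advice
    }
}

function Set-LdapIntegrityRequired {
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server', [switch]$Apply)
    $key  = $LdapIntegrityKeys[$Role]
    $name = "LDAP${Role}Integrity"
    if (-not $Apply) {
        return "Would set $key\$name = 2 (Require signing/sealing); re-run with -Apply to write it"
    }
    Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord
    Get-LdapIntegritySetting -Role $Role
}

# Usage: Get-LdapIntegritySetting -Role Server ; Get-LdapIntegritySetting -Role Client
#        Set-LdapIntegrityRequired -Role Server -Apply
```

Move to 2 only after the event logging described in the next section has shown which clients still bind without signing, since those clients fail with result code 8 the moment the value changes.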

Configure Microsoft Active Directory and AD LDS diagnostic event logging#

LDAP Windows Security Log must be at level 2 or higher to reveal these events:

There are several Windows Security Log Events to help indicate the status of implementation for LDAP Signing:
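As an added example of wiring the diagnostic level to the events it produces (not code from the page), the PowerShell below raises the LDAP interface diagnostic level on a Domain Controller and then collects the resulting Directory Service log entries. The following details come from general knowledge rather than from this page and should be treated as assumptions: the level is stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics as "16 LDAP Interface Events"; event 2887 is the periodic count of unsigned or clear-text binds, and event 2889 names each such client once the level is 2 or higher. Function names are invented here.

```powershell
# Added example: enable LDAP Interface Events logging on a DC and list unsigned-bind events.
# Assumptions (general knowledge, not from the page): diagnostic level value name
# "16 LDAP Interface Events" under NTDS\Diagnostics; event IDs 2887 (summary count)
# and 2889 (per-client detail, logged at level 2 or higher) in the Directory Service log.
$LdapDiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LdapDiagName = '16 LDAP Interface Events'

function Enable-LdapInterfaceEventLogging {
    param([ValidateRange(0, 5)][int]$Level = 2)   # 2 is enough for per-client 2889 events
    Set-ItemProperty -Path $LdapDiagKey -Name $LdapDiagName -Value $Level -Type DWord
    [pscustomobject]@{
        Key   = "$LdapDiagKey\$LdapDiagName"
        Level = (Get-ItemProperty -Path $LdapDiagKey -Name $LdapDiagName).$LdapDiagName
    }
}

function Get-UnsignedLdapBindEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Kind    = if ($_.Id -eq 2887) { 'summary' } else { 'per-client' }
                Message = $_.Message
            }
        }
}

# Usage: Enable-LdapInterfaceEventLogging -Level 2
#        Get-UnsignedLdapBindEvents -Hours 24 | Format-List
```

Run the collection for at least a full day before moving LDAPServerIntegrity to 2, and return the diagnostic level to 0 afterwards, since level 2 logs one event per unsigned bind and can fill the Directory Service log quickly on a busy Domain Controller.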
