Overview#
Event 2889 (DIRLOG_UNSIGNED_CLIENT_DETAILS) is an Windows Security Log Event within the Microsoft Windows Logging indicating the DUA (clients) which performed an insecure Bind Request without LDAPServerIntegrityEvent 2889 reports the Client's IP Address of Bind Requests without LDAPServerIntegrity of the LDAP Message
From what LDAPWiki can determine this is done regardless of weather this Domain Controller is configured to reject Bind Request without LDAPServerIntegrity
Windows Security Log Event Message#
The messages is similar to:The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: "Value" Identity the client attempted to authenticate as: "Value"
More Information#
There might be more information for this subject on one of the following:- [#1] - Event ID 2889 — LDAP signing
- based on information obtained 2020-01-18
- [#2] - LDAP signing - based on information obtained 2020-01-18
- [#3] - Identifying Clear Text LDAP binds to your DC's - based on information obtained 2020-01-18