Overview#
LDAP Signing is a concept within Microsoft Windows applied during the LDAP Bind Request to provide Integrity validation; it is covered by ADV190023 and controlled by the LDAPServerIntegrity setting.
LDAP Signing using SASL#
This appears to be Microsoft Windows specific: all communications between client and Server are Digitally Signed, providing Integrity validation. For LDAP Clients this is done as follows:
- The signing key is derived from the authenticating Digital Identity's Password-hash
- The client calculates the Session Key
- The server receives the Session Key from the Domain Controller in the Netlogon service response
Kerberos#
For implementations using SPNEGO or GSSAPI, the client performs the Encryption of the payload using a Kerberos Session Key before sending it over the wire to Microsoft Active Directory.
LDAPS and StartTLS LDAP Signing#
Integrity validation is part of the Transport Layer Security (TLS) protocol and is considered acceptable by Microsoft Active Directory as LDAP Signing.
Failed LDAP Bind Request#
Windows Domain Controllers will return an error response when LDAP Signing is required but not used by the client on a NON-Transport Layer Security (TLS) connection, similar to:
LDAP error code 8 - server log [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]
Most Clients should show an LDAP Result Code of 8, indicating LDAP_STRONG_AUTH_REQUIRED.
LDAP Signing Domain Controller Windows registry#
The setting is stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters in the value LDAPServerIntegrity (LDAPClientIntegrity for Clients):
- 0 - No signing/sealing
- 1 - Negotiate signing/sealing
- 2 - Require signing/sealing (which is the advice of ADV190023)
Configure Microsoft Active Directory and AD LDS diagnostic event logging#
LDAP Windows Security Log must be at level 2 or higher to reveal these events.
There are several Windows Security Log Events that help indicate the status of implementation for LDAP Signing.
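As an added example (not from the original page), the following PowerShell audits a Domain Controller for the LDAPServerIntegrity value described above, the diagnostic logging level, and the presence of Event ID 2886 in the Directory Service log. It assumes an elevated session on the DC itself; the registry value name '16 LDAP Interface Events' under NTDS\Diagnostics is the standard NTDS diagnostics setting and is not stated on this page.

```powershell
# Added example (not from the original page): audit one Domain Controller's LDAP signing posture.
# Assumptions: run locally on the DC in an elevated PowerShell session with rights to read
# HKLM and the 'Directory Service' event log.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. LDAPServerIntegrity: 0 = no signing/sealing, 1 = negotiate, 2 = require (the ADV190023 advice).
#    A missing value means the default of 1 (negotiate).
$integrity = (Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $integrity) { $integrity = 1 }
$meaning = @{ 0 = 'No signing/sealing'; 1 = 'Negotiate signing/sealing'; 2 = 'Require signing/sealing' }
Write-Output ("LDAPServerIntegrity = {0} ({1})" -f $integrity, $meaning[[int]$integrity])
if ([int]$integrity -lt 2) {
    Write-Warning 'Signing is not required: unsigned SASL binds on non-TLS connections are still accepted.'
}

# 2. Diagnostic logging: '16 LDAP Interface Events' (assumed standard NTDS diagnostics value)
#    must be 2 or higher for the signing-related events to be written.
$diag = (Get-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if ($null -eq $diag) { $diag = 0 }
Write-Output "16 LDAP Interface Events = $diag"
if ([int]$diag -lt 2) {
    Write-Warning 'LDAP Interface Events logging is below 2; clients performing unsigned binds will not be logged.'
}

# 3. Event ID 2886 (Directory Service log) is written when the DC does not require signing.
#    Its presence confirms the weak setting is in effect, independent of what the registry says.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886 } -MaxEvents 3 -ErrorAction SilentlyContinue
if ($events) {
    Write-Output ("Event 2886 seen {0} time(s), most recently {1}" -f $events.Count, $events[0].TimeCreated)
} else {
    Write-Output 'No Event 2886 found in the Directory Service log.'
}
```

Run it on each Domain Controller before and after raising LDAPServerIntegrity to 2, so that clients still failing with result code 8 can be matched against the logged events.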
More Information#
There might be more information for this subject on one of the following:
- [#1] - Event ID 2886 — LDAP signing (based on information obtained 2020-01-18)
- [#2] - LDAP signing (based on information obtained 2020-01-18)
- [#3] - Identifying Clear Text LDAP binds to your DC's (based on information obtained 2020-01-18)
- [#4] - Query-InsecureLDAPBinds.ps1 (based on information obtained 2020-01-18)
- [#5] - LDAP Signing Events Custom View.xml (based on information obtained 2020-01-18)
- [#6] - The current Client Signing setting is maintained in the registry (of course) in the key (based on information obtained 2020-01-22)
- [#7] - How to enable LDAP signing in Windows Server (based on information obtained 2020-01-22)