!!! Overview
[{$pagename}] is a [Microsoft Windows] mechanism, negotiated during the [LDAP] [Bind Request], that provides [Integrity] validation of the LDAP messages exchanged after the bind. It is the subject of [ADV190023] and is controlled on the [Domain Controller] by the [LDAPServerIntegrity] registry value.

!! [{$pagename}] using [SASL]
This appears to be [Microsoft Windows] specific: all [communications] between [client] and [Server] are [Digitally Signed], providing [Integrity] validation.

For [LDAP] [Clients] authenticating with [NTLM] this works as follows:
* The [signing key] is derived from the [authenticating|authentication] [Digital Identity]'s [Password-hash]
* The [client] calculates the [session Key]
* The [server], when it is not itself the [Domain Controller], receives the [Session Key] from the [Domain Controller] in the [Netlogon service] [response]

A [Man-In-The-Middle] [attacker], even one with [Replay attack] capabilities, has no way of retrieving the [session Key] and therefore cannot produce correctly [Digitally Signed] [messages] of its own.

!! [Kerberos]
For [implementations] using [SPNEGO] or [GSSAPI], the [client] performs the [Encryption] of the payload using a [Kerberos] [Session Key] before sending it over the wire to [Microsoft Active Directory].

!! [LDAPS] and [StartTLS]
[Integrity] validation is built into the [Transport Layer Security] ([TLS]) protocol, so [Microsoft Active Directory] treats a connection protected by [LDAPS] or [StartTLS] as satisfying [{$pagename}]. Binds on such a connection, including simple binds, are accepted even when [LDAPServerIntegrity] is set to require signing.

!! Failed LDAP [Bind Request]
Windows [Domain Controllers] reject the bind when [{$pagename}] is required and the client does not use it on a NON-[Transport Layer Security] ([TLS]) connection. The client then sees an error similar to:
{{{
LDAP error code 8 - server log [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]
}}}
Most clients should show a [LDAP Result Codes] value of 8, strongerAuthRequired, which the Windows LDAP client names [LDAP_STRONG_AUTH_REQUIRED]; the 00002028 in the diagnostic message is the Windows error ERROR_DS_STRONG_AUTH_REQUIRED (0x2028).
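The following PowerShell script is an added example for this page; it is not code from Microsoft, from [ADV190023] or from any of the linked references. It shows how to verify and exercise [{$pagename}] against a [Domain Controller]: it reads [LDAPServerIntegrity] and the client-side LDAPClientIntegrity value, writes the value [ADV190023] recommends together with the diagnostic logging level that makes [Event 2889] appear, performs the deliberately weak bind that produces the error above (a simple bind on port 389 without [TLS]) beside the signed and sealed [SASL] bind that must succeed on the same server, and summarises [Event 2889] per client. The Domain Controller name and the low-privilege test account are placeholders; the registry path of LDAPClientIntegrity (HKLM\SYSTEM\CurrentControlSet\Services\LDAP) and the order of the three data fields in Event 2889 (client address:port, identity, binding type) are assumptions of this example. The weak bind sends the test account's password in cleartext on purpose, so use a throwaway account on a lab network.

```powershell
# Added example, not code from the page, Microsoft or ADV190023. Windows PowerShell 5.1 on a
# domain-joined host; Set-LdapSigningRequired and Get-InsecureLdapBinds must run on the DC as
# an administrator. Placeholders: the DC name and the test account. Assumptions: the
# client-side registry path below and the field order of Event 2889.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # LDAPServerIntegrity
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'  # '16 LDAP Interface Events'
$LdapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'              # LDAPClientIntegrity (assumed path)

function Get-LdapIntegritySetting {
    # Reads one of the integrity values; an absent value means the default, 1 (Negotiate).
    param([string]$Path, [string]$Name)
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) { $value = 1 }
    $meaning = switch ([int]$value) {
        0       { 'No signing/sealing (weak)' }
        1       { 'Negotiate signing/sealing (default; unsigned binds are still accepted)' }
        2       { 'Require signing/sealing (ADV190023)' }
        default { 'unknown' }
    }
    [pscustomobject]@{ Name = $Name; Value = [int]$value; Meaning = $meaning }
}

function Set-LdapSigningRequired {
    # The corrected configuration: require signing, and log every unsigned or cleartext bind (Event 2889).
    Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Test-LdapBind {
    # Without -Signed: a deliberately weak simple (cleartext) bind on port 389, no TLS, no signing.
    # A DC that requires signing must refuse it with result code 8 (LDAP_STRONG_AUTH_REQUIRED)
    # and a diagnostic message containing 00002028.
    # With -Signed: the same credentials over SASL (Negotiate) with signing and sealing.
    param([string]$Server, [pscredential]$Credential, [switch]$Signed)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $false
    if ($Signed) {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # cleartext password
    }
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        $required = if ($Signed) { $null } else { $false }   # weak bind accepted: signing NOT enforced
        [pscustomobject]@{ Server = $Server; Signed = [bool]$Signed; Result = 'bind accepted'; SigningRequired = $required }
    } catch {
        $ex = $_.Exception                                    # PowerShell wraps .NET method exceptions
        if ($ex.InnerException) { $ex = $ex.InnerException }  # LdapException: ErrorCode, ServerErrorMessage
        $code = $ex.ErrorCode
        $msg  = $ex.ServerErrorMessage
        [pscustomobject]@{
            Server          = $Server
            Signed          = [bool]$Signed
            Result          = "LDAP result $code : $msg"
            SigningRequired = ($code -eq 8) -or ("$msg" -match '00002028')
        }
    } finally {
        $conn.Dispose()
    }
}

function Get-InsecureLdapBinds {
    # Summarises Directory Service Event 2889 for the last $Hours hours. Assumed field order:
    # [0] client address:port, [1] identity, [2] binding type (0 = unsigned SASL, 1 = simple bind on cleartext).
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    $rows = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $client = [string]$_.Properties[0].Value
            $sep    = $client.LastIndexOf(':')
            $ip, $port = $client, ''
            if ($sep -ge 0) { $ip = $client.Substring(0, $sep); $port = $client.Substring($sep + 1) }
            $type = if ([string]$_.Properties[2].Value -eq '1') { 'Simple (cleartext)' } else { 'Unsigned SASL' }
            [pscustomobject]@{ ClientIP = $ip; Port = $port; Identity = [string]$_.Properties[1].Value; BindType = $type }
        }
    $rows | Group-Object ClientIP, Identity, BindType | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ Count = $_.Count; ClientIP = $_.Group[0].ClientIP; Identity = $_.Group[0].Identity; BindType = $_.Group[0].BindType }
    }
}

# Usage (placeholders: replace the DC name; supply a throwaway low-privilege test account in UPN form):
$DomainController = 'dc01.example.test'
$TestCredential   = Get-Credential -Message 'Low-privilege LDAP test account (UPN form)'
Get-LdapIntegritySetting $NtdsParams 'LDAPServerIntegrity'
Get-LdapIntegritySetting $LdapClient 'LDAPClientIntegrity'
Test-LdapBind -Server $DomainController -Credential $TestCredential          # expect result 8 / 00002028
Test-LdapBind -Server $DomainController -Credential $TestCredential -Signed  # expect 'bind accepted'
Get-InsecureLdapBinds -Hours 24 | Format-Table -AutoSize
# Set-LdapSigningRequired   # uncomment on the DC once Get-InsecureLdapBinds shows no legitimate unsigned clients
```

Run the audit for at least a full day before enforcing: the weak bind in Test-LdapBind is exactly the kind of bind that legacy applications still perform, and the Event 2889 summary names the clients and identities that will start failing with result code 8 once [LDAPServerIntegrity] is set to 2.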
!! [{$pagename}] [Domain Controller] [Windows registry]
The [Domain Controller] setting is stored in the [Windows registry] under [HKEY_LOCAL_MACHINE]\SYSTEM\CurrentControlSet\Services\NTDS\Parameters in the value [LDAPServerIntegrity] (the client-side equivalent is LDAPClientIntegrity, see [#6]):
* 0 - No signing/sealing
* 1 - Negotiate signing/sealing (the default; a client that does not ask for signing binds unsigned)
* 2 - Require signing/sealing (which is the advice of [ADV190023])

!! Configure [Microsoft Active Directory] and [AD LDS] diagnostic event [logging]
[LDAP] [Windows Security Log|Windows Security Log Event#section-Windows+Security+Log+Event-LDAPMicrosoftActiveDirectoryAndLDSDiagnosticEventLogging] must be at level 2 or higher to reveal the per-client events. There are several [Windows Security Log Events], written to the Directory Service log, that indicate the status of the [{$pagename}] implementation ([#1], [#2], [#7]):
* [Event 2886] - logged at startup and every 24 hours while the [Domain Controller] does not require signing
* [Event 2887] - 24-hour summary of how many unsigned [SASL] binds and cleartext simple binds the [Domain Controller] accepted
* [Event 2888] - 24-hour summary of binds the [Domain Controller] rejected because signing is required
* [Event 2889] - one event per unsigned or cleartext bind, giving the client address and the identity used; requires logging level 2 ([#3], [#4], [#5])

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Event ID 2886 — LDAP signing|https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941856(v=ws.10)?redirectedfrom=MSDN|target='_blank'] - based on information obtained 2020-01-18
* [#2] - [LDAP signing|https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941832(v=ws.10)?redirectedfrom=MSDN|target='_blank'] - based on information obtained 2020-01-18
* [#3] - [Identifying Clear Text LDAP binds to your DC's|https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs|target='_blank'] - based on information obtained 2020-01-18
* [#4] - [Query-InsecureLDAPBinds.ps1|https://github.com/russelltomkins/Active-Directory/blob/master/Query-InsecureLDAPBinds.ps1|target='_blank'] - based on information obtained 2020-01-18
* [#5] - [LDAP Signing Events Custom View.xml|https://github.com/russelltomkins/Active-Directory/blob/master/LDAP%20Signing%20Events%20Custom%20View.xml|target='_blank'] - based on information obtained 2020-01-18
* [#6] - [The current Client Signing setting is maintained in the registry (of course) in the key|https://blog.joeware.net/2018/07/07/5842/|target='_blank'] - based on information obtained 2020-01-22
* [#7] - [How to enable LDAP signing in Windows Server|https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008|target='_blank'] - based on information obtained 2020-01-22