Overview#
LDAP Signing is a Microsoft Windows mechanism, negotiated during the LDAP Bind Request, that provides Integrity validation of the LDAP traffic that follows. It is the subject of the Microsoft advisory ADV190023 and is controlled on Domain Controllers by the LDAPServerIntegrity setting.
LDAP Signing using SASL#
This appears to be Microsoft Windows specific: once signing has been negotiated, all communications between the client and the Server are Digitally Signed, providing Integrity validation of every LDAP message, not only of the bind.
For LDAP Clients this is done using:
A Man-In-The-Middle attacker with Replay attack capabilities has no way of retrieving the session Key and therefore cannot produce correctly Digitally Signed messages; a modified or replayed message fails the signature check and is discarded.
For implementations using SPNEGO or GSSAPI, the client signs each LDAP message with the Kerberos Session Key established during the bind before sending it over the wire to Microsoft Active Directory (signing is the GSSAPI integrity layer; if sealing is negotiated as well, the payload is additionally encrypted with the same session key).
Integrity validation is also part of the Transport Layer Security (TLS) protocol, so Microsoft Active Directory treats a connection on which SSL/TLS is already active (LDAPS, or StartTLS before the bind) as satisfying the LDAP Signing requirement.
Windows Domain Controllers return an error when LDAP Signing is required and the client does not use it on a non-Transport Layer Security (TLS) connection, similar to:
LDAP error code 8 - server log [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]
Most clients surface this as LDAP Result Code 8, LDAP_STRONG_AUTH_REQUIRED (strongAuthRequired). A clear-text simple bind on port 389 is rejected the same way, since it carries neither a SASL integrity layer nor TLS.
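The exchange described above, as an added PowerShell example that is not part of the original page: it uses the .NET System.DirectoryServices.Protocols LdapConnection to attempt a clear-text simple bind on port 389, a SASL Negotiate (SPNEGO/Kerberos) bind with the integrity layer requested, and a simple bind over LDAPS. Against a Domain Controller that requires signing, the first bind comes back with result code 8 and the 00002028 message quoted above, while the other two succeed. The server name and the credential prompt are placeholders. A Windows LDAP client under its default Negotiate policy may sign even when signing is not explicitly requested, so the rejected case shown here is the simple bind rather than an unsigned SASL bind.

```powershell
# Added example: exercise LDAP Signing enforcement from the client side.
# Placeholders: the server name and the credential are hypothetical; run from a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-LdapBindTest {
    <#
      Performs one bind and reports the LDAP result code instead of throwing.
      -Mode Simple    : clear-text simple bind on 389; rejected with code 8 when signing is required
      -Mode Negotiate : SASL SPNEGO/Kerberos bind with the integrity layer (LDAP signing) requested
      -Mode SimpleTls : simple bind over LDAPS (636); the TLS integrity satisfies the DC
    #>
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][ValidateSet('Simple', 'Negotiate', 'SimpleTls')][string]$Mode,
        [System.Management.Automation.PSCredential]$Credential
    )
    if ($Mode -ne 'Negotiate' -and -not $Credential) {
        throw 'A credential is required for the simple-bind modes'
    }
    $port = if ($Mode -eq 'SimpleTls') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'Simple' {
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential.GetNetworkCredential()
        }
        'Negotiate' {
            # SPNEGO selects Kerberos when a ticket is available; the current logon session is used.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true    # request the SASL integrity layer = LDAP signing
            $conn.SessionOptions.Sealing = $false   # sealing (encryption) is separate and not needed here
        }
        'SimpleTls' {
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential.GetNetworkCredential()
            $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS; the DC certificate must be trusted
        }
    }
    try {
        $conn.Bind()
        [pscustomobject]@{ Mode = $Mode; Port = $port; Code = 0; Message = 'bind succeeded' }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 = strongAuthRequired; ServerErrorMessage carries the 00002028 text from the DC.
        [pscustomobject]@{
            Mode    = $Mode
            Port    = $port
            Code    = $_.Exception.ErrorCode
            Message = $_.Exception.ServerErrorMessage
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): compare the three bind modes against one Domain Controller.
$cred = Get-Credential -Message 'Account for the simple-bind tests'
'Simple', 'Negotiate', 'SimpleTls' | ForEach-Object {
    Invoke-LdapBindTest -Server 'dc01.example.local' -Mode $_ -Credential $cred
} | Format-Table -AutoSize
```

With LDAPServerIntegrity set to 2 on the target, the Simple row shows Code 8; the Negotiate row succeeds because the bind negotiated signing; the SimpleTls row succeeds because integrity is provided by TLS. Running the same three binds before and after the change is a quick way to confirm the policy has taken effect.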
The server-side setting is stored in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters under the value LDAPServerIntegrity (Group Policy: "Domain controller: LDAP server signing requirements"):
- 1 - None (signing is used only when the client negotiates it)
- 2 - Require signing (the advice of ADV190023)
The client-side setting is the value LDAPClientIntegrity under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP (Group Policy: "Network security: LDAP client signing requirements"):
- 0 - No signing
- 1 - Negotiate signing (the default)
- 2 - Require signing
These values control signing only; sealing (encryption of the payload) is negotiated separately by the client.
The NTDS diagnostic level for "16 LDAP Interface Events" (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics) must be 2 or higher for the per-client events to appear in the Directory Service log:
There are several Directory Service log events on the Domain Controller that help indicate the status of the LDAP Signing implementation:
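The following is an added PowerShell example for the Domain Controller side and is not code from the original page; it covers both the registry settings above and the diagnostic events. It reads the effective LDAPServerIntegrity and LDAPClientIntegrity values, raises the "16 LDAP Interface Events" diagnostic level so that the DC logs event 2889 for each unsigned bind, summarizes those events into a per-client remediation list, and finally sets LDAPServerIntegrity to 2. The event IDs used (2886 at startup when signing is not required, 2887 and 2888 as 24-hour summaries, 2889 per client at diagnostic level 2) and the property order inside event 2889 (client IP:port, identity, binding type) are the ones Windows uses; they are not listed in the page text above. Run it elevated on a Domain Controller.

```powershell
# Added example: audit, then enforce, LDAP Signing on a Domain Controller (run elevated on the DC).
# Registry paths and Directory Service event IDs are the ones Windows uses; nothing here is from the page above.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LdapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-LdapSigningState {
    # Missing values mean "not configured": the server then behaves as None, the client as Negotiate.
    $server = (Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $client = (Get-ItemProperty -Path $LdapClient -ErrorAction SilentlyContinue).LDAPClientIntegrity
    $diag   = (Get-ItemProperty -Path $NtdsDiag   -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
    [pscustomobject]@{
        LDAPServerIntegrity     = $server
        ServerRequiresSigning   = ($server -eq 2)     # the ADV190023 target
        LDAPClientIntegrity     = $client
        LdapInterfaceEventLevel = $diag
        PerClientEventsLogged   = ($diag -ge 2)       # level needed for event 2889
    }
}

function Enable-LdapInterfaceEventLogging {
    # Level 2 of "16 LDAP Interface Events" makes the DC write event 2889 for every unsigned bind.
    # At the default level you only get 2886 at startup (signing not required) and the 24-hour
    # summaries: 2887 while signing is not required, 2888 once unsigned binds are being rejected.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    # Event 2889: a client performed a SASL bind without requesting signing, or a simple bind over
    # clear text. Properties: [0] "ip:port", [1] identity the client bound as, [2] binding type.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $endpoint = [string]$_.Properties[0].Value
        # Split on the last colon so an IPv6 address keeps its own colons.
        $ip, $port = if ($endpoint -match '^(.*):(\d+)$') { $Matches[1], $Matches[2] } else { $endpoint, $null }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ClientIP    = $ip
            ClientPort  = $port
            Identity    = [string]$_.Properties[1].Value
            BindingType = $_.Properties[2].Value
        }
    } | Group-Object ClientIP, Identity | ForEach-Object {
        # One row per client/identity pair: the list to remediate before switching LDAPServerIntegrity to 2.
        [pscustomobject]@{
            ClientIP = $_.Group[0].ClientIP
            Identity = $_.Group[0].Identity
            Binds    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Binds -Descending
}

function Get-LdapSigningSummaryEvents {
    # Status and summary events, logged regardless of the diagnostic level.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886, 2887, 2888 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Set-LdapServerSigningRequired {
    # Same effect as the GPO "Domain controller: LDAP server signing requirements" = Require signing.
    # Prefer the GPO in production; run this only after Get-UnsignedLdapBinds comes back empty.
    Set-ItemProperty -Path $NtdsParams -Name LDAPServerIntegrity -Value 2 -Type DWord
}

# Usage: audit first, enforce later.
Get-LdapSigningState
Enable-LdapInterfaceEventLogging
Get-LdapSigningSummaryEvents | Format-Table -AutoSize
Get-UnsignedLdapBinds -Hours 24 | Format-Table -AutoSize
# Set-LdapServerSigningRequired   # uncomment once no unsigned clients remain
```

The order matters: raising the diagnostic level first and watching 2889 for a full 24-hour cycle (so that scheduled jobs and appliances that bind infrequently show up) gives the list of clients to fix; only then is it safe to set LDAPServerIntegrity to 2, after which those clients would start receiving result code 8 instead of a successful bind.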