Overview#
LDAPServerIntegrity is a Microsoft Active Directory setting, stored in the Windows registry on Domain Controllers (a DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), that sets the Domain Controller's policy for "LDAP Signing". Requiring signing prevents Man-in-the-Middle (MitM) and replay attacks against LDAP, which depend on DUAs (clients) performing Bind Requests without integrity protection of the LDAP messages. Such an insecure bind is either:
- a SASL (Negotiate SSP, Kerberos, NTLM, or Digest SSP) LDAP Bind Request that did not request signing (integrity), or
- an LDAP Simple Authentication Bind Request performed over a cleartext (non-SSL/TLS-encrypted) connection.
With the value 1 (None, the default) the Domain Controller accepts both kinds of bind; with the value 2 (Require signing) it rejects them. SASL binds that negotiate signing, and simple binds carried over an SSL/TLS-protected connection, are accepted under either setting.
Configuring Domain Controllers for LDAP Signing#
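The following PowerShell is an added example, not code from the original page or from Microsoft: it reads the current LDAPServerIntegrity value, turns on the diagnostic logging that makes the Domain Controller record each unsigned or cleartext bind as Directory Service event 2889, lists those binds, and only then (commented out) sets the value to Require signing. It assumes an elevated session on a Domain Controller; the registry paths, value names and event IDs are the documented ones, while the Properties[] index mapping for event 2889 (client, identity, binding type) is an assumption taken from the event's message layout and should be confirmed against one real event before relying on it.

```powershell
# Added example (not from the original page). Run elevated on a Domain Controller.
# Assumption: event 2889 exposes Properties[0] = client ip:port, [1] = bound identity,
# [2] = binding type; verify against a real event from your DC.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapSigningPolicy {
    # 1 = None (unsigned SASL and cleartext simple binds accepted), 2 = Require signing.
    # An absent value means the default, which is 1.
    $v = (Get-ItemProperty -Path $ntdsParams -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($null -eq $v) { $v = 1 }
    [pscustomobject]@{
        LDAPServerIntegrity = $v
        Policy              = $(if ($v -eq 2) { 'Require signing' } else { 'None' })
    }
}

function Enable-LdapInterfaceEventLogging {
    # Level 2 of "16 LDAP Interface Events" makes the DC log event 2889 for every
    # unsigned SASL bind and every cleartext simple bind, instead of only the
    # 24-hour summary count in event 2887.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-InsecureLdapBinds {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value   # "ip:port" of the DUA that performed the bind
            Identity = $_.Properties[1].Value   # account the client bound as
            # Binding type in the event: 0 = SASL bind without signing, 1 = simple bind over cleartext
            BindType = $(if ($_.Properties[2].Value -eq 1) { 'Simple bind (cleartext)' } else { 'SASL bind (unsigned)' })
        }
    }
}

function Set-LdapSigningRequired {
    # Same effect as the GPO "Domain controller: LDAP server signing requirements" = Require signing.
    Set-ItemProperty -Path $ntdsParams -Name LDAPServerIntegrity -Value 2 -Type DWord
}

# Typical sequence: check where you stand, start logging, let it run for a while,
# review the offending clients, fix them, then enforce.
Get-LdapSigningPolicy
Enable-LdapInterfaceEventLogging
Get-InsecureLdapBinds -Hours 24 | Sort-Object Client, Identity, BindType -Unique | Format-Table -AutoSize
# Only once the list above is empty, or every remaining client is known and fixed:
# Set-LdapSigningRequired
```

Enforcing first and looking later is the common mistake: clients that still do unsigned SASL or cleartext simple binds (typically older appliances, printers and application service accounts) stop authenticating the moment the value becomes 2, so the 2889 list is what you work through before flipping the setting.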
You can use a Windows registry value or a Group Policy Object (GPO) to configure Domain Controllers for LDAP Signing. Both set the same thing: the DWORD value LDAPServerIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, where 1 means None (signing not required) and 2 means Require signing. The GPO setting is "Domain controller: LDAP server signing requirements" under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Before switching to Require signing, enable LDAP Interface Events diagnostic logging (value "16 LDAP Interface Events" = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics) and review the Directory Service event log: Event ID 2886 is logged at startup while signing is not required, 2887 gives a 24-hour count of unsigned and cleartext binds, and 2889 names each client and the bind type, so the clients can be fixed before the policy is enforced.
More Information#
There might be more information for this subject on one of the following:
- [#1] - Event ID 2886 — LDAP signing
  - based on information obtained 2020-01-18
- [#2] - LDAP signing
  - based on information obtained 2020-01-18
- [#3] - Identifying Clear Text LDAP binds to your DC's
  - based on information obtained 2020-01-18
- [#4] - Query-InsecureLDAPBinds.ps1
  - based on information obtained 2020-01-18
- [#5] - LDAP Signing Events Custom View.xml
  - based on information obtained 2020-01-18