Overview#
LDAPServerIntegrity is a Microsoft Active Directory setting in the Windows registry on Domain Controllers to indicate the policy for "LDAP Signing"Microsoft in order to prevent Man-In-The-Middle (MiTM) Replay attacks which are considered DUA (clients) which performed Bind Requests without integrity of the LDAP Message which are either:
- A SASL (Negotiate SSP, Kerberos, NTLM, or Digest SSP) LDAP Bind Request that did not request signing (LDAPServerIntegrity), or
- A LDAP Simple Authentication Bind Request that was performed on a cleartext (non-SSL/TLS-encrypted) connection
Configuring Domain Controllers for LDAP Signing#
You can use a Windows registry key or Group Policy Object (GPO) to configure Domain Controllers for LDAP SigningMore Information#
There might be more information for this subject on one of the following:- [#1] - Event ID 2886 — LDAP signing
- based on information obtained 2020-01-18
- [#2] - LDAP signing - based on information obtained 2020-01-18
- [#3] - Identifying Clear Text LDAP binds to your DC's - based on information obtained 2020-01-18
- [#4] - Query-InsecureLDAPBinds.ps1 - based on information obtained 2020-01-18
- [#5] - LDAP Signing Events Custom View.xml - based on information obtained 2020-01-18
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!