
Domain controller: LDAP server signing requirements and Simple Binds

Published on Thursday, September 22, 2016

Lately I’ve been wondering about the impact of the following setting: Domain controller: LDAP server signing requirements. The documentation (TechNet #1 and TechNet #2) spells it out pretty well: This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. You can set it to either None or Required. None is the default and allows signing if the client asks for it.

Sometimes when I read information I read too fast and draw my conclusion. Shame on me. Wrong conclusion from my side: configuring this setting to Required requires all connections to use LDAPS (TCP 636). Nope. It says data signing! Signing can be done perfectly well with traffic targeted at either LDAP (TCP 389) or LDAPS (TCP 636).

From AskDS: Understanding LDAP Security Processing I learned various things about simple binds. Simple binds send your username and password in clear text. Needless to say that in combination with plain LDAP (TCP 389) you’re at risk. On the other hand, if the communication is using LDAPS, sending passwords in clear text could be acceptable.

Now the documentation I referenced earlier is a bit conflicting on this topic:

  • This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
  • If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
  • Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.

Now it might be just me but I would phrase that in another way. Both articles suffer from the same wording. So like with any other uncertainty we just test it. Once you see and experience it you’ll never forget!

This is part of the Default Domain Controller Policy on Windows Server 2012 R2:

image

I changed it to:

image

Now using LDP.exe we can do some tests:

Connecting over LDAPS:

image

Performing a simple bind:

image

And the result:

image

Now if we try to connect over LDAP:

image

Bind like before. But now we get:

image

In words: Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required
Server error: 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580
Error 0x2028 A more secure authentication method is required for this server.
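
The same two LDP.exe tests can be repeated from PowerShell. This is an added example, not part of the original post; the function name `Test-LdapSimpleBind` and the host `dc01.example.test` are placeholders. With signing set to Required, the post's results correspond to LDAP error 8 on port 389 and a successful bind on port 636.

```powershell
# Added example: repeat the LDP.exe simple-bind test against a domain controller.
# Uses the .NET System.DirectoryServices.Protocols classes that ship with Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int] $Port,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $UseSsl
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    # AuthType Basic is an LDAP simple bind: user name and password are sent as-is.
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id,
                $Credential.GetNetworkCredential(),
                ([System.DirectoryServices.Protocols.AuthType]::Basic)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl   # LDAPS when set
        $conn.Bind()
        $result = 'Bind succeeded'
    }
    catch {
        # PowerShell may wrap the .NET exception; unwrap to the LdapException.
        $e = $_.Exception
        while ($e.InnerException -and
               $e -isnot [System.DirectoryServices.Protocols.LdapException]) {
            $e = $e.InnerException
        }
        if ($e -is [System.DirectoryServices.Protocols.LdapException]) {
            # ErrorCode 8 is the "Strong Authentication Required" result shown above.
            $result = "Bind failed, LDAP error $($e.ErrorCode): $($e.ServerErrorMessage)"
        } else {
            $result = "Bind failed: $($e.Message)"
        }
    }
    finally { $conn.Dispose() }
    [pscustomobject]@{ Server = $Server; Port = $Port; Ssl = [bool]$UseSsl; Result = $result }
}

# Use a throwaway lab account: on port 389 the password crosses the wire in clear text.
$cred = Get-Credential
Test-LdapSimpleBind -Server 'dc01.example.test' -Port 389 -Credential $cred
Test-LdapSimpleBind -Server 'dc01.example.test' -Port 636 -Credential $cred -UseSsl
```

A failure on port 636 with no server error message usually means the client does not trust the domain controller's certificate, not that the bind was rejected by the signing policy.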

Conclusion:

All of this is definitely not new, but writing about it helps me never forget it. Setting the LDAP server signing requirements to Required will probably require some planning and testing, but it doesn’t mean you can’t use simple binds, as long as you can configure your application to use LDAPS. Your domain controller should be logging a warning event every once in a while when simple binds or unsigned LDAP traffic is seen. Here’s some more info on this event: Event ID 2887 — LDAP signing.

If you want to read more on LDAP signing, please check KB935834: How to enable LDAP signing in Windows Server 2008