Article ID: 935834 - Last Review: May 18, 2011 - Revision: 5.1

How to enable LDAP signing in Windows Server 2008


RAPID PUBLISHING


RAPID PUBLISHING ARTICLES PROVIDE INFORMATION IN RESPONSE TO EMERGING OR UNIQUE TOPICS, AND MAY BE UPDATED AS NEW INFORMATION BECOMES AVAILABLE.

INTRODUCTION

The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), and LDAP simple binds that are performed over a clear text (non-SSL/TLS-encrypted) connection. SASL mechanisms include Negotiate, Kerberos, NTLM, and Digest.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

This article describes how to configure your directory server to protect it from such attacks.

MORE INFORMATION

Discovering clients that do not use the Require signing option


Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. To help identify these clients, the directory server logs a summary event 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.

If more detailed information is required to identify such clients, the directory server can be configured to provide more detailed logs. This additional logging records an event 2889 each time a client attempts an unsigned LDAP bind. The event shows the IP address of the client and the identity that the client tried to authenticate as. This additional logging is enabled by setting the LDAP Interface Events diagnostic setting to 2 (Basic). For more information about how to change the diagnostic settings, visit the following Microsoft Web site:
http://go.microsoft.com/?linkid=9645087

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server logs a summary event 2888 one time every 24 hours when such bind attempts occur.
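The discovery workflow above, as an added PowerShell example that is not part of the KB article: it turns on the LDAP Interface Events diagnostic at level 2, then reads events 2887, 2888 and 2889 from the Directory Service log and lists the client addresses and identities from the 2889 events. The registry value name and the wording of the 2889 message text that the regular expressions rely on are assumptions about the Windows Server 2008 log format.

```powershell
# Added example (not from the KB article). Run on the domain controller as an administrator.
# 2887 - daily count of unsigned/cleartext binds while the server still accepts them
# 2888 - daily count of such binds after the server has been set to reject them
# 2889 - one event per unsigned bind with client IP and identity (needs logging level 2)

# "16 LDAP Interface Events" is the NTDS diagnostic value the article refers to (assumed name).
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Collect the relevant events from the last 7 days (assumed review window).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2888, 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Daily summary events: first line of the message carries the count.
$events | Where-Object Id -in 2887, 2888 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Event 2889 detail: parse the client address and the identity it tried to bind as.
# The message wording is assumed; adjust the patterns if your DC's localisation differs.
$clients = foreach ($e in ($events | Where-Object Id -eq 2889)) {
    $ip = if ($e.Message -match 'Client IP address:\s*(\S+)')      { $Matches[1] } else { 'unknown' }
    $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id }
}

# One row per client/identity pair with a count: this is the list of clients to
# reconfigure before the server is switched to "Require signing".
$clients | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
    Format-Table -AutoSize
```

Re-run the last part after the clients have been reconfigured; when no new 2889 events appear for an extended period, the server can be moved to Require signing as the article recommends.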

Configuring the Directory to require LDAP Server Signing

Using Group Policy

Setting of the server LDAP signing requirement
  1. Click Start, click Run, type mmc.exe, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
  4. In the Select Group Policy Object dialog box, click Browse.
  5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
  6. Click Finish.
  7. Click OK.
  8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
  10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
  11. Click Yes in the Confirm Setting Change dialog box.
Setting of the client LDAP signing requirement via local computer policy
  1. Click Start, click Run, type mmc.exe, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
  4. Click Finish.
  5. Click OK.
  6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  7. Right-click Network security: LDAP client signing requirements, and then click Properties.
  8. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
  9. Click Yes in the Confirm Setting Change dialog box.
Setting of the client LDAP signing requirement via domain group policy
  1. Click Start, click Run, type mmc.exe, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
  4. Click Browse..., and then select Default Domain Policy (or the Group Policy object in which you want to enable client LDAP signing).
  5. Click OK.
  6. Click Finish.
  7. Click Close.
  8. Click OK.
  9. Expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  10. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
  11. Click Yes in the Confirm Setting Change dialog box.


For more information, click the following article number to view the article in the Microsoft Knowledge Base:
823659 (http://support.microsoft.com/kb/823659/) Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

Using Registry Keys

To have us change the registry keys for you, go to the "Fix it for me" section. If you prefer to change the registry keys yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Fix this problem: Microsoft Fix it 50518


Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not using the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.



Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. Right-click the LDAPServerIntegrity registry entry, and then click Modify.
  4. Change Value data to 2, and then click OK.
  5. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters
  6. Right-click the ldapclientintegrity registry entry, and then click Modify.
  7. Change the Value data to 2, and then click OK.

For Active Directory Lightweight Directory Services (AD LDS), the registry entry is not available by default. Therefore, you must create an LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instanceName\Parameters
Note InstanceName is the name of the AD LDS instance that you want to change.
Verify Configuration Changes
  1. Click Start, click Run, type ldp.exe, and then click OK.
  2. Under the Connection menu, click Connect.
  3. Type the server name and the non-SSL/TLS port of your directory server in the Server field and the Port field, and then click OK.
    Note For an Active Directory Domain Controller, the applicable port is 389.
  4. After establishing a connection, select Bind under the Connection menu.
  5. Under Bind type, select Simple bind.
  6. Type the user name and password, and then click OK.

You have successfully configured your directory server if you receive the following error message:
Ldap_simple_bind_s() failed: Strong Authentication Required
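The registry steps in "Let me fix it myself" and the ldp.exe check in "Verify Configuration Changes", combined into one added PowerShell example that is not part of the KB article. It writes the two values, creates the AD LDS entry when the instance key exists, and then performs the same unsigned simple bind on port 389 that ldp.exe does, expecting LDAP result code 8 (strongerAuthRequired, shown by ldp.exe as "Strong Authentication Required"), followed by a signed Negotiate bind that must still succeed. The DC name, the instanceName placeholder and the use of System.DirectoryServices.Protocols are assumptions.

```powershell
# Added example (not from the KB article). Run as an administrator on the domain controller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ldap\Parameters'
# Value data 2 = Require signing, the same value the Group Policy settings write.
Set-ItemProperty -Path $serverKey -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
Set-ItemProperty -Path $clientKey -Name 'ldapclientintegrity' -Value 2 -Type DWord

# AD LDS: the entry is absent by default, so create it. 'instanceName' is the
# placeholder from the article; replace it with your AD LDS instance name.
$adLdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\instanceName\Parameters'
if (Test-Path $adLdsKey) {
    New-ItemProperty -Path $adLdsKey -Name 'LDAPServerIntegrity' -Value 2 `
        -PropertyType DWord -Force | Out-Null
}

# Scripted equivalent of the ldp.exe check on the non-SSL/TLS port (389).
function Test-LdapSigningEnforced {
    param([string]$Server, [pscredential]$Credential)
    $id  = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $net = $Credential.GetNetworkCredential()

    # 1. Unsigned simple bind: must be rejected with result code 8 (strongerAuthRequired).
    $simple = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $net, 'Basic')
    $simple.SessionOptions.ProtocolVersion = 3
    try   { $simple.Bind(); $simpleRejected = $false }
    catch { $simpleRejected = ($_.Exception.ErrorCode -eq 8) }   # LdapException.ErrorCode

    # 2. Signed SASL (Negotiate) bind: must still succeed, so signing clients are unaffected.
    $signed = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $net, 'Negotiate')
    $signed.SessionOptions.Signing = $true
    $signed.SessionOptions.Sealing = $true
    try { $signed.Bind(); $signedOk = $true } catch { $signedOk = $false }

    [pscustomobject]@{ UnsignedSimpleBindRejected = $simpleRejected; SignedBindSucceeded = $signedOk }
}

# Use a low-privilege test account: if the server still accepted the simple bind,
# that password would cross the network in clear text.
$server = 'dc1.contoso.example'   # placeholder DC name
Test-LdapSigningEnforced -Server $server -Credential (Get-Credential -Message 'Test account')
```

Both fields should be True; a False in UnsignedSimpleBindRejected means the server is still accepting unsigned binds (check that the LDAPServerIntegrity change has taken effect), and a False in SignedBindSucceeded points at a client-side problem rather than the signing requirement itself.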

Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus).
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog (http://blogs.technet.com/fixit4me/) or send us an email (mailto:fixit4me@microsoft.com?Subject=KB).

DISCLAIMER


MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE FOR ANY PURPOSE. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.

For more information on the terms of use, click on the link below:
http://support.microsoft.com/tou/
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbrapidpub kbhowto kbexpertiseinter kbsurveynew kbinfo kbfixme kbmsifixme KB935834