How to enable LDAP signing in Windows Server 2008

The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

This article describes how to configure your directory server to protect it from such attacks.

How to discover clients that do not use the "Require signing" option

Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. To help identify these clients, the directory server logs a summary event 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.

If you must have more information to identify such clients, you can configure the directory server to provide more detailed logs. This additional logging will log an event 2889 when a client tries to make an unsigned LDAP bind. The logging displays the IP address of the client and the identity that the client tried to use to authenticate. You can enable this additional logging by setting the LDAP Interface Events diagnostic setting to 2 (Basic). For more information about how to change the diagnostic settings, go to the following Microsoft website:If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur.

How to configure the directory to require LDAP server signing

Using Group Policy

How to set the server LDAP signing requirement

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
4. In the Select Group Policy Object dialog box, click Browse.
5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.
6. Click Finish.
7. Click OK.
8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
11. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through local computer policy

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
4. Click Finish.
5. Click OK.
6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
7. Right-click Network security: LDAP client signing requirements, and then click Properties.
8. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
9. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through a domain Group Policy Object

1. Click Start, click Run, type mmc.exe, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.
4. Click Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).
5. Click OK.
6. Click Finish.
7. Click Close.
8. Click OK.
9. Expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
10. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.
11. In the Confirm Setting Change dialog box, click Yes.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

How to use registry keys

To have us change the registry keys for you, go to the "Fix it for me" section. If you prefer to change the registry keys yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link, click Run in the File Download dialog box, and then follow the steps in the Fix it wizard. Notes

• This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
• If you are not using the computer that has the problem, save the Fix it solution to a flash drive or a CD, and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Right-click the LDAPServerIntegrity registry entry, and then click Modify.
4. Change Value data to 2, and then click OK.
5. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\Parameters
6. Right-click the ldapclientintegrity registry entry, and then click Modify.
7. Change the Value data to 2, and then click OK.

By default, for Active Directory Lightweight Directory Services (AD LDS), the registry key is not available. Therefore, you must create a LDAPServerIntegrity registry entry of the REG_DWORD type under the following registry subkey: Note The placeholder <InstanceName> represents the name of the AD LDS instance that you want to change.

How to verify configuration changes

1. Click Start, click Run, type ldp.exe, and then click OK.
2. Under the Connection menu, click Connect.
3. In the Server field and in the Port field, type the server name and the non-SSL/TLS port of your directory server, and then click OK.
   
   Note For an Active Directory Domain Controller, the applicable port is 389.
4. After a connection is established, select Bind on the Connection menu.
5. Under Bind type, select Simple bind.
6. Type the user name and password, and then click OK.

if you receive the following error message, you successfully configured your directory server:

Did this fix the problem?

• Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support
  (http://support.microsoft.com/contactus)
  .
• We would appreciate your feedback. To provide feedback or to report any issues with this solution, leave a comment on the "Fix it for me
  (http://blogs.technet.com/fixit4me/)
  " blog, or send us an email message
  (mailto:fixit4me@microsoft.com?Subject=KB)
  .