Frequently asked questions about changes to Lightweight Directory Access Protocol

• ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

• KB4520412 2020 LDAP channel binding and LDAP signing requirement for Windows

• KB935834 How to enable LDAP signing in Windows Server 2008

• KB4563239 LDAP session security settings and requirements after ADV190023 is installed

• Blogs.TN: Identifying Clear Text LDAP binds to your DC’s (Published January 13, 2016)

• IETF: Token Binding over HTTP

  • This document describes a collection of mechanisms that enable HTTP servers to cryptographically bind authentication tokens (such as cookies and OAuth tokens) to SSL/TLS [RFC5246] connections.

• TechCommunity: LDAP Channel Binding and LDAP Signing Requirements - March update NEW behavior

  • This blog describes audit events logged by devices not using signed LDAP binds or channel binding tokens.

LDAP Clients that do not enable or support signing will not connect.

LDAP Simple Binds over non-TLS connections will not work if LDAP signing is required.

LDAP clients that connect over SSL/TLS, but do not provide CBT, will fail if the server requires CBT.

SSL/TLS connections that are terminated by an intermediate server that in turn issues a new connection to an Active Directory Domain Controller, will fail.

Support for channel binding maybe less common on third-party operating systems and applications than it is for LDAP signing.

No.

Windows applications that are built on .NET Framework, Active Directory Service Interfaces (ADSI), or make LDAP calls into WLDAP32 which handles LDAP signing and channel binding for you. Please contact your SDK equivalent for non- windows device O/S, service, and applications.

No. When SASL with signing is used, LDAP is more secure over port 389.

The policies are enabled only on DCs.