Find answers to frequently asked questions about the changes to Lightweight Directory Access Protocol (LDAP).
To learn more, go to ADV190023.
Note: This article will be updated regularly with additional questions and answers in response to customer feedback.
Frequently asked questions
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
KB4520412 2020 LDAP channel binding and LDAP signing requirement for Windows
KB935834 How to enable LDAP signing in Windows Server 2008
KB4563239 LDAP session security settings and requirements after ADV190023 is installed
Blogs.TN: Identifying Clear Text LDAP binds to your DCs (Published January 13, 2016)
IETF: Token Binding over HTTP
This document describes a collection of mechanisms that enable HTTP servers to cryptographically bind authentication tokens (such as cookies and OAuth tokens) to SSL/TLS [RFC5246] connections.
This blog describes audit events logged by devices not using signed LDAP binds or channel binding tokens.
LDAP clients that do not enable or support signing will not connect.
LDAP simple binds over non-TLS connections will not work if LDAP signing is required.
LDAP clients that connect over SSL/TLS but do not provide a CBT will fail if the server requires CBT.
SSL/TLS connections that are terminated by an intermediate server, which in turn opens a new connection to an Active Directory Domain Controller, will fail when CBT is required, because the token the client presents is bound to its own TLS session rather than to the intermediary's connection to the DC.
Support for channel binding may be less common on third-party operating systems and applications than support for LDAP signing.
Windows applications that are built on the .NET Framework or Active Directory Service Interfaces (ADSI), or that make LDAP calls into WLDAP32, have LDAP signing and channel binding handled for them by WLDAP32. For non-Windows operating systems, services, and applications, contact the vendor of the equivalent SDK.
No. When SASL with signing is used, LDAP over port 389 is more secure.
The policies are enabled only on DCs.
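Before enforcing signing, administrators normally inventory the clients that would stop connecting by reading the audit events the blog above describes. The following is an added example, not code from this article or from Microsoft: it parses Directory Service event 2889 messages (the event a DC logs for a bind that did not request signing or was a clear-text simple bind) and groups them by client, identity and binding type. The message wording and the meaning of Binding Type (0 = unsigned SASL bind, 1 = simple bind without SSL/TLS) are assumed from real 2889 events; all hosts and account names are constructed.

```python
import re
from collections import Counter

# Header text of a 2889 event, as assumed from real events on a DC.
HEADER = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
          "without requesting signing (integrity verification), or performed a simple bind "
          "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n")

def make_event(addr, identity, btype):
    """Build one constructed 2889 message body (sample data, not a real log)."""
    return (HEADER + f"Client IP address:\n{addr}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{btype}")

# Constructed sample: two unsigned SASL binds from one host, one clear-text simple bind.
SAMPLE_EVENTS = [
    make_event("10.0.0.25:50112", "CONTOSO\\svc-backup", 0),
    make_event("10.0.0.40:61002", "CONTOSO\\svc-badge", 1),
    make_event("10.0.0.25:50300", "CONTOSO\\svc-backup", 0),
]

# Binding Type 0 = SASL bind that did not request signing, 1 = simple bind in clear text.
BINDING_TYPE = {"0": "unsigned SASL bind", "1": "simple bind without SSL/TLS"}

FIELDS = re.compile(
    r"Client IP address:\s*(?P<addr>\S+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*"
    r"Binding Type:\s*(?P<btype>[01])",
    re.S,
)

def parse_event(message):
    """Return (client_ip, identity, binding) from one 2889 message, or None if it is not one."""
    m = FIELDS.search(message)
    if not m:
        return None
    ip = m.group("addr").rsplit(":", 1)[0]  # drop the ephemeral source port
    return ip, m.group("identity").strip(), BINDING_TYPE[m.group("btype")]

def inventory(messages):
    """Count binds per (client, identity, binding) so each offending client appears once."""
    counts = Counter(p for p in map(parse_event, messages) if p)
    # Unsigned SASL binds keep working on port 389 once the client requests signing;
    # clear-text simple binds must move to LDAPS or to a SASL mechanism with signing.
    return [
        {"client": ip, "identity": who, "binding": kind, "binds": n,
         "fix": "enable signing on the client" if kind == "unsigned SASL bind"
                else "switch to LDAPS or SASL with signing"}
        for (ip, who, kind), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for row in inventory(SAMPLE_EVENTS):
        print(row)
```

On a real DC the messages would come from the Directory Service log (Get-WinEvent or an exported file) rather than from SAMPLE_EVENTS.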
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.