Find answers to frequently asked questions about the changes to Lightweight Directory Access Protocol (LDAP).

To learn more, go to ADV190023.


Note: This article will be updated regularly with additional questions and answers in response to customer feedback.

Frequently asked questions

LDAP clients that do not enable or support signing will not be able to connect.

LDAP Simple Binds over non-TLS connections will not work if LDAP signing is required.

LDAP clients that connect over SSL/TLS but do not provide channel binding tokens (CBT) will fail if the server requires CBT.

SSL/TLS connections that are terminated by an intermediate server (which in turn opens a new connection to an Active Directory Domain Controller) will fail, because the channel binding token of the client's TLS session does not match the TLS session the domain controller sees.

Support for channel binding may be less common on third-party operating systems and applications than support for LDAP signing.


Windows applications that are built on .NET Framework or Active Directory Service Interfaces (ADSI), or that make LDAP calls into WLDAP32, have LDAP signing and channel binding handled for them by those libraries. For non-Windows device operating systems, services, and applications, contact the vendor of the equivalent SDK.

No. When a SASL bind with signing is used, LDAP over port 389 is protected against tampering and is considered secure.
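The two bind styles the answers above contrast, as an added example that is not part of the article: a SASL (Negotiate) bind on port 389 with signing requested, which keeps working when the DC requires signing, beside the clear-text simple bind that stops working. It uses the .NET System.DirectoryServices.Protocols classes that handle signing for you; `dc01.example.test` is a placeholder host name, and the LDAP result code 8 (strongerAuthRequired) is the standard code a DC returns when its signing policy is not met.

```powershell
# Added example (not from the article). Requires a domain-joined Windows host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-SignedLdap {
    # SASL bind over 389 with integrity (signing) and confidentiality (sealing) requested.
    param([Parameter(Mandatory)] [string] $DomainController, [int] $Port = 389)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos/NTLM via SASL
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # the "LDAP signing" the policy requires
    $conn.SessionOptions.Sealing = $true   # encryption; not required by the policy, but recommended
    try {
        $conn.Bind()                       # binds as the current Windows user
        return $conn
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 8 = strongerAuthRequired: the DC rejected the bind under its signing policy
        if ($_.Exception.ErrorCode -eq 8) {
            throw "DC $DomainController requires signing; this bind did not satisfy it: $($_.Exception.Message)"
        }
        throw
    }
}

function Test-SimpleBindRejected {
    # Clear-text simple bind on 389: the article says this fails once signing is required.
    # Returns $true when the DC rejects it with strongerAuthRequired, i.e. the policy is enforced.
    param([Parameter(Mandatory)] [string] $DomainController,
          [Parameter(Mandatory)] [pscredential] $Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind
    $conn.Credential = $Credential.GetNetworkCredential()
    try { $conn.Bind(); return $false }   # bound in clear text: signing is NOT being enforced
    catch [System.DirectoryServices.Protocols.LdapException] { return ($_.Exception.ErrorCode -eq 8) }
    finally { $conn.Dispose() }
}

$dc = 'dc01.example.test'   # placeholder domain controller name
$session = Connect-SignedLdap -DomainController $dc
# Read the RootDSE to prove the signed session works; SendRequest runs over the signed channel.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext')
$session.SendRequest($req).Entries[0].Attributes['defaultNamingContext'][0]
$session.Dispose()
```

Run `Test-SimpleBindRejected -DomainController $dc -Credential (Get-Credential)` with a test account to confirm the DC enforces the policy before relying on it.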

The policies are enabled only on domain controllers (DCs).


Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
