Domain Controller: LDAP server signing requirements

Expand / Collapse

Domain Controller: LDAP server signing requirements

This policy, as the name indicates, only impacts domain controllers. By default LDAP traffic is unsigned an unencrypted making it vulnerable to man-in-the-middle attacks and eavesdropping. This setting controls whether the domain controller signs data sent to the client which allows the client to make sure the data was not modified in transit. This is important because the client makes security decisions based on LDAP query results. For instance, member servers rely on LDAP queries to find out group membership or to determine which group policy objects should be applied.

If you configure this policy as None, the server will not require data signatures but will provide them if requested by the client. “Require signature” means the domain controller will only bind with clients that negotiate LDAP data-signing OR are using TLS/SSL. If the client established the LDAP connect with SSL, data-signing is redundant. (Domain controllers support LDAP over SSL; see ??? for more details).

Requiring LDAP data-signing can break many LDAP clients although Windows servers and workstations should support it without problem. If you use any non-Windows LDAP clients such as AD integrated Mac systems or Linux systems or other applications that communicate with AD via LDAP be very careful about requiring data signing. Research and test. Some clients support it. For LDAP clients that don’t support signing you may consider LDAP over SSL. See ??? for more details.

Apparently, LDAP signing also includes encryption of the payload portions of LDAP packets. However only IPSec or SSL provide complete encryption of the entire LDAP traffic stream.

LDAP signing functionally has had numerous revisions so make sure all systems are running the latest service pack to eliminate compatibility problems especially if you are authenticating via NTLM instead of Kerberos.

Bottom line

All Microsoft LDAP clients automatically request LDAP signing from domain controllers so, chances are, your network’s LDAP connections are already signed and encrypted without configuring this option. If you are sure all your non-Microsoft clients support signing, go ahead and require it.

User Comments

Click to subscribe to comments RSS feed...

No Member Photo
View Members Profile...,Posted By by shivaraj added Wednesday, June 9, 2010

I changed both "Domain Controller: LDAP server signing requirements" and "Network security: LDAP client signing requirements". But I am still able to connect to my Active Directory with "Softerra LDAP Administrator" with port 389 and Simple mechanism. Any idea why? And all my previous clients (which uses simple JNDI technique) are still working!!!<br />
Helpful? YesYes NoNo

Add Your Comments

Name: *
Email Address:
Web Address:
Verification Code:

Rated 5 stars based on 1 vote.
Article has been viewed 17,778 times.