
Domain Controller: LDAP server signing requirements

This policy, as the name indicates, applies only to domain controllers. By default LDAP traffic is neither signed nor encrypted, which leaves it open to man-in-the-middle tampering and eavesdropping. This setting controls whether the domain controller requires LDAP clients to negotiate signing; on a signed connection each side can verify that the data was not modified in transit. That matters because clients make security decisions based on LDAP query results: member servers, for instance, rely on LDAP queries to determine group membership and which group policy objects to apply, so a tampered result can change who is an administrator or which policy gets enforced.

If you configure this policy as None, the domain controller does not require signing but will sign if the client negotiates it. "Require signing" means the domain controller accepts a bind only if the client negotiates LDAP signing or the connection is already protected by TLS/SSL. If the client establishes the LDAP connection over SSL, signing is redundant because TLS already provides integrity for the whole stream. (Domain controllers support LDAP over SSL on port 636 once they have a suitable server certificate.) In practice the binds that "Require signing" rejects are SASL binds that did not negotiate signing and simple binds sent over a cleartext connection.

Requiring LDAP signing can break LDAP clients, although Windows servers and workstations support it without problems. If you have any non-Windows LDAP clients, such as AD-integrated Mac or Linux systems or other applications that talk to AD via LDAP, be very careful about requiring signing: research and test each one first. Some clients support signing; for those that do not, consider moving them to LDAP over SSL, which satisfies the requirement just as well.
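The two steps above (check what the policy is set to, then find out which clients would break before requiring signing) can be scripted on the domain controller. The following is an added example, not code from the original page. It assumes the well-known registry value behind this policy, LDAPServerIntegrity under the NTDS Parameters key (1 = None, 2 = Require signing), and the Directory Service events 2887 and 2889 that a domain controller logs for unsigned and cleartext simple binds; none of these are mentioned on the page itself. Run it elevated on a domain controller.

```powershell
# Added example (not from the original page). Run elevated on a domain controller.
# Assumed facts: LDAPServerIntegrity (1 = None, 2 = Require signing) backs the
# "Domain Controller: LDAP server signing requirements" policy; Directory Service
# event 2887 summarises unsigned/cleartext binds in the last 24 hours and event
# 2889 names each client once "16 LDAP Interface Events" is raised to level 2.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Report the current setting of the policy.
$integrity = (Get-ItemProperty -Path $ntdsParams -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
switch ($integrity) {
    2       { 'LDAP server signing requirement: Require signing' }
    1       { 'LDAP server signing requirement: None (signing offered, not required)' }
    default { 'LDAP server signing requirement: not set (behaves as None)' }
}

# 2. Turn on per-client logging of binds that use neither signing nor TLS.
#    Level 2 adds an event 2889 for every such bind, so expect log volume to grow
#    on a busy DC; set it back to 0 when the survey is finished.
Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 3. List the last day's 2887 summaries and 2889 per-client entries.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        if ($_.Id -eq 2887) {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 2887; Detail = $lines[0] }
        } else {
            # 2889 carries "Client IP address: <ip>:<port>" and
            # "Identity the client attempted to authenticate as: <account>".
            # Strip only the label (up to the first colon) so the IP:port survives.
            $ip  = ($lines | Where-Object { $_ -match 'Client IP address' })    -replace '^[^:]*:\s*', ''
            $who = ($lines | Where-Object { $_ -match 'attempted to authenticate' }) -replace '^[^:]*:\s*', ''
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 2889; Detail = "$who from $ip" }
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 4. Only when the 2889 list is empty, or every remaining client has been moved to
#    LDAPS, require signing. In a domain, set this through the Default Domain
#    Controllers Policy rather than the registry so Group Policy does not revert it.
# Set-ItemProperty -Path $ntdsParams -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
```

Each 2889 entry identifies one client and account that would be refused once the policy is set to "Require signing"; fix or migrate those to LDAPS before flipping the setting, then lower the diagnostic level again.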

LDAP signing by itself provides integrity, not confidentiality: a signed query and its results are still readable on the wire. Windows LDAP clients can additionally negotiate SASL sealing, which encrypts the payload portions of the LDAP packets, and many do so by default alongside signing. Even then, only IPsec or SSL/TLS protects the entire LDAP traffic stream.
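The distinction between signing, sealing and SSL, and the behaviour that "Require signing" produces for a client that does none of them, can be seen from the client side with the System.DirectoryServices.Protocols API that ships with .NET. The following is an added example, not code from the original page or from Microsoft; the server name is a placeholder, and the expected refusal of a cleartext simple bind (LDAP result code 8, strongerAuthRequired) applies once the domain controller has been set to "Require signing". Run it from any domain-joined Windows host.

```powershell
# Added example (not from the original page). Exercises four kinds of bind against
# a domain controller so the effect of signing, sealing and SSL can be compared.
# Assumption: $dc is a placeholder for one of your domain controllers.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc = 'dc01.corp.example'   # placeholder, replace with a real DC

function Test-LdapBind {
    param(
        [string]$Label,
        [string]$Server,
        [int]$Port,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [bool]$Signing,
        [bool]$Sealing,
        [bool]$Ssl,
        [System.Net.NetworkCredential]$Credential = $null
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = $AuthType
    $conn.SessionOptions.ProtocolVersion    = 3
    $conn.SessionOptions.SecureSocketLayer  = $Ssl      # LDAPS: TLS protects the whole stream
    $conn.SessionOptions.Signing            = $Signing  # SASL integrity: detects tampering only
    $conn.SessionOptions.Sealing            = $Sealing  # SASL privacy: encrypts LDAP payloads only
    if ($Credential) { $conn.Credential = $Credential }
    try {
        $conn.Bind()
        "{0,-32} OK" -f $Label
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # With "Require signing" in force, a simple bind over cleartext is refused
        # with LDAP result 8 (strongerAuthRequired).
        "{0,-32} REFUSED: {1} (code {2})" -f $Label, $_.Exception.Message, $_.Exception.ErrorCode
    } catch {
        "{0,-32} ERROR: {1}" -f $Label, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

# What Windows components do by default: Negotiate (Kerberos/NTLM) with signing and sealing.
Test-LdapBind -Label 'Negotiate, sign+seal (389)' -Server $dc -Port 389 -AuthType Negotiate -Signing $true  -Sealing $true  -Ssl $false

# Signing without sealing: tampering is detected, but queries and results are readable on the wire.
Test-LdapBind -Label 'Negotiate, sign only (389)' -Server $dc -Port 389 -AuthType Negotiate -Signing $true  -Sealing $false -Ssl $false

# What many non-Windows clients do: simple bind in cleartext. Refused once signing is required.
$cred = (Get-Credential -Message 'Account for the simple-bind tests').GetNetworkCredential()
Test-LdapBind -Label 'Simple bind, cleartext (389)' -Server $dc -Port 389 -AuthType Basic -Signing $false -Sealing $false -Ssl $false -Credential $cred

# The same simple bind over LDAPS satisfies "Require signing", since TLS already protects the stream.
Test-LdapBind -Label 'Simple bind over LDAPS (636)' -Server $dc -Port 636 -AuthType Basic -Signing $false -Sealing $false -Ssl $true  -Credential $cred
```

The third call is the one to watch: if it succeeds against a domain controller you believe requires signing, the policy is not in effect on that DC. The fourth call also fails if the client does not trust the DC's certificate, which is the usual obstacle when moving a non-signing client to LDAPS.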

LDAP signing functionality has gone through numerous revisions, so make sure all systems are running the latest service pack to avoid compatibility problems, especially if clients authenticate with NTLM rather than Kerberos.

Bottom line

Microsoft's own LDAP clients request LDAP signing from domain controllers by default, and most also negotiate sealing, so chances are your network's Windows-to-DC LDAP connections are already signed (and encrypted) without configuring this option. What the setting adds is refusing the clients that do not sign. If you are sure all your non-Microsoft clients support signing, or have been moved to LDAP over SSL, go ahead and require it.
