rkkhandelwal54
asked on
LDAP Interface issue in Active Directory Domain Service
How does one address to this warning:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 7/10/2009 3:16:08 PM
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER.domain.local
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds
ASKER
Thanks for the post. The resolution provided by you is for Windows XP but the message is seen on the SBS 2008 as can be seen in the post:
Computer: SERVER.domain.local
The 'Domain Controller: LDAP server signing requirement' is server side and needs to be set on the DCs.
The 'Network security: LDAP client signing requirement' is client side. The default value on XP and newer is negotiate and shouldn't need to be modified.
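As an added example that is not part of the original thread or of the KB article, the following PowerShell script audits the two signing settings named in the reply above on a domain controller and pulls from the Directory Service log the 24-hour summary event that the warning text mentions, so that the clients still using unsigned SASL or cleartext simple binds can be identified before the server is switched to reject them. The registry paths, value names and event IDs 2886, 2887 and 2889 are the documented ones for Windows Server 2008 and later; the -DaysBack and -Enforce parameters and the Get-RegValue helper are choices made here for illustration, and the regular expressions assume the standard English text of event 2889. It is written for the PowerShell 2.0 that ships with Server 2008 and must be run elevated on the DC.

```powershell
<#
  Added example (not from the original thread or KB article).
  Audits a DC's LDAP signing posture and lists the clients behind event 2886.
  Assumed for illustration: the -DaysBack/-Enforce parameters and Get-RegValue.
#>
param(
    [int]$DaysBack = 7,
    [switch]$Enforce
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ldapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

# Read one registry value, returning $Default when the value is absent (policy not configured).
function Get-RegValue([string]$Path, [string]$Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Server side: 'Domain controller: LDAP server signing requirements'.
# LDAPServerIntegrity 1 = None (the default; event 2886 keeps recurring), 2 = Require signing.
$serverIntegrity = Get-RegValue $ntdsParams 'LDAPServerIntegrity' 1
$serverText = switch ($serverIntegrity) { 1 { 'None' } 2 { 'Require signing' } default { "unknown ($_)" } }
Write-Host "LDAPServerIntegrity      : $serverIntegrity ($serverText)"

# Client side: 'Network security: LDAP client signing requirements'.
# LDAPClientIntegrity 0 = None, 1 = Negotiate (default on XP and later), 2 = Require signing.
$clientIntegrity = Get-RegValue $ldapClient 'LDAPClientIntegrity' 1
$clientText = switch ($clientIntegrity) { 0 { 'None' } 1 { 'Negotiate' } 2 { 'Require signing' } default { "unknown ($_)" } }
Write-Host "LDAPClientIntegrity      : $clientIntegrity ($clientText)"

# Diagnostic level '16 LDAP Interface Events'. At 0 the DC only logs the 24-hour summary
# (event 2887) that the warning text mentions; at 2 it also logs event 2889 for every
# unsigned/cleartext bind with the client address and account, which is what you need
# to find the clients to fix. Enable it with:
#   Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
$diagLevel = Get-RegValue $ntdsDiag '16 LDAP Interface Events' 0
Write-Host "16 LDAP Interface Events : $diagLevel (2 = log per-client event 2889)"

# Events: 2886 = this warning, 2887 = 24-hour summary count, 2889 = one per offending bind.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2886, 2887, 2889
    StartTime = (Get-Date).AddDays(-$DaysBack)
} -ErrorAction SilentlyContinue

$events | Where-Object { $_.Id -eq 2887 } | ForEach-Object {
    Write-Host ("{0:u} 2887 summary: {1}" -f $_.TimeCreated, (($_.Message -split "`n")[0]).Trim())
}

# Group the per-client events by source address and account so each client can be
# fixed (client signing on, or LDAPS) or retired before LDAPServerIntegrity goes to 2.
# The 2889 message carries "Client IP address:" and "Identity the client attempted to
# authenticate as:" each followed by its value on the next line.
$offenders = $events | Where-Object { $_.Id -eq 2889 } | ForEach-Object {
    $m  = $_.Message
    $ip = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $id = if ($m -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    New-Object PSObject -Property @{ Client = $ip; Identity = $id; When = $_.TimeCreated }
}
$offenders | Group-Object Client, Identity |
    Select-Object Count, @{n='Client';e={$_.Group[0].Client}}, @{n='Identity';e={$_.Group[0].Identity}} |
    Sort-Object Count -Descending | Format-Table -AutoSize

if ($Enforce) {
    if (@($offenders).Count -gt 0) {
        Write-Warning "Unsigned/cleartext binds were logged in the last $DaysBack days; not enforcing."
    } else {
        # Same effect as setting the DC policy to 'Require signing' in the registry directly.
        # A GPO that sets this policy to 'None' will overwrite this value at the next refresh,
        # so the supported route is the Default Domain Controllers Policy described in KB935834.
        Set-ItemProperty -Path $ntdsParams -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
        Write-Host 'LDAPServerIntegrity set to 2 (Require signing). Clients must now sign or use LDAPS.'
    }
}
```

Run it without -Enforce first (for example `.\Audit-LdapSigning.ps1 -DaysBack 30`, the file name being an arbitrary choice) and with the diagnostic level at 2 for at least one 24-hour cycle; the grouped table tells you which hosts and accounts still bind unsigned. Only once the table has been empty for the window you care about does `-Enforce` flip the server value, and even then prefer to make the same change in the Default Domain Controllers Policy so Group Policy and the registry agree.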
ASKER
The following link provided the solution which I was looking for:
How to enable LDAP signing in Windows Server 2008
http://support.microsoft.com/kb/935834
Thanks.
The necessary policy setting has been included in each of my posts, so I don't see why I don't get any points awarded.
It's ok for me if author want to include his post with the KB, but I still request points to be awarded.
ASKER
The path you mentioned was not seen in the GP Management Console and on searching further the referenced KB article was found. A detailed response would have been valuable for everyone.
ASKER
The settings provided by the Expert could not be found in the GP Management console and were obtained from the KB article. The Expert should understand that not everyone looking for a solution is an expert; they may be a novice too.