Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

LDAP Interface issue in Active Directory Domain Service

Posted on 2009-07-10
9
Medium Priority
?
892 Views
Last Modified: 2013-12-24
How does one address to this warning:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/10/2009 3:16:08 PM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SERVER.domain.local
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds
0
Comment
Question by:rkkhandelwal54
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 300 total points
ID: 24831316
Change the following policy policy settings

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
 Domain Controller: LDAP Server signing requirements = require
 Network Security: LDAP Client signing requirements = negiotiate

If the server side is set to require, all clients nead to respond with atleast negotiate
0
 

Author Comment

by:rkkhandelwal54
ID: 24833374
Thanks for the post. It is my mistake that i did not mention that I cam getting this on my SBS 2008 which is a clean install. I believe that I shall have to change the settings in the Group Policy. I shall be grateful if the exact path is specified.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 300 total points
ID: 24833855
The full path was posted with the policy settings indented under the path line, but GPO management of 2008 has an additional path level for separating Policies and Preferences.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
    Domain Controller: LDAP Server signing requirements = require
    Network Security: LDAP Client signing requirements = negiotiate


0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:rkkhandelwal54
ID: 24834299
Thanks for the post. The resolution provided by you is for Windows XP but the message is seen on the SBS 2008 as can be seen in the post:
Computer:      SERVER.domain.local
 
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24834601
The 'Domain Controller: LDAP server signing requirement' is server side and nead to be set on the DCs.

The 'Network security: LDAP client signing requireement' is client side. The default value on XP and newer is negotiate and shouldn't nead to be modified.
0
 

Author Comment

by:rkkhandelwal54
ID: 24884795
The followiing link provided the solution which I was looking for:
How to enable LDAP signing in Windows Server 2008
http://support.microsoft.com/kb/935834
Thanks.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24887443
The necessary policy setting has been included in each of my posts, so I don't see why I don't get any points awarded.
It's ok for me if author want to include his post with the KB, but I still request points to be awarded.
0
 

Author Comment

by:rkkhandelwal54
ID: 24888390
The path you mentioned was not seen in the GP Management Console and on searching further the refrenced KB article was found. A detailed response would have been valuable for everyone.
0
 

Author Closing Comment

by:rkkhandelwal54
ID: 31602360
The settings provided by the Expert could not be found in the GP Management console and was obtained from the KB article. Expert should understand that everyone looking for a solution is not an expert and may be a novice too.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
Instead of error trapping or hard-coding for non-updateable fields when using QODBC, let VBA automatically disable them when forms open. This way, users can view but not change the data. Part 1 explained how to use schema tables to do this. Part 2 h…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question