LDAP Interface issue in Active Directory Domain Service

How does one address this warning:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/10/2009 3:16:08 PM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SERVER.domain.local
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
rkkhandelwal54 asked:
Henrik Johansson, Systems engineer, commented:
Change the following policy settings:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
 Domain Controller: LDAP Server signing requirements = require
 Network Security: LDAP Client signing requirements = negotiate

If the server side is set to require, all clients need to respond with at least negotiate.
0

rkkhandelwal54 (Author) commented:
Thanks for the post. It is my mistake that I did not mention that I am getting this on my SBS 2008, which is a clean install. I believe that I shall have to change the settings in the Group Policy. I shall be grateful if the exact path is specified.
0
Henrik Johansson, Systems engineer, commented:
The full path was posted with the policy settings indented under the path line, but GPO management of 2008 has an additional path level for separating Policies and Preferences.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
    Domain Controller: LDAP Server signing requirements = require
    Network Security: LDAP Client signing requirements = negotiate


0
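Before flipping the server-side setting to "require", the event text above says to find the clients that still bind unsigned or in cleartext. The following PowerShell script is an added example, not code from the thread or from KB 935834: it reads the registry values that the two policy settings in the answer actually write, optionally raises the "16 LDAP Interface Events" diagnostics level so the DC logs a per-client event 2889 (the 24-hour summary is event 2887), and tabulates the offending clients already in the Directory Service log. It assumes an elevated PowerShell 2.0 or later session on the domain controller; the regular expressions that pull the client IP and identity out of the 2889 message follow that event's wording and are an assumption to check against your own build.

```powershell
# Added example (not from the thread or KB 935834): audit LDAP signing on a DC
# before setting "Domain Controller: LDAP server signing requirements" to Require.
# Assumes an elevated PowerShell 2.0+ session on the domain controller.
param(
    [switch]$EnableClientLogging,   # set "16 LDAP Interface Events" = 2 (logs event 2889)
    [int]$Days = 7                  # how far back to search the Directory Service log
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ldapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

function Get-RegDword($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default } else { return $item.$Name }
}

# 1. Current state. These are the registry values behind the two GPO settings:
#    server LDAPServerIntegrity 1 = None, 2 = Require signing;
#    client LDAPClientIntegrity 0 = None, 1 = Negotiate (default), 2 = Require.
$serverIntegrity = Get-RegDword $ntdsParams 'LDAPServerIntegrity' 1
$clientIntegrity = Get-RegDword $ldapClient 'LDAPClientIntegrity' 1
$serverNames = @{1 = 'None'; 2 = 'Require signing'}
$clientNames = @{0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing'}
"LDAP server signing requirement : $($serverNames[$serverIntegrity]) ($serverIntegrity)"
"LDAP client signing requirement : $($clientNames[$clientIntegrity]) ($clientIntegrity)"

# 2. Optionally raise LDAP Interface Events diagnostics to 2 so the DC logs
#    event 2889 (one per unsigned/cleartext bind, with client IP and identity)
#    in addition to the daily summary event 2887. Set it back to 0 afterwards;
#    on a busy DC this is noisy.
if ($EnableClientLogging) {
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    "Enabled per-client logging (event 2889). Reset '16 LDAP Interface Events' to 0 when done."
}

# 3. Summarise what the log already holds: 2886 (warning at service start),
#    2887 (24-hour count of unsigned/cleartext binds), 2889 (per-client detail).
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2886, 2887, 2889; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { "No 2886/2887/2889 events in the last $Days days."; return }

$events | Group-Object Id | ForEach-Object { "Event $($_.Name): $($_.Count) occurrence(s)" }

# Per-client table from 2889 messages. The patterns follow the 2889 wording
# ("Client IP address:", "Identity the client attempted to authenticate as:",
# "Binding Type:"); this is an assumption, adjust if your build differs.
$events | Where-Object { $_.Id -eq 2889 } | ForEach-Object {
    $m  = $_.Message
    $ip = if ($m -match 'Client IP address:\s*(\S+)') { $matches[1] } else { '?' }
    $id = if ($m -match 'authenticate as:\s*(.+?)\s*(Binding Type|$)') { $matches[1].Trim() } else { '?' }
    New-Object PSObject -Property @{ Time = $_.TimeCreated; Client = $ip; Identity = $id }
} | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it read-only first (`.\Audit-LdapSigning.ps1 -Days 30`), then with `-EnableClientLogging` for a few days if the 2887 counts are non-zero; once the 2889 table is empty for an extended period, apply the "require" setting from the answer above through the GPO path for the Domain Controllers OU rather than editing the registry by hand, so the value is enforced consistently and survives policy refresh.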
rkkhandelwal54 (Author) commented:
Thanks for the post. The resolution provided by you is for Windows XP but the message is seen on the SBS 2008 as can be seen in the post:
Computer:      SERVER.domain.local
 
0
Henrik Johansson, Systems engineer, commented:
The 'Domain Controller: LDAP server signing requirements' setting is server side and needs to be set on the DCs.

The 'Network security: LDAP client signing requirements' setting is client side. The default value on XP and newer is negotiate and shouldn't need to be modified.
0
rkkhandelwal54 (Author) commented:
The following link provided the solution which I was looking for:
How to enable LDAP signing in Windows Server 2008
http://support.microsoft.com/kb/935834
Thanks.
0
Henrik Johansson, Systems engineer, commented:
The necessary policy setting has been included in each of my posts, so I don't see why I don't get any points awarded.
It's OK for me if the author wants to include his post with the KB, but I still request points to be awarded.
0
rkkhandelwal54 (Author) commented:
The path you mentioned was not seen in the GP Management Console, and on searching further the referenced KB article was found. A detailed response would have been valuable for everyone.
0
rkkhandelwal54 (Author) commented:
The settings provided by the Expert could not be found in the GP Management Console and were obtained from the KB article. The Expert should understand that everyone looking for a solution is not an expert and may be a novice too.
0