
LDAP Signing

I am getting Event ID 2886 in a new install of Windows 2008 Server. Is there a downside to enabling the server to reject simple LDAP bind requests and other bind requests that do not include LDAP signing?
1 Solution
David Johnson, CD, MVP (Owner) commented:
how to set it up in your domain

This policy, as the name indicates, only impacts domain controllers. By default, LDAP traffic is unsigned and unencrypted, making it vulnerable to man-in-the-middle attacks and eavesdropping. This setting controls whether the domain controller signs data sent to the client, which allows the client to make sure the data was not modified in transit. This is important because the client makes security decisions based on LDAP query results. For instance, member servers rely on LDAP queries to find out group membership or to determine which group policy objects should be applied.
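On the downside the question asks about: once signing is required, any client that still performs simple or unsigned binds will fail to bind, so it is worth listing those clients first. The following is an added example, not part of the original answer, showing one way to do that audit on the domain controller. Assumptions: the function names are hypothetical, PowerShell 2.0 or later is installed (for `Get-WinEvent`), and the field order inside event 2889 (client address, identity, binding type) should be confirmed against a sample event on your own DC.

```powershell
# Added example: audit unsigned/simple LDAP binds before requiring LDAP signing.
# Run elevated on the domain controller. Function names are hypothetical.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Get-LdapSigningState {
    # LDAPServerIntegrity: 1 = none, 2 = require signing.
    $p = Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    if ($p) { $p.LDAPServerIntegrity } else { 'not set' }
}

function Set-LdapBindLogging([int]$Level) {
    # Level 2 logs event 2889 for each bind that would be rejected; 0 is the default.
    Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value $Level
}

function Get-UnsignedLdapBind {
    # Event 2889 = one record per simple or unsigned bind (2886 only warns that
    # the DC is not enforcing signing). Field order is an assumption, see lead-in.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $client = [string]$e.Properties[0].Value          # "address:port"
        $idx    = $client.LastIndexOf(':')
        if ($idx -gt 0) { $client = $client.Substring(0, $idx) }
        New-Object PSObject -Property @{
            Client      = $client
            Identity    = $e.Properties[1].Value
            BindingType = $e.Properties[2].Value          # raw value, not interpreted here
        }
    }
}

# Typical sequence:
"Current LDAPServerIntegrity: $(Get-LdapSigningState)"
Set-LdapBindLogging 2
# ...leave logging on for a representative period, then:
Get-UnsignedLdapBind |
    Group-Object Client, Identity, BindingType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
Set-LdapBindLogging 0   # return to the default once the list is collected
```

Every client and identity in the output needs to be moved to signed binds or LDAPS before the policy is set to require signing.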

