
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 519

Active Directory Domain Service

Hello, I need some help and a detailed explanation please.
I'm running a domain with Active Directory and the domain controller off the same Windows 2008 server.
Every day I get the following warning:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
Summary information on the number of these binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds performed without SSL/TLS: 332
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0

I've looked online for an explanation and a fix but I'm having trouble understanding the solutions. Can someone please explain to me what this means and how to fix it?
Please & thank you
1 Solution
Will Szymkowski (Senior Solution Architect) commented:
This is simply a warning message regarding LDAP for unsigned LDAP requests. This is basically telling you to enhance your security for LDAP binding to ensure that the requests need to be signed.

See the following TechNet article to accomplish this. Just remember that if you are going to implement this change, make sure that your applications trying to do LDAP binds can work with this security. If they can't, simply ignore this event.

MS illustrates this event as it "could" be a security concern if LDAP binds are not signed.

Hope this helps!
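The event text above points at the two halves of the procedure the answer describes: first raise the "LDAP Interface Events" diagnostics level so the DC names the clients behind those 332 cleartext simple binds, then, once every client has been moved to LDAPS or a signed SASL bind, make the DC reject such binds. The following PowerShell is an added example for this thread, not the answerer's code or anything from the TechNet article; it assumes the default NTDS registry paths, the "Directory Service" event log, the field labels that event 2889 uses in its message, and that the `LDAPServerIntegrity` value is what the "Domain controller: LDAP server signing requirements" policy writes (2 = Require signing, 1 = None). Run it in an elevated session on the domain controller.

```powershell
# Added example (not from the original thread). Elevated PowerShell on the DC
# that logs event 2887. Written for PowerShell 2.0 so it runs on Windows 2008.
$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParametersKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapInterfaceEventLogging {
    # Step 1: raise "LDAP Interface Events" to level 2 (what the 2887 text asks
    # for). From then on the DC writes one event 2889 per unsigned or cleartext
    # bind, naming the client address and the account it bound as.
    Set-ItemProperty -Path $DiagnosticsKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Get-ItemProperty -Path $DiagnosticsKey -Name '16 LDAP Interface Events'
}

function Get-UnsignedLdapBindReport {
    param([int]$Hours = 24)
    # Step 2 (a day later): pull the 2889 events and summarise who is still
    # binding without signing/TLS. The message is free text, so the fields are
    # extracted with regexes keyed on the labels the event uses (assumed labels).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $m = $e.Message
        New-Object PSObject -Property @{
            Client   = [regex]::Match($m, 'Client IP address:\s*(\S+)').Groups[1].Value
            Identity = [regex]::Match($m, 'Identity the client attempted to authenticate as:\s*(.+)').Groups[1].Value.Trim()
            # Binding Type: 0 = simple bind over cleartext, 1 = SASL bind without
            # signing (assumed mapping; the raw value is kept so you can verify it).
            BindType = [regex]::Match($m, 'Binding Type:\s*(\d+)').Groups[1].Value
        }
    }
    $rows | Group-Object Client, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Client / Identity / BindType'; e = { $_.Name } }
}

function Set-LdapServerSigningRequirement {
    param([switch]$Require)
    # Step 3: only after every client in the report has been fixed. Any client
    # that still does a cleartext simple bind will be refused once this is set.
    $value = if ($Require) { 2 } else { 1 }
    Set-ItemProperty -Path $ParametersKey -Name 'LDAPServerIntegrity' -Value $value -Type DWord
    Get-ItemProperty -Path $ParametersKey -Name 'LDAPServerIntegrity'
}

# Typical flow:
#   Enable-LdapInterfaceEventLogging
#   ... wait 24 hours ...
#   Get-UnsignedLdapBindReport | Format-Table -AutoSize
#   Set-LdapServerSigningRequirement -Require    # only once the report is empty
```

The report is the part that matters for the answer's caveat: every row is an application or host that would break the day signing is required, so each one has to be reconfigured for LDAPS (port 636) or a signed Kerberos/NTLM bind before the last step. If the signing requirement is set through Group Policy on the Domain Controllers OU rather than directly in the registry, the policy value wins on the next refresh, so pick one place to manage it.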
