sara2000
 asked on

LDAP binding and AD

AD experts out there, you will be able to shed light on LDAP channel binding, LDAP signing, and Kerberos authentication. I have been reading the link below, and it states that the March 2020 update will enable LDAP signing on the Active Directory server by default. My understanding is that any device which uses LDAP is going to be broken.
We have Windows 2012 AD domain controllers and Windows 10 PCs. All the PCs are part of the AD; in this case they use Kerberos authentication, so we do not need to worry about LDAP signing unless we use any non-AD device for LDAP queries, and then we have to make sure that they use SSL/TLS. Am I correct?
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-window
My next question,
Where and when do LDAP channel binding and LDAP signing come into play in AD?
* LDAP
* Active Directory

8/22/2022 - Mon
Darrell Porter

LDAP bindings which are simple or unsecured will fail following the March 2020 patches.

The first thing you need to do is download the LDAP query PowerShell script from GitHub.  Read this article for a link to the script repository.

Once you have that, you will need to follow the instructions to temporarily set the diagnostic logging level to 3 for all domain controllers.

You will let your domain controllers run like this for at least 24 hours and then run the script on each domain controller in an elevated PowerShell process.  The script will output a list of any process using simple or unsecured LDAP.
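As an added illustration of what such a script does (this is not the thread's script nor Microsoft's), the following PowerShell summarises Event ID 2889 entries, which a domain controller writes for each unsigned SASL bind or cleartext simple bind once LDAP interface diagnostic logging has been raised as described above. The log name, event ID and the regular expressions over the event message text are assumptions about the DC's default English wording.

```powershell
# Added example: list clients still using unsigned/cleartext LDAP binds,
# taken from Event ID 2889 in the Directory Service log of a DC.
function Get-InsecureLdapBinds {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches, so an empty result is tolerated.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Binding Type as reported in the 2889 message (assumed mapping):
    # 0 = SASL bind without signing, 1 = simple bind over cleartext LDAP.
    $bindNames = @{ 0 = 'SASL bind without signing'; 1 = 'Simple bind over cleartext LDAP' }

    foreach ($e in $events) {
        $msg = $e.Message
        # Field extraction from the message text (assumption about the wording).
        $client   = if ($msg -match 'Client IP address:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        $identity = if ($msg -match 'authenticate as:\s*([^\r\n]+)')   { $Matches[1].Trim() } else { 'unknown' }
        $typeNum  = if ($msg -match 'Binding Type:\s*(\d+)')           { [int]$Matches[1] }  else { -1 }
        $typeName = if ($bindNames.ContainsKey($typeNum)) { $bindNames[$typeNum] } else { "unknown ($typeNum)" }

        [pscustomobject]@{
            Client   = $client -replace ':\d+$', ''   # drop the ephemeral source port only
            Identity = $identity
            BindType = $typeName
            Time     = $e.TimeCreated
        }
    }
}

# One row per client / identity / bind type, with a count and last sighting:
# this is the list to work through with the owners of each device or application.
Get-InsecureLdapBinds -Hours 24 |
    Group-Object Client, Identity, BindType |
    ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each domain controller (or pass -DomainController); an empty table after the 24-hour collection window means no insecure binds were recorded on that DC.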
sara2000

ASKER
I have done all and identified the devices which use LDAP. I have not seen any desktop with that event.

My confusion is about the desktop. Does the desktop use LDAP for any AD queries?
Darrell Porter

Domain-joined workstations do not use LDAP for Active Directory enumeration.  They use native AD calls for this work.  LDAP is generally used by third-party tools to perform single-sign-on authentication with Active Directory.

For example, VMware uses LDAP to perform AD-integrated authentication.
Darrell Porter

And you do need to allow the Domain Controllers to collect LDAP messages for at least 24 hours to generally ensure there are no affected LDAP connections in your environment.
sara2000

ASKER
Thanks for the reply. We ran the script and found a few devices which use LDAP. I have a question about the March 2020 security updates. My assumption is the update will enable only LDAPS; the devices will break if we do not configure them for LDAPS.
Do we have to do anything on the domain controllers other than applying March 2020 patches? That is, enforcing the LDAP signing policy via GP.
Darrell Porter

The only systems which should be answering LDAP queries in the average environment are your domain controllers.
It would be best to identify what devices or applications are performing LDAP queries and ensure these are doing so securely.
Your workstations should not be performing any LDAP queries inside or outside of the organization under normal circumstances.  If they are doing so, that would be suspicious behavior unless you know you have a documented application performing these queries.
sara2000

ASKER
Thanks Darrell
I found the devices and changed the configuration to use TLS. All good now. However, I noticed another article on the internet which says to edit the registry to enforce LDAP binding. This is where my confusion is.
I configured the client to use TLS and did not make a change in the registry to enforce LDAP binding.
Does this mean that my client can be vulnerable even though they use TLS?
Darrell Porter

It would help to answer your question if you could post the relevant URLs you are looking at to this thread.
ASKER CERTIFIED SOLUTION
Darrell Porter

sara2000

ASKER
If I understood correctly, LDAP channel binding is used with a foreign AD, am I correct?
Darrell Porter

It can be your domain reaching out to a foreign domain or, like Fiery print servers, a foreign host performing LDAP lookups against your Active Directory.