sara2000

LDAP binding and AD

AD experts out there, you will be able to shed light on LDAP channel binding, LDAP signing, and Kerberos authentication. I have been reading the link below, and it states that the March 2020 update will enable LDAP signing on the Active Directory server by default. My understanding is that any device which uses LDAP is going to be broken.
We have Windows 2012 AD domain controllers and Windows 10 PCs. All the PCs are part of the AD; in this case they use Kerberos authentication, so we do not need to worry about LDAP signing unless we use any non-AD device for LDAP queries, in which case we have to make sure that they use SSL/TLS. Am I correct?
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-window
My next question:
Where and when do LDAP channel binding and LDAP signing come into account in AD?
Darrell Porter

LDAP bindings which are simple or unsecured will fail following the March 2020 patches.

The first thing you need to do is download the LDAP query PowerShell script from GitHub.  Read this article for a link to the script repository.

Once you have that, you will need to follow the instructions to temporarily set the diagnostic logging level to 3 for all domain controllers.

You will let your domain controllers run like this for at least 24 hours and then run the script on each domain controller in an elevated PowerShell process.  The script will output a list of any process using simple or unsecured LDAP.
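To make the collection step concrete, here is an added PowerShell example (not the GitHub script referred to above, and not part of this thread) that turns on the LDAP interface diagnostic level on a domain controller and then summarises Event ID 2889, the event a DC logs for each simple or unsigned SASL bind. It assumes the `16 LDAP Interface Events` registry value and the 2889 event data layout documented by Microsoft; the `-EnableLogging` and `-Hours` parameters are constructed for this example.

```powershell
# Added example: find simple / unsigned LDAP binds on a domain controller.
# Run in an elevated PowerShell on each DC. First pass: -EnableLogging; after
# 24 hours or more, run again without it to summarise what was logged.
[CmdletBinding()]
param(
    [switch]$EnableLogging,   # constructed parameter names for this example
    [int]$Hours = 24
)

$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

if ($EnableLogging) {
    # Level 2 is enough to log Event 2889 (the thread uses 3, which also logs it).
    # Set it back to 0 when the collection window is over.
    Set-ItemProperty -Path $diagKey -Name $diagName -Value 2 -Type DWord
    Write-Output "Logging enabled; collect for at least $Hours hours, then rerun without -EnableLogging."
    return
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Event 2889 since $since : no simple or unsigned LDAP binds observed."
    return
}

# Assumption: 2889 carries three data fields, in this order:
# [0] client IP:port, [1] identity the client bound as, [2] binding type
# (0 = simple bind, 1 = SASL bind without signing).
$rows = foreach ($e in $events) {
    $p    = $e.Properties
    $type = switch ([int]$p[2].Value) { 0 { 'Simple' } 1 { 'SASL-unsigned' } default { "Unknown($_)" } }
    [pscustomobject]@{
        Client   = ($p[0].Value -replace ':\d+$', '')   # drop the ephemeral source port
        Identity = $p[1].Value
        BindType = $type
    }
}

# One line per client/identity/bind type with a count: these are the hosts to move to
# LDAPS or signed binds before signing and channel binding are enforced on the DCs.
$rows | Group-Object Client, Identity, BindType | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Client = $first.Client; Identity = $first.Identity; BindType = $first.BindType; Count = $_.Count
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```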
sara2000 (ASKER)

I have done all this and identified the devices which use LDAP. I have not seen any desktop with that event.

My confusion is about the desktop. Does the desktop use LDAP for any AD queries?
Domain-joined workstations do not use LDAP for Active Directory enumeration.  They use native AD calls for this work.  LDAP is generally used by third-party tools to perform single-sign-on authentication with Active Directory.

For example, VMware uses LDAP to perform AD-integrated authentication.
And you do need to allow the Domain Controllers to collect LDAP messages for at least 24 hours to generally ensure there are no affected LDAP connections in your environment.
Thanks for the reply. We ran the script and found a few devices which use LDAP. I have a question about the March 2020 security updates. My assumption is that the update will enable only LDAPS, and the devices will break if we do not configure them for LDAPS.
Do we have to do anything on the domain controllers other than applying March 2020 patches? That is, enforcing the LDAP signing policy via GP.
The only systems which should be answering LDAP queries in the average environment are your domain controllers.
It would be best to identify what devices or applications are performing LDAP queries and ensure these are doing so securely.
Your workstations should not be performing any LDAP queries inside or outside of the organization under normal circumstances.  If they are doing so, that would be suspicious behavior unless you know you have a documented application performing these queries.
Thanks Darrell.
I found the devices and changed the configuration to use TLS. All good now. However, I noticed another article on the internet which says to edit the registry to enforce LDAP binding. This is where my confusion is.
I configured the client to use TLS and did not make a change in the registry to enforce LDAP binding.
Does this mean that my client can be vulnerable even though they use TLS?
It would help to answer your question if you could post the relevant URLs you are looking at to this thread.
ASKER CERTIFIED SOLUTION
Darrell Porter

If I understood correctly, LDAP channel binding is used with a foreign AD. Am I correct?
It can be your domain reaching out to a foreign domain or, like Fiery print servers, a foreign host performing LDAP lookups against your Active Directory.