Article ID: 935834 - View products that this article applies to.
RAPID PUBLISHINGRAPID PUBLISHING ARTICLES PROVIDE INFORMATION IN RESPONSE TO EMERGING OR UNIQUE TOPICS AND MAY BE UPDATED AS NEW INFORMATION BECOMES AVAILABLE.
The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols.
Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.
This article describes how to configure your directory server to protect it from such attacks.
How to discover clients that do not use the "Require signing" optionClients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. To help identify these clients, the directory server logs a summary event 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.
If you must have more information to identify such clients, you can configure the directory server to provide more detailed logs. This additional logging will log an event 2889 when a client tries to make an unsigned LDAP bind. The logging displays the IP address of the client and the identity that the client tried to use to authenticate. You can enable this additional logging by setting the LDAP Interface Events diagnostic setting to 2 (Basic). For more information about how to change the diagnostic settings, go to the following Microsoft website:
http://go.microsoft.com/?linkid=9645087If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur.
How to configure the directory to require LDAP server signing
Using Group Policy
How to set the server LDAP signing requirement
How to set the client LDAP signing requirement through local computer policy
How to set the client LDAP signing requirement through a domain Group Policy Object
(http://support.microsoft.com/kb/823659/ )Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
How to use registry keysTo have us change the registry keys for you, go to the "Fix it for me" section. If you prefer to change the registry keys yourself, go to the "Let me fix it myself" section.
Fix it for meTo fix this problem automatically, click the Fix it button or link, click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Fix this problemNotes
Microsoft Fix it 50518
Let me fix it myselfImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Note The placeholder <InstanceName> represents the name of the AD LDS instance that you want to change.
How to verify configuration changes
Ldap_simple_bind_s() failed: Strong Authentication Required
Did this fix the problem?
DISCLAIMERMICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION THAT IS CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE FOR ANY PURPOSE. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.
Article ID: 935834 - Last Review: July 5, 2012 - Revision: 6.0