Disabling LDAP Encryption and Signing for Netmon on an Exchange server
It’s been a while since my last post, but I’ve been super busy. I wanted to post something that I often have to do with customers.
There may be times when in order to further troubleshoot a problem, you need to capture a Network Monitor trace. Netmon is very helpful in finding delays, and LDAP errors. However, there is one major hurdle. Virtually all LDAP traffic is signed and sealed, and encrypted. This unfortunately makes viewing the queries and responses impossible by default. You would see something similar to the following.
|LDAP||LDAP: GSS-API Encrypted Payload|
And that is all you will see. Of course, this makes troubleshooting much harder, because you can’t see what queries are being issued, or what the Domain Controller is responding with. Fortunately, there are ways to turn off LDAP encryption. I have gathered together the following list of things that need to be done in order to ensure that all forms of LDAP encryption are disabled. Some steps are only for Exchange 2003, and others are only for Exchange 2007. Where specific to a version, I have included which version it applies to.
Here are the steps to turn off LDAP encryption. There are a few different places we have to do this in order to catch everything.
These steps apply to both Exchange 2003 and Exchange 2007
1. Modify the Local Security Policy.
Under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Find the policy setting “Network Security: LDAP client signing requirements”. Note that the default is set to “Negotiate signing”. On the Domain Controller side, it is actually set to None by default, but since the client requests to negotiate, it will always be signed if supported. Set this to None on the “client” (the Exchange server is the client in this case). You should also check the Default Domain Controller group policy, as if the LDAP signing policy is set to Negotiate, or Require, you will need to modify the Domain Controller policy as well.
2. Set the following registry key and value on the Exchange server. If the AdminDebug key is not present, add it. This registry value disables Encrypted LDAP Bind’s. Normally, once a Bind request is issued, all LDAP traffic sent after that will be encrypted.
New DWORD value: ADsOpenObjectFlags
Data Value: 0x3
Per KB 325465, the following values correspond with the following actions. As you can see, by setting the value to 0x3, we disable both Signing and Encryption.
Value Data (Hexadecimal) Disables
3 Encryption and Signing
This step is for Exchange 2007 only
3. Add the following registry key to disable LDAP encryption for the Exchange 2007 DSAccess process
New DWORD value: Disable LDAP Encryption
Data Value: 0x1
This step is for Exchange 2003 only
4. Per KB818479, to disable signing and encryption for traffic created by Exchange 2003 Admin tools, add the following value
New DWORD value: DebugLDAP
Data Value: 0x1
Once you have set all of these options, you should be good to go. Get another Netmon trace, and you should now be able to view the contents of every LDAP frame. On rare occasions, you may need to reboot to get all of these settings to be correctly read. Also, don’t forget to undo any changes that are made once you are done. Signing and Encryption of LDAP traffic is a good thing to have in place for security reasons, so only leave this disabled as long as you need to.