Event ID 2888 — LDAP signing

  • Article

Applies To: Windows Server 2008 R2

To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.

Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Event Details

Product: Windows Operating System
ID: 2888
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_HAVE_REJECTED_UNSIGNED_CLIENTS
Message: During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection This directory server is configured to reject such binds. This is the recommended configuration setting, and significantly enhances the security of this server. For more details, please see https://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of such binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. Number of simple binds rejected because they were performed without SSL/TLS: "Value" Number of Negotiate/Kerberos/NTLM/Digest binds rejected because they were performed without signing:"Value"

Resolve

Configure client computers to negotiate LDAP signing

The domain controller is configured to reject unsigned and simple LDAP connections, but some client computers are still attempting to make unsigned or simple LDAP connections. To resolve this issue, configure all client computers to use signed LDAP connections. For additional information and configuration details, see article 823659 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=145022).

Discover client computers that do not use signing

Client computers that currently rely on unsigned binds or LDAP simple binds over a non-Secure Sockets Layer / Transport Layer Security (SSL/TLS) connection will stop working if this you make this configuration change. You should first identify all the client computers that are using unsigned binds. When unsigned binds occur, the domain controller will log Event ID 2887 every 24 hours, indicating how many unsigned binds have occurred. If you want to learn specifically which client computers are using unsigned binds to the domain controller, you can enable diagnostic logging for LDAP Interface Events.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on the domain controller on which you want to perform diagnostic logging.

To enable diagnostic logging for LDAP Interface Events:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type the following command, and then press ENTER: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 
  3. When you are prompted, confirm the overwrite operation by typing Y and pressing ENTER.
  4. Use Event Viewer to locate the Event ID 2889, which is logged each time that a client computer attempts an unsigned LDAP bind. This event displays the client IP address and the account name that was used when the client computer attempted to authenticate.
  5. After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: **Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 **
  6. Type Y and press ENTER to confirm the settings overwrite, which disables diagnostic logging for the LDAP Interface.

For additional information about Active Directory diagnostic logging, see article 314980 in the Microsoft Knowledge Base (https://go.microsoft.com/?linkid=145021).

Configuring client computers for LDAP signing

You can configure Microsoft client computers for LDAP signing by using a Group Policy object (GPO) or by using the registry. If you need to configure non-Microsoft LDAP client computers for LDAP signing, consult the vendor’s documentation.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/?linkid=144909).

Using Group Policy to configure client LDAP signing requirements

If you are unfamiliar with the implications of using GPOs to enforce network policies, first review Group Policy Collection (https://go.microsoft.com/fwlink/?LinkId=145023).

To use Group Policy to configure client computers to use LDAP signing:

  1. Open the Group Policy Management Console. To open the Group Policy Management Console, click Start. In Start Search, type Group Policy Management. Right-click the Group Policy Management icon on the Start menu, and then click Run as administrator.
  2. Expand the forest and domains objects until you locate the domain object and container that applies to the client computers that you want to configure.
  3. Create a new GPO or select an existing GPO that will apply to the client computers on which you want to require LDAP signing.
  4. Right-click the GPO that you have decided to use, and then click Edit.
  5. Expand the following objects in the Group Policy Management Editor: Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Security Options.
  6. In the right pane, double-click the Domain security: LDAP client signing requirements policy.
  7. Ensure that the Define this policy setting check box is selected, use the selection box to set Negotiate, and then click OK.
  8. Review the information in the Confirm Setting Change dialog box, and if you are sure you want to make this change, click Yes to continue.

Using a registry key to configure client LDAP signing requirements

You must perform the following procedure on each client computer that you want to change.

To use the registry to configure Microsoft client computers to use signed LDAP bind requests:

  1. Open Registry Editor as an administrator. To open Registry Editor as an administrator, click Start. In Start Search, type RegEdit. At the top of the Start menu, right-click Regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP, in the left pane, right-click LDAPClientIntegrity, and then click Modify.
  3. Type 1 for Value data to configure the server to reject simple or unsigned LDAP bind requests, and then click OK.

For non-Microsoft clients or LDAP applications, see the specific vendor documentation.

Verify

Membership in Domain Users, or equivalent, is the minimum required to perform the following procedure. Review details about default group memberships at https://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/?linkid=144909).

To verify that the directory is configured to reject simple LDAP connections:

  1. Open Ldp. To open Ldp, click Start. In Start Search, type ldp. Right-click the Ldp icon on the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Click the Ldp Connection menu, and then click Connect. In Server, type the host name of the server to which you want to connect. Ensure that Port is set to 389 and that the Connectionless and SSL check boxes are cleared, and then click OK.
  3. Click the Connection menu, and then click Bind.
  4. In the Bind dialog box, click Simple bind
  5. In User, type domainname\username, where domainname is the actual name of the domain and username is the name of the account that you are using. Enter your password in the Password box, and then click OK.

If the command output in the results pane displays an error message that reads "Ldap_simple_bind_s() failed: Strong Authentication Required" or "Error 0x2028: A more secure authentication method is required for this server," the domain controller is configured to reject simple LDAP binds. However, if the command output reads "Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'," the directory is allowing simple LDAP binds.

When client computers make or attempt to make unsigned or simple connections to the directory, Event ID 2887 from source Microsoft-Windows-ActiveDirectory_DomainService is logged to the Directory Service log on the domain controller. If you do not see that event in the Directory Service log, client computers are not attempting to make unsigned or simple LDAP connections to the domain controller.

LDAP signing

Active Directory