Getting Ready for LDAP Channel Binding & LDAP Signing Changes on March 10 Windows Update

Hello guys,

It’s been a while since my last blog post, and today I want to talk with you about the expected changes with LDAP Channel Binding and LDAP Signing.

Many blog posts and articles were written about this subject, but after reading them I still found it difficult to understand the meanings and implications of the expected changes in LDAP.

This blog post will hopefully shed some light on this, while providing you with simple instructions on how to prepare your environment (and yourself) for those changes.

Introduction

What is LDAP Signing?

LDAP signing is the process of digitally signing LDAP traffic.
By default, Active Directory uses an unsafe default configuration that lets LDAP clients communicate with Domain Controllers without enforcing LDAP signing, which could allow a man-in-the-middle attacker to successfully forward an authentication request to a Domain Controller.

Digitally signed LDAP traffic provides:

  1. Integrity verification – Making sure that the LDAP traffic has not been altered in transit.
  2. Authenticity validation – Providing a way to verify the origin of the LDAP traffic.

LDAP signing can be configured using Group Policy, which is ultimately reflected in a registry value.
Pay attention that LDAP signing must be configured on both sides: Domain Controllers and domain members. More on that later.

What is LDAP Channel Binding?

LDAP channel binding refers to binding the TLS tunnel and the LDAP application layer together to create a unique fingerprint, called a Channel Binding Token (CBT).
Intercepted LDAP communications cannot be re-used, since replaying them would require establishing a new TLS tunnel, which would invalidate the communication’s unique fingerprint (in other words, the CBT).

By default, LDAP channel binding is disabled, meaning that no channel binding validation is performed. This is the behavior of any server that has not been manually configured otherwise.

LDAP Channel Binding Example:

When LDAP Channel Binding is enabled, Domain Controllers compare the received CBT to the CBT contained in the client authentication information.

After installing March 10 Windows Update, LDAP Channel Binding can be configured using Group Policy as well.

Getting ready

First, relax. March 10 update (and updates in the foreseeable future) will not change LDAP signing or LDAP channel binding default policies or their registry equivalent for new or existing Active Directory Domain Controllers.

So… What does it do?

  1. Adds a Group Policy setting named “Domain controller: LDAP server channel binding token requirements“, which lets administrators control the LDAP Channel Binding requirements.
  2. Adds new events for Channel Binding Tokens to the Directory Service event log.

The main purpose of this update is to allow administrators to easily identify unsecured and incompatible applications by collecting LDAP signing and LDAP Channel Binding information.

Using the collected information, administrators can decide whether they are ready to enable LDAP signing and LDAP Channel Binding in their environment or not.

How to collect the relevant LDAP logs?

LDAP Signing Events

Let’s start with the LDAP Signing events. Remember that these events have existed since Windows Server 2008 and are available regardless of the March 10 Windows Update.

The following events are logged. “Required logging level” refers to the “16 LDAP Interface Events” diagnostics value described in the notes below.

  • Event ID 2886
    Description: A summary event, triggered once every 24 hours, indicating that this domain controller is not aligned with Microsoft’s best practices and could be significantly improved by configuring the server to enforce validation of LDAP signing.
    Trigger: Every 24 hours, on startup or on start of service, if the Group Policy setting “Domain controller: LDAP server signing requirements” is set to None.
    Required logging level: 0 or higher
  • Event ID 2887
    Description: A summary event, triggered once every 24 hours, reporting how many LDAP binds that did not request signing and how many LDAP simple binds performed in cleartext have occurred.
    Trigger: Every 24 hours when the Group Policy setting “Domain controller: LDAP server signing requirements” is set to None and at least one unprotected bind was completed.
    Required logging level: 0 or higher
  • Event ID 2888
    Description: A summary event, triggered once every 24 hours, reporting how many LDAP binds that did not request signing and how many LDAP simple binds performed in cleartext have occurred and were rejected because of the “Require Signing” option.
    Trigger: Every 24 hours when the Group Policy setting “Domain controller: LDAP server signing requirements” is set to Require Signing and at least one unprotected bind was rejected.
    Required logging level: 0 or higher
  • Event ID 2889
    Description: An event triggered every time a client performs an LDAP bind that does not request signing, or an LDAP simple bind in cleartext. The event includes the client IP address and the authentication context (such as the authenticated user).
    Trigger: Every time a client does not use signing for a bind on a session on port 389.
    Required logging level: 2 or higher

LDAP Channel Binding Tokens Events

Unlike the LDAP signing events, the LDAP channel binding token events are new and require the installation of the March 10 Windows Update in order to be available.
The LDAP channel binding events are 3039, 3040, and 3041, as described below:

  • Event ID 3039
    Description: An event triggered every time a client performs an LDAP bind over SSL/TLS and fails the LDAP channel binding token validation.
    Trigger: Every time a client attempts to bind without a valid CBT while the CBT Group Policy setting is set to When Supported or Always.
    Required logging level: 2 or higher
  • Event ID 3040
    Description: A summary event, triggered once every 24 hours, reporting how many unprotected LDAPS binds were performed.
    Trigger: Every 24 hours when the CBT Group Policy setting is set to Never and at least one unprotected bind was completed.
    Required logging level: 0 or higher
  • Event ID 3041
    Description: A summary event, triggered once every 24 hours, indicating that this domain controller is not aligned with Microsoft’s best practices and could be significantly improved by configuring the server to enforce validation of LDAP channel binding tokens.
    Trigger: Every 24 hours, on startup or on start of service, if the CBT Group Policy setting is set to Never.
    Required logging level: 0 or higher

Some notes about the LDAP Signing and LDAP Channel Binding Tokens events:

  1. All of the events are located in the “Directory Service” log.
  2. To enable event IDs 2889 and 3039, the registry value “16 LDAP Interface Events” (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics) must be set to 2 or higher. You can use the following command to set it:
    Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
  3. Full documentation about the LDAP signing events can be found under Microsoft Docs.
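Once the diagnostics level is at 2, the per-client events 2889 and 3039 are what tell you which hosts and accounts still need attention. The following PowerShell is an added example written for this post (it is not code from the original post or from Microsoft): it parses the two events into objects and ranks the sources. It assumes that the message text of 2889 and 3039 contains the fields “Client IP address:” and “Identity the client attempted to authenticate as:” as the regular expressions expect; the sample messages at the bottom are constructed for the offline demo, so compare them with one real event on your build before relying on the parser.

```powershell
# Added example (not from the original post): parse the per-client events
# 2889 (unsigned / cleartext bind) and 3039 (LDAPS bind that failed CBT
# validation) from the Directory Service log and rank the sources.
# Assumption: the two regular expressions below match the field labels as
# written in the event message; check one real event on your build first.

function ConvertFrom-LdapClientEvent {
    param(
        [Parameter(Mandatory)] [int]    $Id,
        [Parameter(Mandatory)] [string] $Message,
        [string] $DomainController = 'n/a'
    )

    $endpoint = if ($Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'n/a' }
    $identity = if ($Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') {
        $Matches[1].Trim()
    } else { 'n/a' }

    # The endpoint is logged as address:port; drop the ephemeral port so that
    # repeated binds from the same host group together.
    $address = if ($endpoint -match '^(.+):\d+$') { $Matches[1] } else { $endpoint }

    $finding = if ($Id -eq 2889) { 'Unsigned or cleartext simple bind' }
               elseif ($Id -eq 3039) { 'LDAPS bind failed CBT validation' }
               else { "Unhandled event $Id" }

    [pscustomobject]@{
        DomainController = $DomainController
        EventId          = $Id
        Finding          = $finding
        ClientAddress    = $address
        Identity         = $identity
    }
}

function Get-LdapClientFindings {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [int] $Days = 7
    )
    # Only the two per-client events; the 24-hour summaries carry no client data.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LdapClientEvent -Id $_.Id -Message $_.Message -DomainController $dc }
    }
}

function Group-LdapClientFindings {
    param([object[]] $Findings)
    # Noisiest (event, host, identity) combinations first: these are the
    # applications to fix before moving either policy to an enforcing value.
    $Findings |
        Group-Object EventId, ClientAddress, Identity |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count         = $_.Count
                EventId       = $_.Group[0].EventId
                Finding       = $_.Group[0].Finding
                ClientAddress = $_.Group[0].ClientAddress
                Identity      = $_.Group[0].Identity
            }
        }
}

# Constructed sample messages (not captured from a real DC) to exercise the parser offline.
$sample2889 = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.25:49812
Identity the client attempted to authenticate as:
CONTOSO\svc-legacy-app
Binding Type:
0
"@
$sample3039 = @"
The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.

Client IP address:
10.0.0.41:50110
Identity the client attempted to authenticate as:
CONTOSO\jsmith
"@

$demo = @(
    (ConvertFrom-LdapClientEvent -Id 2889 -Message $sample2889 -DomainController 'DC01'),
    (ConvertFrom-LdapClientEvent -Id 2889 -Message $sample2889 -DomainController 'DC02'),
    (ConvertFrom-LdapClientEvent -Id 3039 -Message $sample3039 -DomainController 'DC01')
)
Group-LdapClientFindings -Findings $demo | Format-Table -AutoSize

# Against real Domain Controllers (needs the RSAT ActiveDirectory module and event log access):
# $dcs = (Get-ADDomainController -Filter *).HostName
# Group-LdapClientFindings -Findings (Get-LdapClientFindings -DomainController $dcs -Days 7) | Format-Table -AutoSize
```

The offline demo groups the two constructed 2889 events from the same host and identity into one row with a count of 2, which is the view you want: a handful of service accounts and appliances usually account for most of the volume, and each row is one application owner to contact.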

Use Group Policy to configure LDAP Signing & LDAP Channel Binding

Configure LDAP Signing

Controlling the LDAP signing requirements using Group Policy has been around for quite a long time, regardless of the March 10 Windows Update.

  • Policy Setting: “Domain controller: LDAP server signing requirements”
  • Registry Value: LDAPServerIntegrity (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
  • Default Value: Not defined (which means ‘None’)

Possible options for Group Policy setting “Domain controller: LDAP server signing requirements”:

  • None
    Meaning: Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it.
    Registry value: 1
  • Require Signing
    Meaning: The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
    Registry value: 2

Microsoft recommends configuring this policy to “Require Signing”, but this can be achieved only after eliminating every client/application that uses unsigned LDAP binds or LDAP simple binds.

Bottom line: Unless all of your clients are using LDAP signing and no LDAP signing events (2887 and 2889) are being logged, keep “Domain controller: LDAP server signing requirements” at ‘None’.

Configure LDAP Channel Binding

The March 10 update is required to control LDAP Channel Binding using Group Policy.
Before the update, administrators could enforce LDAP channel binding only through the registry value ‘LdapEnforceChannelBinding’. Starting with the March 10 Windows Update, the Group Policy setting ‘Domain controller: LDAP server channel binding token requirements’ is available as well.

  • Policy Setting: “Domain controller: LDAP server channel binding token requirements”
  • Registry Value: LdapEnforceChannelBinding (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
  • Default Value: Not defined (no changes will be made)

Possible options for Group Policy setting “Domain controller: LDAP server channel binding token requirements”:

  • Never
    Meaning: No channel binding validation is performed.
    Registry value: 0
  • When Supported
    Meaning: Clients that support Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections, while unsupported clients are not impacted. This is an intermediate option that supports application compatibility.
    Registry value: 1
  • Always
    Meaning: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that do not do so.
    Registry value: 2

The option “When Supported” provides an intermediate solution that lets compatible clients work with channel binding tokens while allowing incompatible clients to continue working without them.

Pay attention that LDAP channel binding requires all Windows devices (servers and clients) to have the update for CVE-2017-8563 installed.

Bottom line: Consider using “When Supported” as an intermediate option for all of your clients. Make sure that the update for CVE-2017-8563 (available since 2017) is installed on every supported client to avoid issues with CBT.
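Because both policies end up as registry values under the NTDS Parameters key, readiness can be checked by reading those values on every Domain Controller and translating them back into the policy names from the two tables above. The PowerShell below is an added example written for this post (not code from the original post or from Microsoft). It assumes WinRM (Invoke-Command) access to the Domain Controllers and the RSAT ActiveDirectory module to enumerate them; the translation function itself needs neither and is exercised at the end with constructed values.

```powershell
# Added example (not from the original post): report the effective LDAP signing
# and channel binding settings per Domain Controller by reading the registry
# values behind the two Group Policy settings, plus the diagnostics level that
# gates the per-client events 2889 / 3039.
# Assumptions: WinRM access to each DC and the RSAT ActiveDirectory module.

function Resolve-LdapHardeningState {
    param(
        $LdapServerIntegrity,        # Parameters\LDAPServerIntegrity: 1 = None, 2 = Require Signing
        $LdapEnforceChannelBinding,  # Parameters\LdapEnforceChannelBinding: 0 = Never, 1 = When Supported, 2 = Always
        $LdapInterfaceEvents         # Diagnostics\"16 LDAP Interface Events": 2 or higher for 2889 / 3039
    )

    $signing = if ($null -eq $LdapServerIntegrity) { 'Not defined (behaves as None)' }
               elseif ($LdapServerIntegrity -eq 1)  { 'None' }
               elseif ($LdapServerIntegrity -eq 2)  { 'Require Signing' }
               else { "Unexpected value $LdapServerIntegrity" }

    $cbt = if ($null -eq $LdapEnforceChannelBinding) { 'Not defined (no CBT validation)' }
           elseif ($LdapEnforceChannelBinding -eq 0) { 'Never' }
           elseif ($LdapEnforceChannelBinding -eq 1) { 'When Supported' }
           elseif ($LdapEnforceChannelBinding -eq 2) { 'Always' }
           else { "Unexpected value $LdapEnforceChannelBinding" }

    $level = if ($null -eq $LdapInterfaceEvents) { 0 } else { [int]$LdapInterfaceEvents }

    # What to do next, following the order of the recommended actions in this post.
    $advice = @()
    if ($level -lt 2) { $advice += 'Raise "16 LDAP Interface Events" to 2 so 2889 / 3039 are logged' }
    if ($signing -ne 'Require Signing') { $advice += 'Review 2887 / 2889 before requiring signing' }
    if ($cbt -notin 'When Supported', 'Always') { $advice += 'Consider "When Supported" once CVE-2017-8563 is installed on clients' }
    if ($advice.Count -eq 0) { $advice += 'Enforcing; keep monitoring 2888 / 3039' }

    [pscustomobject]@{
        LdapSigning         = $signing
        ChannelBinding      = $cbt
        LdapInterfaceEvents = $level
        PerClientEventsOn   = ($level -ge 2)
        Advice              = ($advice -join '; ')
    }
}

function Get-LdapHardeningState {
    param([Parameter(Mandatory)] [string[]] $DomainController)
    foreach ($dc in $DomainController) {
        $raw = Invoke-Command -ComputerName $dc -ScriptBlock {
            $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
            $diag   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
            # A value that is not present comes back as $null, which maps to "Not defined" above.
            [pscustomobject]@{
                LdapServerIntegrity       = $params.LDAPServerIntegrity
                LdapEnforceChannelBinding = $params.LdapEnforceChannelBinding
                LdapInterfaceEvents       = $diag.'16 LDAP Interface Events'
            }
        }
        $state = Resolve-LdapHardeningState -LdapServerIntegrity $raw.LdapServerIntegrity `
                                            -LdapEnforceChannelBinding $raw.LdapEnforceChannelBinding `
                                            -LdapInterfaceEvents $raw.LdapInterfaceEvents
        $state | Add-Member -NotePropertyName DomainController -NotePropertyValue $dc -PassThru
    }
}

# Constructed values (not read from a real DC): defaults, with only the diagnostics level raised.
Resolve-LdapHardeningState -LdapServerIntegrity $null -LdapEnforceChannelBinding $null -LdapInterfaceEvents 2
# Constructed values: the interim state this post recommends (None + When Supported, level 2).
Resolve-LdapHardeningState -LdapServerIntegrity 1 -LdapEnforceChannelBinding 1 -LdapInterfaceEvents 2

# Against real Domain Controllers:
# Get-LdapHardeningState -DomainController (Get-ADDomainController -Filter *).HostName | Format-Table -AutoSize
```

Reading the registry rather than the GPO result is deliberate: a value that Group Policy never wrote shows up as “Not defined”, which behaves as None for signing and as no validation for channel binding, and that is exactly the state the March 10 update leaves unchanged.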

Takeaways

The March 10 Windows Update adds a Group Policy setting for controlling LDAP channel binding, as well as new events related to LDAP channel binding. The March 10 update will NOT change the LDAP signing or LDAP channel binding default policies.

Recommended Actions

  1. Install the March 10 Windows Update on every Domain Controller.
  2. Set the LDAP Interface Events diagnostic level to 2 on every Domain Controller using:
    Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
  3. Consider setting the Group Policy setting “Domain controller: LDAP server channel binding token requirements” to “When Supported”. Remember to check that the update for CVE-2017-8563 is installed on every supported OS.
  4. Monitor the “Directory Service” event log on all Domain Controllers. Use event IDs 3039 and 2889 to identify applications, servers, and devices that are making unsigned LDAP calls or not using LDAP Channel Binding.

Additional Reading

  1. 2020 LDAP channel binding and LDAP signing requirements for Windows:
    https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows.
  2. Frequently asked questions about changes to LDAP: https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap.

Authors