LDAP signing set to 'Require Signing' on Endpoints (including Servers) & none on Domain Controllers

Question

LDAP signing set to 'Require Signing' on Endpoints (including Servers) & none on Domain Controllers

HM 66

Background Information:

We are in the process of enabling LDAP signing within our domain.

Phase 1: We updated the Group Policy on client machines to 'Negotiate Signing' and enabled auditing on Domain Controllers. The 2889 event ID in Directory Services identified few legacy appliances and applications that cannot support LDAP signing.

To address this, we decided to redirect such legacy systems to a specific Domain Controller (e.g., DC10). Currently, the LDAP signing policy on all Domain Controllers is set to 'None.'

Phase 2: We plan to enable LDAP signing as 'Require Signing' on all Domain Controllers except DC10.

Phase 3: We intend to enforce LDAP signing as 'Require Signing' on all client machines (including servers).

Question:

Given that we will not enable the LDAP signing group policy on DC10 (keeping it set to 'None'), will client machines configured to require LDAP signing face any authentication issues when attempting to authenticate via DC10 after Phase 3? Or will it still function correctly, even though DC10 does not mandate LDAP signing?

Accepted answer

0 additional answers

Your answer

Answer 1

Marcin Policht 50,335 MVP Volunteer Moderator

Yep - AFAIK, client machines configured to require LDAP signing in Phase 3 will face authentication issues when attempting to authenticate via DC10, which is configured with the LDAP signing policy set to 'None'.

When the "Require Signing" policy is enforced on client machines, they will only perform LDAP operations with servers that support and enforce LDAP signing. This is a client-side requirement that ensures all LDAP traffic is signed and prevents it from communicating with servers that do not support signing.

By keeping LDAP signing set to "None" on DC10, it indicates that this Domain Controller will not enforce or negotiate LDAP signing. Effectively:

A client requiring LDAP signing will refuse to communicate with a server that does not support it, resulting in a failed connection attempt.
Clients attempting LDAP operations with DC10 will fail as DC10 cannot negotiate or enforce the required signing.

To avoid these issues: Option 1: Isolate legacy systems further:

Ensure only legacy systems interact with DC10. Use network segmentation, firewall rules, or host-based policies to restrict access to DC10 solely for those legacy systems that do not support LDAP signing.

Option 2: Add exceptions for legacy systems:

Implement policies that enforce LDAP signing for all Domain Controllers except DC10. However, ensure that client machines (servers or applications) interacting with DC10 are excluded from the "Require Signing" policy.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

HM 66 Reputation points

2024-12-10T19:43:29.9466667+00:00

Thank you Marcin, this is what I was worried about , thank you for the details
HM 66 Reputation points

2024-12-10T19:44:46.3133333+00:00

Thank you
Marcin Policht 50,335 Reputation points MVP Volunteer Moderator

2024-12-10T19:52:54.98+00:00

You're very welcome

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
HM 66 Reputation points

2024-12-10T20:26:20.4466667+00:00

Hi Marcin, I took a test machine (win10) and changed the below reg value to 2 :-

HKLM\SYSTEM\CurrentControlSet\Services\ldap\ ldapclientintegrity - 2 (Signing Required) .

Restarted the machine and it authenticated against DC1 on which LDAP signing is still set to 'None'. It can access all the resources in the network including printers, Sysvol shares etc. Does that mean, we might be ok if we set the value on clients but not on Domain controllers ?
Marcin Policht 50,335 Reputation points MVP Volunteer Moderator

2024-12-10T20:58:45.1133333+00:00
When you configure ldapclientintegrity to 2 (Signing Required), the client machine will attempt to negotiate signing for LDAP communications. If the Domain Controller does not enforce signing, the client will not downgrade the connection and the LDAP bind request requiring signing will fail.

Windows authentication mechanisms (like Kerberos and NTLM) and resource access (e.g., file shares like Sysvol or printers) do not inherently require LDAP signing. These use other protocols that are independent of LDAP signing policies.

So as far as I can tell, your test machine successfully authenticated and accessed network resources because:

The test didn't involve an LDAP operation requiring signing.

Authentication to the domain (e.g., Kerberos ticket issuance) and accessing shared resources do not rely on signed LDAP binds.

If an application or service explicitly requires LDAP communication (e.g., directory queries or LDAP binds) and the Domain Controller does not support signing, I'd expect the operation to fail.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
HM 66 Reputation points

2024-12-10T22:04:12.73+00:00
Thanks Marcin, valid point. As a test I performed below , let me know what you think :-

On my test machine Host1 , I changed the reg value to 2 HKLM\SYSTEM\CurrentControlSet\Services\ldap\ ldapclientintegrity - 2 (Signing Required)

Connected to DC1 (DC1 is Still on LDAPSigning 'None') using ldp.exe and able to connect & bind it with my credentials and browse the tree

Another test, Used ADExplorer.exe (sysinternals) and able to connect and browse both DC1 (LDAPSigning = None) & DC10 (LDAPSigning = Require Signing)
Marcin Policht 50,335 Reputation points MVP Volunteer Moderator

2024-12-10T22:14:05.1466667+00:00

Interesting...

As far as I can tell, this would indicate that in some scenarios, clients may not strictly enforce signing if the server does not support it, particularly for non-sensitive operations or due to tool-specific behavior. This might not represent the strict enforcement expected under all conditions - but it might be sufficient to support your specific use cases.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
HM 66 Reputation points

2024-12-10T22:24:51.59+00:00

fair enough, I really appreciate all your help and support. Thank you.
HM 66 Reputation points

2024-12-10T22:55:58.15+00:00

Thank you for all your help
Marcin Policht 50,335 Reputation points MVP Volunteer Moderator

2024-12-10T23:14:52.3566667+00:00

You're very welcome

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

LDAP signing set to 'Require Signing' on Endpoints (including Servers) & none on Domain Controllers

0 additional answers

Your answer