Share via

LDAPS protocol.

Doria 1,246 Reputation points
2021-05-14T17:22:01.443+00:00

Hi everyone!

After enabling LDAPS in the domain (DCs), should I define any GPO rules to tell the clients computers to only use LDAPS? Or is that automatic? I am asking because we are planning to block LDAP protocol traffic on the firewall between networks segments.

Hope I was clear enough.

Thanks.
Doria

Windows for business | Windows Server | User experience | Other

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2021-05-17T01:25:23.903+00:00

    Hi,

    LDAPS is automatically enabled when you install an Enterprise Root CA on a Domain Controller. If you install the AD-CS role and specify the type of setup as “Enterprise” on a DC, all DCs in the forest will automatically be configured to accept LDAPS.
    https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.asp

    If you want to secure the connection, you may consider configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Policies for your reference:

    Policy Setting: "Domain controller: LDAP server channel binding token requirements"
    Policy Setting: "Domain controller: LDAP server signing requirements"

    https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a

    Best Regards,

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.