LDAPS protocol.

Doria 1,246 Reputation points
2021-05-14T17:22:01.443+00:00

Hi everyone!

After enabling LDAPS in the domain (DCs), should I define any GPO rules to tell the client computers to only use LDAPS? Or is that automatic? I am asking because we are planning to block LDAP protocol traffic on the firewall between network segments.

Hope I was clear enough.

Thanks.
Doria

Windows Server

1 answer

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-05-17T01:25:23.903+00:00

    Hi,

    LDAPS is automatically enabled when you install an Enterprise Root CA on a Domain Controller. If you install the AD-CS role and specify the type of setup as “Enterprise” on a DC, all DCs in the forest will automatically be configured to accept LDAPS.
    https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.asp

    If you want to secure the connection, you may consider configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Policies for your reference:

    Policy Setting: "Domain controller: LDAP server channel binding token requirements"
    Policy Setting: "Domain controller: LDAP server signing requirements"

    https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a

    Best Regards,

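One way to verify what the answer describes from a management host, as an added example that is not part of the original answer or of Microsoft's own tooling: it reads the registry values behind the two listed policies on the DC and checks that an LDAPS bind on 636 is accepted while a SASL bind on 389 that does not request signing is refused. The DC name `dc01.example.internal` and WinRM access to the DC are assumptions.

```powershell
# Added audit example (not from the original answer or from Microsoft). Assumes a domain admin
# session on a management host with WinRM access to the DC; dc01.example.internal is a placeholder
# for your DC's FQDN, which must match the name on its LDAPS certificate.
param([string]$DomainController = 'dc01.example.internal')

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapHardening {
    # Registry values behind the two policies named in the answer (see the linked KB):
    #   LDAPServerIntegrity:       1 = None, 2 = Require signing
    #   LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
    param([string]$Dc)
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $sign = switch ([int]$p.LDAPServerIntegrity) { 2 {'Require signing'} 1 {'None'} default {'not set (defaults to None)'} }
        $cbt  = switch ([int]$p.LdapEnforceChannelBinding) { 2 {'Always'} 1 {'When supported'} default {'Never / not set'} }
        [pscustomobject]@{ Signing = $sign; ChannelBinding = $cbt }
    }
}

function Test-LdapBind {
    # Performs one bind and reports the outcome. With -Ssl on 636 this confirms LDAPS is accepted;
    # with -Sign:$false on 389 it confirms the DC rejects SASL binds that do not request signing
    # (expected result "rejected" once "Require signing" is in force).
    param([string]$Dc, [int]$Port, [bool]$Ssl, [bool]$Sign)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Ssl
    $conn.SessionOptions.Signing           = $Sign
    $conn.SessionOptions.Sealing           = $Sign
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try     { $conn.Bind(); 'accepted' }
    catch   { "rejected: $($_.Exception.Message)" }
    finally { $conn.Dispose() }
}

$h = Get-LdapHardening -Dc $DomainController
"LDAP signing policy:        $($h.Signing)"
"Channel binding policy:     $($h.ChannelBinding)"
"LDAPS bind on 636:          $(Test-LdapBind -Dc $DomainController -Port 636 -Ssl $true  -Sign $false)"
"Unsigned SASL bind on 389:  $(Test-LdapBind -Dc $DomainController -Port 389 -Ssl $false -Sign $false)"
```

Run it before and after the firewall change: a healthy result shows the 636 bind accepted and the unsigned 389 bind rejected, which is the state in which blocking plain LDAP between segments will not break clients that already negotiate signing or use LDAPS.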