How to disable LDAP and force LDAPS?

Question

Thursday, February 28, 2019 4:14 AM

We are currently using LDAP. I plan to install certificates on the specific domain controllers applications are configured to connect to and reconfigure the applications to connect over LDAPS.

What can be done to disallow unencrypted LDAP communication to any domain controller on the domain?

All replies (9)

Thursday, February 28, 2019 7:21 AM ✅Answered

We are currently using LDAP. I plan to install certificates on the specific domain controllers applications are configured to connect to and reconfigure the applications to connect over LDAPS.

What can be done to disallow unencrypted LDAP communication to any domain controller on the domain?

You force your applications to use LDAPS instead of blocking LDAP. Would you destroy the wall if you just want to change a brick at the top of it?

Active Directory depends on LDAP, and if you try to modify that in a way that blocks LDAP, you introduce new problems. So the answer is no.

Mahdi Tehrani | www.mahditehrani.ir


Thursday, February 28, 2019 7:43 AM ✅Answered

Hi,

Thanks for your post.

According to my knowledge, we cannot disable LDAP.

For more information, please refer to the following similar issue:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff0fc815-69be-4239-8a03-27cfd444d04c/use-ldaps-636-and-disable-ldap-389?forum=winserverDS

Thanks for your support and understanding.

Best Regards,

Kallen

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


Thursday, February 28, 2019 7:52 AM ✅Answered

Hi,

You can't force LDAP from the domain controller; you will break some default processes which use the LDAP protocol.

You should force LDAPS from the client settings if you don't have a network firewall between the DC VLAN and the application VLAN.

If the applications and the domain controllers are in different VLANs, you can also use a network firewall to block the default port for LDAP (default value 389) and allow only the port for LDAPS (default value 636).

Please don't forget to mark the correct answer, to help others who have the same issue.

Thameur BOURBITA MCSE | MCSA | My Blog: http://bourbitathameur.blogspot.fr/


Thursday, February 28, 2019 11:48 AM

In short - you cannot disable LDAP - at least not without rendering your AD non-operational.

Keep in mind that AD protects its communication in transit by relying on other encryption mechanisms, so using LDAP does not imply a lack of security.

If you want to enforce LDAPS to be used by your apps/users, then you need to implement this enforcement on the app/user side.

hth
Marcin


Thursday, February 28, 2019 1:48 PM

In short - you cannot disable LDAP - at least not without rendering your AD non-operational.

Keep in mind that AD protects its communication in transit by relying on other encryption mechanisms, so using LDAP does not imply a lack of security.

If you want to enforce LDAPS to be used by your apps/users, then you need to implement this enforcement on the app/user side.

hth
Marcin

This link says LDAP will send credentials across the network in plain text:

https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
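In the spirit of the Microsoft article linked above, here is an added PowerShell example (not code from the thread or from Microsoft) that turns on a domain controller's LDAP interface diagnostics and summarises Directory Service event 2889, which records every simple bind made over clear-text LDAP and every SASL bind made without signing. The registry value name, the event ID and its three data fields are the documented Windows ones; the function names, the 24-hour window and the output shape are assumptions made for this example.

```powershell
# Added example: find which clients and accounts still bind over clear-text LDAP.
# Run on a domain controller as an administrator. "16 LDAP Interface Events" and
# event ID 2889 are the documented Windows facilities; the function names, the
# window and the output columns are choices made for this example.

function Enable-LdapBindDiagnostics {
    # Level 2 makes the DC log event 2889 for every unsigned SASL bind and every
    # simple bind made over a non-TLS connection (the default level, 0, logs none).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-ClearTextLdapBinds {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when no events match.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Event 2889 carries three data fields: "client:port", the identity the
        # client bound as, and the binding type (0 = SASL bind without signing,
        # 1 = simple bind over a clear-text connection).
        $props  = $_.Properties
        $client = $props[0].Value -replace ':\d+$', ''   # drop the source port (IPv6-safe)
        [pscustomobject]@{
            Client      = $client
            Identity    = $props[1].Value
            BindingType = if ($props[2].Value -eq '1') { 'Simple/clear-text' } else { 'SASL/unsigned' }
            Time        = $_.TimeCreated
        }
    } |
    Group-Object Client, Identity, BindingType |
    ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Group[0].Client
            Identity    = $_.Group[0].Identity
            BindingType = $_.Group[0].BindingType
            Binds       = $_.Count
            LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Binds -Descending
}

Enable-LdapBindDiagnostics
Get-ClearTextLdapBinds -Hours 24 | Format-Table -AutoSize
```

Each DC logs only the binds it received itself, so run the collection on every domain controller the applications point at before deciding that an application has been moved to LDAPS.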


Thursday, February 28, 2019 1:56 PM

Hi,

You can't force LDAP from the domain controller; you will break some default processes which use the LDAP protocol.

You should force LDAPS from the client settings if you don't have a network firewall between the DC VLAN and the application VLAN.

If the applications and the domain controllers are in different VLANs, you can also use a network firewall to block the default port for LDAP (default value 389) and allow only the port for LDAPS (default value 636).

Please don't forget to mark the correct answer, to help others who have the same issue.

Thameur BOURBITA MCSE | MCSA | My Blog: http://bourbitathameur.blogspot.fr/

Our servers are on a different VLAN than workstations. So, we can block port 389 traffic from going between the workstation and server VLANs. This would prevent users from using LDAP directly between their PCs and the domain controllers.

However, the application servers are on the same VLAN as the domain controllers.


Thursday, February 28, 2019 2:52 PM

It's not supported to block 389 between client and domain controller. Good luck.

That link doesn't say it WILL; it says how to identify those that are. Stopping the use of apps that do is the answer.


Wednesday, March 6, 2019 10:01 AM

Hi,

Was your issue resolved?

If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

If no, please reply and tell us the current situation in order to provide further help.

Best Regards,

Kallen



Wednesday, March 6, 2019 1:36 PM

In short - you cannot disable LDAP - at least not without rendering your AD non-operational.

Keep in mind that AD protects its communication in transit by relying on other encryption mechanisms, so using LDAP does not imply a lack of security.

If you want to enforce LDAPS to be used by your apps/users, then you need to implement this enforcement on the app/user side.

hth
Marcin

If LDAP is fully encrypted and secure, there is no need for LDAPS to exist and add more complexity.