5.1.2.2 Using SSL/TLS

Active Directory supports LDAP message security on an SSL/TLS-protected connection to a DC in accordance with [RFC2246].

As indicated in the previous section, Active Directory does not permit SASL-layer message confidentiality/integrity protection mechanisms to be employed on an SSL/TLS-protected LDAP connection.

Active Directory supports channel binding on SSL/TLS-protected LDAP connections, as specified in [RFC5929], [RFC5056], and [RFC4121]. Note that for LDAP connections, a DC MUST support the tls-server-endpoint type binding, as specified in [RFC5929] and [RFC5056].

Active Directory can be configured for channel binding in the following ways:

  • To not use channel binding (the default).

  • To use channel binding but refuse connections that do not meet channel binding requirements.

  • To use channel binding and permit connections that do not meet channel binding requirements.

The mechanism to specify such configurations is implementation-defined.
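The following is an added example, not code from MS-ADTS or from any DC implementation: it derives the tls-server-end-point binding value for a server certificate in the way [RFC5929] describes (hash the DER certificate with the hash of its signature algorithm, substituting SHA-256 for MD5 and SHA-1) and then applies each of the three configurations listed above to a bind that did or did not carry a matching token. It assumes the caller has already extracted the signature hash name from the certificate, and it treats a token that is present but wrong as refused even in the permissive mode, which is an assumption of the example rather than a statement of this section.

```python
"""tls-server-end-point channel binding check for an LDAP-over-TLS bind.
Added example; not code from MS-ADTS or from a Windows domain controller."""
import hashlib
import hmac
from typing import Optional

# RFC 5929 section 4.1: hash the certificate with the hash function of its
# signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_UPGRADE_TO_SHA256 = {"md5", "sha1"}


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Return the channel binding value for the DC's end-entity certificate.

    cert_der: DER-encoded certificate presented on the TLS connection.
    sig_hash: hash named by the certificate's signatureAlgorithm ("sha1",
              "sha256", "sha384", ...); assumed parsed out by the caller.
    """
    algo = sig_hash.lower()
    if algo in _UPGRADE_TO_SHA256:
        algo = "sha256"
    return hashlib.new(algo, cert_der).digest()


def evaluate_bind(policy: str, expected_cbt: bytes,
                  client_cbt: Optional[bytes]) -> bool:
    """Decide whether a bind is accepted under one of the three DC settings.

    "never":          channel binding not used (the default), accept all.
    "always":         use channel binding, refuse binds that do not meet it.
    "when_supported": use channel binding, permit binds that carry no token.
                      Refusing a token that is present but wrong is this
                      example's assumption, not text from the specification.
    """
    matches = client_cbt is not None and hmac.compare_digest(client_cbt, expected_cbt)
    if policy == "never":
        return True
    if policy == "always":
        return matches
    if policy == "when_supported":
        return client_cbt is None or matches
    raise ValueError(f"unknown channel binding policy {policy!r}")


# Constructed stand-in for a DER certificate; real input is the DC's cert.
CONSTRUCTED_CERT_DER = bytes(range(0x30, 0x30 + 64))

if __name__ == "__main__":
    cbt = tls_server_end_point(CONSTRUCTED_CERT_DER, "sha1")  # upgraded to SHA-256
    for policy in ("never", "always", "when_supported"):
        for presented in (cbt, None, b"\x00" * len(cbt)):
            print(policy, "token" if presented else "no token",
                  "accepted" if evaluate_bind(policy, cbt, presented) else "refused")
```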