Domain controller: LDAP server signing requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain controller: LDAP server signing requirements


This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

  • None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.

  • Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: Not defined, which has the same effect as None.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.


  • If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.


  • This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

  • If signing is required, then ldap_simple_bind and ldap_simple_bind_s requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use ldap_simple_bind or ldap_simple_bind_s to bind to directory service.

For more information, see: