
Event ID 2886 — LDAP signing

Introduction

On a brand new install of Windows Server 2008 R2 you may notice the following warning event in Event Viewer, raised by Active Directory Domain Services, regarding LDAP binds.

Event Details

Here are the Event Details:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 02/09/2012 14:08:11
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC01.domain.local
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">2886</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2012-09-02T13:08:11.514452700Z" />
<EventRecordID>160</EventRecordID>
<Correlation />
<Execution ProcessID="752" ThreadID="928" />
<Channel>Directory Service</Channel>
<Computer>DC01.domain.local</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
</EventData>
</Event>


In short, the event is saying that you can improve the security of your network by configuring the directory server to reject SASL binds that do not request signing and simple binds made over a cleartext (non-SSL/TLS) connection.

Solution

Here is how to configure the directory to reject LDAP binds that do not require signing, on domain controllers and on AD LDS servers.

Configuring domain controllers for LDAP signing

You can use a registry key or Group Policy to configure domain controllers for LDAP signing.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Perform the following procedures on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed.

To use Group Policy to configure all domain controllers to reject unsigned and simple LDAP bind requests:

  1. Open the Group Policy Management Console. To open the Group Policy Management Console, click Start. In Start Search, type Group Policy Management. Right-click the Group Policy Management icon on the Start menu, and then click Run as administrator.

  2. Expand the forest and domain objects until you locate the domain object for the set of domain controllers that you want to configure.
  3. Expand the Domain Controllers object, right-click Default Domain Controllers Policy, and then click Edit.

  4. Expand the following objects in the Group Policy Management Editor: Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Security Options.
  5. In the right pane, double-click the Domain Controller: LDAP server signing requirements policy.

  6. Ensure that the Define this policy setting check box is selected, use the selection box to set Require Signing, and then click OK.

  7. Review the information in the Confirm Setting Change dialog box, and if you are sure you want to make this change, click Yes to continue.

To use a registry key to configure domain controllers to reject unsigned and simple LDAP bind requests:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open Registry Editor as an administrator on each domain controller that you want to change. To open Registry Editor as an administrator, click Start. In Start Search, type regedit. At the top of the Start menu, right-click Regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, in the right pane, right-click ldapserverintegrity, and then click Modify.
  3. Type 2 for Value data to configure the server to reject simple or unsigned LDAP bind requests, and then click OK.

Configuring AD LDS servers for LDAP signing

To configure LDAP signing for an AD LDS instance, you must modify the registry on the AD LDS server.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure.

To configure an AD LDS server for LDAP signing:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open Registry Editor as an administrator. To open Registry Editor as an administrator, click Start. In Start Search, type RegEdit. At the top of the Start menu, right-click Regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\instanceName\ where instanceName is the name of the AD LDS instance on which you want to change the setting.
  3. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.
  4. Type LDAPServerIntegrity for the name of the new value.
  5. Double-click the new value, type 2 for the Value data, and then click OK.
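The two registry procedures above (NTDS on a domain controller, and an AD LDS instance) set the same value under different service keys. The following PowerShell script is an added example, not from the original post: it reports the current LDAPServerIntegrity value, lists the daily summary events (ID 2887) that count unsigned SASL and cleartext simple binds so you can check for dependent clients first, and only writes the value when -Enforce is given. The parameter names and the -EnableClientLogging switch are this example's own; the "16 LDAP Interface Events" diagnostics value is the registry form of the logging category the event text refers to.

```powershell
# Added example (not the original post's code). Run elevated on the DC or AD LDS server.
# LDAPServerIntegrity: 1 = None (default), 2 = Require signing.
param(
    [string]$InstanceName = 'NTDS',   # 'NTDS' for a domain controller, or the AD LDS instance name
    [switch]$Enforce,                 # without -Enforce the script only reports
    [switch]$EnableClientLogging      # raise "LDAP Interface Events" to level 2 (per-client events)
)

$paramPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
if (-not (Test-Path $paramPath)) { throw "Service key not found: $paramPath" }

# Absent value means the default, i.e. signing not required.
$current = (Get-ItemProperty -Path $paramPath -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $current) { $current = 1 }
Write-Host "$InstanceName LDAPServerIntegrity = $current (1 = None, 2 = Require signing)"

# Check the 24-hour summary events before enforcing: a recent 2887 means some client
# still performs unsigned SASL binds or simple binds over cleartext and will break.
$summary = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } `
    -MaxEvents 7 -ErrorAction SilentlyContinue
if ($summary) {
    Write-Host "Recent 2887 summary events (clients still using unsigned/simple binds):"
    $summary | ForEach-Object { "{0}  {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0] }
} else {
    Write-Host "No 2887 summary events found in the Directory Service log."
}

if ($EnableClientLogging) {
    # Level 2 makes the server log one event per offending bind, including the client address.
    $diagPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Diagnostics"
    Set-ItemProperty -Path $diagPath -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Write-Host "LDAP Interface Events logging raised to level 2 for $InstanceName."
}

if ($Enforce -and $current -ne 2) {
    New-ItemProperty -Path $paramPath -Name 'LDAPServerIntegrity' -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "LDAPServerIntegrity set to 2 (Require signing) for $InstanceName."
}
```

Run it once without switches on each server to see the current state and any 2887 history, then with -Enforce only after no summary events have appeared for a while; on a domain controller, the Group Policy setting described earlier writes the same NTDS value.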

