Event ID 2889 — LDAP signing

Updated: November 25, 2009

Applies To: Windows Server 2008

yellow

To enhance the security of directory servers, you can configure both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to require signed Lightweight Directory Access Protocol (LDAP) binds.

Unsigned network traffic is susceptible to replay attacks, in which an intruder intercepts an authentication attempt and the issue of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. In addition, unsigned network traffic is susceptible to man-in-the-middle attacks, in which an intruder captures packets between the client computer and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

Consider enhancing the security of your domain controllers by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.

Event Details

Product: Windows Operating System
ID: 2889
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_UNSIGNED_CLIENT_DETAILS
Message: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: "Value" Identity the client attempted to authenticate as: "Value"

Resolve

Disable diagnostic logging if it is no longer needed

Diagnostic logging for LDAP Interface Events was enabled. This setting is useful if you want to determine which client computers are using unsigned or simple LDAP binds. However, it has a negative effect on domain controller performance, and it should be disabled when it is no longer needed.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on the domain controller on which you want to perform diagnostic logging.

To disable diagnostic logging for LDAP Interface Events:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0 
  3. Type Y, and then press ENTER to confirm the settings overwrite, which will disable diagnostic logging for LDAP Interface Events.

For additional information about Active Directory diagnostic logging, see article 314980 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=145021).

Verify

Membership in Domain Users, or equivalent, is the minimum required to perform the following procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/?linkid=144909).

To verify that the directory is configured to reject simple LDAP connections:

  1. Open Ldp. To open Ldp, click Start. In Start Search, type ldp. Right-click the Ldp icon on the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Click the Ldp Connection menu, and then click Connect. In Server, type the host name of the server to which you want to connect. Ensure that Port is set to 389 and that the Connectionless and SSL check boxes are cleared, and then click OK.
  3. Click the Connection menu, and then click Bind.
  4. In the Bind dialog box, click Simple bind
  5. In User, type domainname\username, where domainname is the actual name of the domain and username is the name of the account that you are using. Enter your password in the Password box, and then click OK.

If the command output in the results pane displays an error message that reads "Ldap_simple_bind_s() failed: Strong Authentication Required" or "Error 0x2028: A more secure authentication method is required for this server," the domain controller is configured to reject simple LDAP binds. However, if the command output reads "Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'," the directory is allowing simple LDAP binds.

When client computers make or attempt to make unsigned or simple connections to the directory, Event ID 2887 from source Microsoft-Windows-ActiveDirectory_DomainService is logged to the Directory Service log on the domain controller. If you do not see that event in the Directory Service log, client computers are not attempting to make unsigned or simple LDAP connections to the domain controller.

Related Management Information

LDAP signing

Active Directory

Community Additions

ADD
Show: