Configuring your domain controllers to require LDAP signing significantly improves the security of your Active Directory environment by rejecting unsigned LDAP binds. This article shows you how to configure LDAP server signing requirements using Group Policy and how to identify clients that need to be updated before enforcing this security requirement.
Unsigned network traffic is susceptible to replay attacks where an intruder intercepts authentication attempts and reuses credentials to impersonate legitimate users. Additionally, unsigned traffic is vulnerable to man-in-the-middle attacks where attackers can modify LDAP requests in transit. Requiring LDAP signing provides integrity verification that prevents these attack vectors.
Note
Windows Server 2025 and later versions enable LDAP signing by default for new Active Directory deployments. If you're upgrading from earlier versions, existing policies are preserved to prevent disruption. For more information about default security behavior and version differences, see LDAP signing for Active Directory Domain Services.
Prerequisites
- An account with Domain administrator privileges or equivalent
- Access to a domain controller or a computer with Active Directory Domain Services (AD DS) Remote Server Administration Tools (RSAT) installed
- Group Policy Management Console installed
Identify clients using unsigned LDAP binds
Before you require LDAP signing, identify which clients in your environment are currently making unsigned LDAP binds. Active Directory logs summary events to help you discover these clients without disrupting service.
By default, domain controllers log Event ID 2887 once every 24 hours when unsigned binds occur. This event provides summary information about the number of unsigned simple binds and unsigned SASL binds detected.
To get detailed information about specific clients making unsigned binds:
- Open Event Viewer on the domain controller.
- Go to Applications and Services Logs > Directory Service.
- Look for Event ID 2887 to see summary information about unsigned binds.
To enable detailed logging that identifies specific client IP addresses:
- Open Registry Editor on the domain controller.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
- Set the 16 LDAP Interface Events value to 2 (Basic logging).
- Monitor for Event ID 2889, which logs each unsigned bind attempt including the client IP address and identity.
After you identify all clients that need updates, configure them to request LDAP signing before you enforce signing requirements on your domain controllers.
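The inventory step above, scripted as an added example (not part of the original article): it raises the LDAP Interface Events diagnostic level on the domain controller and then groups the last day's Event ID 2889 entries by client address and identity. The regex field names and the Binding Type mapping are assumptions about the 2889 message text; run elevated on the domain controller.

```powershell
# Added example: enable 2889 per-client logging and build a list of unsigned-bind clients.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Step 1: "16 LDAP Interface Events" = 2 (Basic logging). Set it back to 0 when the audit is done.
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2: pull the daily 2887 summaries and every per-client 2889 event from the last 24 hours.
$filter = @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Step 3: parse client endpoint, identity and bind type out of each 2889 message.
# Assumed message layout: "Client IP address: <addr>:<port> ... Identity the client attempted
# to authenticate as: <identity> ... Binding Type: <n>" (0 = SASL without signing, 1 = simple bind).
$pattern = '(?s)Client IP address:\s*(?<endpoint>\S+).*?authenticate as:\s*(?<id>.+?)\s*Binding Type:\s*(?<type>\d)'
$unsigned = foreach ($e in ($events | Where-Object Id -eq 2889)) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            ClientIP = $matches.endpoint -replace ':\d+$', ''   # strip the ephemeral port (IPv4 or [IPv6])
            Identity = $matches.id
            BindType = if ($matches.type -eq '0') { 'SASL unsigned' } else { 'Simple clear-text' }
        }
    }
}

# Step 4: one row per client/identity pair, noisiest first. These are the systems to
# reconfigure before "Require signing" is turned on for the domain controllers.
$unsigned | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } },
        @{ n = 'BindType'; e = { ($_.Group.BindType | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# The 2887 summary counts are useful to confirm the per-client rows add up.
$events | Where-Object Id -eq 2887 | Select-Object TimeCreated, Message | Format-List
```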
Configure LDAP signing requirements
Configure LDAP signing on both domain controllers and client computers to ensure secure LDAP communications across your environment.
Client computers
You need to configure client computers to request LDAP signing when they communicate with domain controllers. You can set this up by using local policy on individual computers or through a domain Group Policy Object for enterprise-wide deployment. To prevent service disruptions, configure clients before you enforce signing on domain controllers. You can verify client compliance by repeating the steps in the previous Identify clients using unsigned LDAP binds section to check for unsigned bind attempts.
To configure LDAP signing on client computers using Group Policy:
- Open Microsoft Management Console by selecting Start > Run, typing mmc.exe, and selecting OK.
- Select File > Add/Remove Snap-in.
- Select Group Policy Object Editor, and then select Add.
- Select Browse, and then select Default Domain Policy or your preferred Group Policy Object.
- Select OK, and then select Finish.
- Select Close, and then select OK.
- Navigate to Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Right-click Network security: LDAP client signing requirements, and select Properties.
- Select one of the following options:
- None: Client doesn't request signing (not recommended)
- Negotiate signing: Client requests signing if server supports it (recommended for gradual deployment)
- Require signing: Client requires signing for all LDAP traffic (recommended for maximum security)
- Select OK.
- Select Yes in the confirmation dialog.
After you configure this setting, client computers request LDAP signing based on the selected policy. The policy takes effect at the next Group Policy refresh or can be applied immediately by using gpupdate /force.
Domain controllers
Domain controllers check the server LDAP signing requirement to decide if they accept unsigned LDAP binds. You usually set this requirement through the Default Domain Controllers Policy. Select the operating system version that matches your domain controllers to see the appropriate configuration steps.
Starting with Windows Server 2025, all new Active Directory deployments require LDAP signing by default. This default is configured through the Domain controller: LDAP server signing requirements enforcement Group Policy setting, which is separate from the Domain controller: LDAP server signing requirements policy.
The Domain controller: LDAP server signing requirements enforcement policy takes precedence over and overrides the Domain controller: LDAP server signing requirements policy. When both policies are configured, the enforcement policy setting is applied. This configuration ensures that new deployments automatically have stronger security defaults while allowing administrators to explicitly modify the behavior if needed.
To configure LDAP signing enforcement on Windows Server 2025:
- Open Microsoft Management Console by selecting Start > Run, typing mmc.exe, and selecting OK.
- Select File > Add/Remove Snap-in.
- Select Group Policy Management Editor, and then select Add.
- Select Browse next to Group Policy Object.
- In the Browse for a Group Policy Object dialog, select Default Domain Controllers Policy under your domain, and then select OK.
- Select Finish, and then select OK.
- Go to Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Right-click Domain controller: LDAP server signing requirements enforcement, and select Properties.
- Turn on Define this policy setting, and choose one of the following options:
- Default: Not Configured, which has the same effect as Enabled (the default for new deployments).
- Enabled: LDAP signing will be enforced regardless of what is set in the LDAP signing policy.
- Disabled: The setting from the LDAP Signing Policy will be used.
- Select OK.
- Select Yes in the confirmation dialog.
Important
If you're upgrading from an earlier version of Windows Server to Windows Server 2025, existing LDAP signing policies are preserved to prevent disruption. Review your current policy settings and update them as appropriate for your security requirements.
Group Policy applies this setting during the next policy refresh cycle. To apply it immediately, run gpupdate /force on your domain controllers. When set to Require signing, domain controllers reject LDAP simple binds over non-SSL/TLS connections and SASL binds that don't request signing.
Configure LDAP signing for Active Directory Lightweight Directory Services
For Active Directory Lightweight Directory Services (AD LDS) instances, configure LDAP signing through a registry setting instead of Group Policy. By using this method, you can set signing requirements independently for each AD LDS instance.
To configure LDAP signing for an AD LDS instance:
- Open Registry Editor on the server hosting the AD LDS instance.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<InstanceName>\Parameters.
- Create a new DWORD (32-bit) Value named LDAPServerIntegrity.
- Set the value to 2 to enable signing requirements.
- Close Registry Editor.
The setting takes effect immediately without needing a restart. The LDAPServerIntegrity value accepts the following values:
- 0: Signing is disabled (default)
- 2: Signing is required
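The AD LDS registry procedure as an added example (not from the original article): it audits LDAPServerIntegrity on every AD LDS instance found on the server and then sets the value to 2 for the instance you name. It assumes that AD LDS instances are registered as Windows services whose names begin with ADAM_; the instance name is a placeholder.

```powershell
# Added example: report and set LDAPServerIntegrity for AD LDS instances on this server.
$InstanceName = 'ADAM_MyInstance'   # placeholder: service name of the instance to harden

function Get-AdLdsSigningState {
    # Assumption: AD LDS instances run as services named ADAM_<InstanceName>.
    foreach ($svc in Get-Service -Name 'ADAM_*' -ErrorAction SilentlyContinue) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $val = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        [pscustomobject]@{
            Instance       = $svc.Name
            Status         = $svc.Status
            # Absent value behaves as 0 (signing disabled), per the value table above.
            SigningRequired = ($val -eq 2)
            RawValue        = if ($null -eq $val) { 'absent (0)' } else { $val }
        }
    }
}

Write-Host 'Before:'; Get-AdLdsSigningState | Format-Table -AutoSize

$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
if (-not (Test-Path $paramKey)) { throw "No AD LDS instance key at $paramKey" }

# DWORD 2 = signing required; no restart needed. Reversible by setting 0 again.
Set-ItemProperty -Path $paramKey -Name LDAPServerIntegrity -Value 2 -Type DWord

$after = (Get-ItemProperty -Path $paramKey -Name LDAPServerIntegrity).LDAPServerIntegrity
if ($after -ne 2) { throw "LDAPServerIntegrity on $InstanceName is $after, expected 2" }

Write-Host 'After:'; Get-AdLdsSigningState | Format-Table -AutoSize
```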
Verify LDAP signing configuration
After you configure LDAP signing requirements, verify that the configuration works as expected. You can test this verification by attempting an unsigned LDAP bind. If signing is properly configured, the domain controller rejects the bind.
To verify LDAP signing is enforced:
- On a computer with AD DS Admin Tools installed, open LDP.exe by selecting Start > Run, typing ldp.exe, and selecting OK.
- Select Connection > Connect.
- Type your domain controller name in Server and 389 in Port, and then select OK.
- After the connection is established, select Connection > Bind.
- Under Bind type, select Simple bind.
- Enter credentials and select OK.
If LDAP signing is properly enforced, you receive an error message: "Ldap_simple_bind_s() failed: Strong Authentication Required." This error confirms that the domain controller rejects unsigned LDAP binds.
For production validation, monitor Event Viewer for Event ID 2888. This event logs a summary every 24 hours showing how many unsigned bind attempts the domain controller rejected.
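The LDP.exe check above, scripted as an added example (not part of the original article): it attempts a clear-text simple bind on port 389 using System.DirectoryServices.Protocols and treats LDAP result code 8 (strongAuthRequired, shown by LDP.exe as "Strong Authentication Required") as proof that signing is enforced, then lists the latest Event ID 2888 summaries. The server name and the throwaway credential are placeholders; the bind is expected to fail either way, so no real password is needed.

```powershell
# Added example: confirm a DC rejects unsigned simple binds, then show the 2888 rejection summaries.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSigningEnforced {
    param([string]$DomainController, [pscredential]$Credential)

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, no TLS
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $false   # explicitly do not request integrity
    $conn.SessionOptions.Sealing = $false   # or encryption
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        # Getting here means the DC accepted an unsigned clear-text bind: not enforced.
        return [pscustomobject]@{ Server = $DomainController; Enforced = $false; Detail = 'Unsigned simple bind accepted' }
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to reach LdapException.ErrorCode.
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) { $ex = $ex.InnerException }
        # ErrorCode 8 = strongAuthRequired (signing enforced). Any other LDAP result, e.g. 49
        # invalid credentials, means the DC was willing to process the unsigned bind.
        $enforced = ($ex -is [System.DirectoryServices.Protocols.LdapException]) -and ($ex.ErrorCode -eq 8)
        return [pscustomobject]@{
            Server   = $DomainController
            Enforced = $enforced
            Detail   = "$($ex.GetType().Name) $($ex.ErrorCode): $($ex.Message)"
        }
    } finally { $conn.Dispose() }
}

# Placeholder account: the point is the server's answer, not a successful logon.
$cred = [pscredential]::new('CONTOSO\ldap-signing-test',
    (ConvertTo-SecureString 'placeholder-not-a-real-password' -AsPlainText -Force))
Test-LdapSigningEnforced -DomainController 'dc01.contoso.com' -Credential $cred | Format-List

# Ongoing validation: 2888 is the daily count of unsigned binds the DC rejected.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2888 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Run the bind test from a management workstation, not the domain controller itself, so the result reflects what network clients actually experience.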