
LDAP Interface issue in Active Directory Domain Service


Rajiv K Khandelwal
Jul 13, 2009, 2:09:25 AM
How does one address this warning in SBS 2008?

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 7/10/2009 3:16:08 PM
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVER.domain.local
Description:
The security of this directory server can be significantly enhanced by
configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or
Digest) LDAP binds that do not request signing (integrity verification) and
LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted)
connection. Even if no clients are using such binds, configuring the server
to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple
binds over a non-SSL/TLS connection, and will stop working if this
configuration change is made. To assist in identifying these clients, if
such binds occur this directory server will log a summary event once every
24 hours indicating how many such binds occurred. You are encouraged to
configure those clients to not use such binds. Once no such events are
observed for an extended period, it is recommended that you configure the
server to reject such binds.

Where exactly does one have to configure the rejection of such binds on the
server?

Thanking you,

Rajiv K Khandelwal


Miles Li [MSFT]
Jul 14, 2009, 5:58:13 AM

Hello,

Thank you for posting here.

According to your description, I understand that:

You receive the Event 2886 on the SBS server.

If I have misunderstood the problem, please don't hesitate to let me know.

Explanations:
======================
As explained in the Event description, some clients attempted to perform
LDAP binds that were either:

(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not
request signing (integrity validation), or
(2) An LDAP simple bind that was performed on a cleartext
(non-SSL/TLS-encrypted) connection


However, by default the directory service is not configured to reject such
binds. This event is only a notification for those non-secure binds. The
security of this directory server can be significantly enhanced by
configuring the server to reject such binds and LDAP signing in your SBS
2003 domain.

More related information for your reference:

How to enable LDAP signing in Windows Server 2008
http://support.microsoft.com/kb/935834

Client, service, and program incompatibilities that may occur when you
modify security settings and user rights assignments
http://support.microsoft.com/kb/823659

If you have any questions or concerns, please do not hesitate to let me
know.


Best regards,

Miles Li
Microsoft Online Newsgroup Support

==================================================================
Please post your EBS related questions to the EBS newsgroup on Connect
website:
https://connect.microsoft.com/ebs08/community/discussion/richui/default.aspx

If you want to use a newsreader other than a web forum to access these
newsgroups, please refer to the following blog to apply for an NNTP password
and configure a newsreader:
http://msmvps.com/blogs/bradley/archive/2008/11/02/signing-up-for-the-sbs-2008-newsgroups.aspx
==================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
==================================================================

Rajiv K Khandelwal
Jul 14, 2009, 7:35:16 AM
Thanks for the useful post. The first part, "Using Group Policy", was done;
however, in the second part, "Using Group Policy (setting of the client LDAP
signing requirement)", there is no mention of the following:
1. Right-click Network security: LDAP client signing requirements, and
then click Properties.
and it is greyed out for the following:
1. In the Domain controller: LDAP server signing requirements Properties
dialog box, enable Define this policy setting, click to select Require
signing in the Define this policy setting drop-down list, and then click OK.
Hence no action can be taken.

Regards,

Rajiv K Khandelwal

"Miles Li [MSFT]" <v-mi...@online.microsoft.com> wrote in message
news:tMXNbmGB...@TK2MSFTNGHUB02.phx.gbl...

Miles Li [MSFT]
Jul 15, 2009, 4:46:22 AM
Hello Rajiv,

Thanks for the update.

From the description, it seems that in your SBS 2008 domain there is a
group policy that defines the "Network security: LDAP client signing
requirements" setting. The group policy settings from the domain GPOs are
compelling. This is the reason why you see the grayed out "Network
security: LDAP client signing requirements" setting.

Please check whether the setting "Network security: LDAP client signing
requirements" is set as "Require signing" in the grayed out textbox. If
yes, you may ignore this setting because the proper configuration "Require
signing" has been set through the domain GPO. If not, you may collect the
Group Policy Result on the client computer to verify which domain GPO has
defined the setting "Network security: LDAP client signing requirements".
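The two checks discussed in this thread, what the effective server and client signing settings are (the values the greyed-out policy UI reflects) and which clients are still performing the unsigned or cleartext binds that Event 2886 warns about, can be done from one PowerShell script on the domain controller. The script below is an added example, not code from the posts or from Microsoft; the registry value names, the event IDs 2886/2887/2889 and their meanings, and the "16 LDAP Interface Events" diagnostic are taken from the KB 935834 guidance referenced above and are assumptions of this example rather than statements made in the thread.

```powershell
# Added example, not from the thread: audit LDAP signing settings and the
# unsigned-bind events behind Event 2886 on a domain controller.
# Registry value names, event IDs and their meanings are assumed from
# Microsoft's KB 935834 guidance, not stated in the posts.
# Run in an elevated PowerShell session on the DC.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldapClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Effective values, whichever GPO set them: these are what the greyed-out
# policy dialog reflects, so reading them cross-checks the Group Policy Result.
$server = (Get-ItemProperty -Path $ntdsParams -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$client = (Get-ItemProperty -Path $ldapClient -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity

# LDAPServerIntegrity: 1 = None, 2 = Require signing
if ($server -eq 2) { $serverText = 'Require signing' }
else               { $serverText = 'None (unsigned SASL and cleartext simple binds accepted)' }

# LDAPClientIntegrity: 0 = None, 1 = Negotiate signing, 2 = Require signing
if     ($client -eq 2) { $clientText = 'Require signing' }
elseif ($client -eq 1) { $clientText = 'Negotiate signing' }
else                   { $clientText = 'None' }

"Domain controller: LDAP server signing requirements = $serverText"
"Network security: LDAP client signing requirements  = $clientText"

# Directory Service log events related to unsigned binds:
#   2886 - the server still accepts unsigned SASL / cleartext simple binds
#   2887 - 24-hour summary with the count of such binds
#   2889 - one event per offending bind, naming the client IP and identity
#          (logged only while '16 LDAP Interface Events' is set to 2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886, 2887, 2889 } -ErrorAction SilentlyContinue

if (-not $events) {
    'No 2886/2887/2889 events found: no unsigned or cleartext binds were reported.'
}
else {
    $events | Group-Object Id | ForEach-Object { 'Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count }

    # The 2889 messages list the clients that must be reconfigured before the
    # server is switched to 'Require signing'; otherwise they stop working.
    $events | Where-Object { $_.Id -eq 2889 } | ForEach-Object { $_.Message } | Sort-Object -Unique
}

# To collect per-client 2889 events for a few days, raise the diagnostic
# level (set it back to 0 afterwards):
#   Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2
```

Run it before and after the policy change: the first run shows whether any clients are still relying on the insecure binds, and a run after "Require signing" has been enforced should report no new 2887 or 2889 events. To find which domain GPO is supplying a greyed-out setting on a client, `gpresult /Scope Computer /v` on that client lists the applied GPOs and the security settings each one delivered.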

Rajiv K Khandelwal
Jul 15, 2009, 7:44:31 AM

Thanks Miles for the inputs. "Network security: LDAP client signing
requirements" was set at "Negotiate signing" which has now been changed to
"Require signing".

Rajiv K Khandelwal

"Miles Li [MSFT]" <v-mi...@online.microsoft.com> wrote in message
news:jzSQ8iSB...@TK2MSFTNGHUB02.phx.gbl...

Miles Li [MSFT]
Jul 16, 2009, 6:56:11 AM

Hi Rajiv,

Thanks for the update.

After you enable the LDAP signing in the domain, does the Event 2886
disappear? Please do not hesitate to let us know if you have any further
questions.

Best regards,

Miles Li

Microsoft Online Newsgroup Support

==================================================================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect
website:
https://connect.microsoft.com/sbs08/community/discussion/richui/default.aspx

Rajiv K Khandelwal
Jul 17, 2009, 1:01:02 AM
Hi Miles,

Thanks for your post. There has been no warning during the past 24 hours.

Regards,

Rajiv K Khandelwal

"Miles Li [MSFT]" <v-mi...@online.microsoft.com> wrote in message
news:975bIQgB...@TK2MSFTNGHUB02.phx.gbl...

Miles Li [MSFT]
Jul 20, 2009, 6:10:31 AM

Hello,

I'm glad to hear that things are working correctly for you now. The
following is a general summary of the issue for your reference:

Issue:
==========
You receive the Event 2886 on the SBS server.

Cause:
==========
Clients attempted to perform unsecure LDAP binds.

Resolution:
==========
Follow the KB 935834 to enable the LDAP signing in Windows Server 2008.

Please do not hesitate to post in SBS newsgroup if you need any assistance
in the future. Thanks.
