Following guidance in this article I wanted to enable auditing of LDAP Channel Binding in order to find potentially problematic devices, as we have plenty of third party services which use AD:
The article says “Note Events 3039, 3074, and 3075 can only be generated when Channel Binding is set to When Supported or Always.”
The setting had been Not Defined, which is the default. The Explain tab for the setting says "Default: This policy is not defined, which has the same effect as When Supported."
It also says "When supported: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that do not advertise such support and/or do not use TLS/SSL connections are not impacted. This is an intermediate option that allows for application compatibility."
A couple of days ago I switched the setting from Not Defined to When Supported in order to start auditing the related events. This broke Duo authentication, which in turn caused VPN login to fail.
Microsoft's words around this seem pretty unambiguous, but clearly "When Supported" is not the same as "Not Defined".
Of course this was seen by management as me having made a security change without proper change control. I wouldn't argue that point, but be aware of this.
-- Charlie Sullivan
Principal Windows Systems Administrator
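Before touching the policy, a script like the following can be run on a domain controller to record which channel binding setting is actually in effect and whether the audit events the article mentions are being produced at all. This is an added example, not part of the post above; it assumes the events land in the "Directory Service" log and that the effective setting lives in the LdapEnforceChannelBinding registry value (0 = Never, 1 = When Supported, 2 = Always), neither of which the post states.

```powershell
# Added example (not from the original post). Run on a domain controller.
# Assumptions: setting stored in LdapEnforceChannelBinding under the NTDS Parameters key;
# audit events 3039/3074/3075 are written to the "Directory Service" log.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$value = (Get-ItemProperty -Path $ntdsParams -Name LdapEnforceChannelBinding `
          -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

# An absent value is the "Not Defined" state the post describes.
if ($null -eq $value)  { $label = 'Not Defined (registry value absent)' }
elseif ($value -eq 0)  { $label = 'Never' }
elseif ($value -eq 1)  { $label = 'When Supported' }
elseif ($value -eq 2)  { $label = 'Always' }
else                   { $label = "Unknown ($value)" }
Write-Host "LdapEnforceChannelBinding on $env:COMPUTERNAME : $label"

# Count the channel-binding audit events from the last 7 days, per event ID.
$filter = @{
    LogName   = 'Directory Service'
    Id        = 3039, 3074, 3075
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No 3039/3074/3075 events in the last 7 days.'
    Write-Host 'Per the quoted article these only appear when the policy is When Supported or Always.'
} else {
    $events | Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
    # Keep the raw messages so the affected clients can be reviewed before any policy change.
    $events | Select-Object TimeCreated, Id, Message |
        Export-Csv -Path "$env:TEMP\ldap-cbt-events.csv" -NoTypeInformation
}
```

Running this on each DC before and after a change gives a record of the starting state, which is the evidence a change-control review will ask for.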