LDAP throws Event ID 2887 warnings even after enabling "require signing"


For LDS, the GPO might not work, as it targets domain controllers and not lightweight directory services (LDS/ADAM).
Try out the following registry keys on one of your LDS servers:

HKLM\SYSTEM\CurrentControlSet\Services\LDSInstanceName\Parameters\LDAPServerIntegrity = DWORD (0x2)
HKLM\SYSTEM\CurrentControlSet\Services\ldap\Parameters\ldapclientintegrity = DWORD (0x2)  

If this works as expected (you may have to restart your LDS instance), you can create a GPO with these registry keys in them.

If you're wondering where the client connections are coming from which aren't signed, you could try enabling the LDAP interface diagnostic logging by setting the registry key HKLM\SYSTEM\CurrentControlSet\services\ALDSInstanceName\Diagnostics\16 LDAP Interface Events = DWORD (0x1), or up to 0x5.
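The following PowerShell script is an added example, not part of the answer above: it audits the three registry values the answer names on an AD LDS host, optionally applies them and restarts the instance, and then reads the instance's own event log for the 2887 summary and the per-bind 2889 entries that name the unsigned clients. It assumes (not stated on the page) that the LDS service is called ADAM_<InstanceName> and logs to an event log named "ADAM (<InstanceName>)", and that diagnostics level 2 is sufficient for 2889 entries; the placeholder instance name must be replaced.

```powershell
<#
Added example, not part of the original answer: audit and (optionally) apply the
LDAP signing settings described above on an AD LDS host, then read the instance's
event log for the 2887 summary and the per-client 2889 entries.

Assumptions (not from the page):
  - the LDS service name is 'ADAM_<InstanceName>' and its event log is
    'ADAM (<InstanceName>)'; both are derived from -InstanceName below.
  - diagnostics level 2 for '16 LDAP Interface Events' is enough to get 2889
    entries; the answer only says 0x1 up to 0x5.
Run elevated. Without -Apply nothing is changed (report only).
#>
param(
    [string]$InstanceName = 'MyLdsInstance',   # placeholder, replace with your instance
    [switch]$Apply
)

$service   = "ADAM_$InstanceName"
$serverKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Parameters"
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ldap\Parameters'
$diagKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Diagnostics"

# Desired state from the answer: 2 = require signing (server and client side).
$desired = @(
    @{ Path = $serverKey; Name = 'LDAPServerIntegrity';      Value = 2 },
    @{ Path = $clientKey; Name = 'ldapclientintegrity';      Value = 2 },
    @{ Path = $diagKey;   Name = '16 LDAP Interface Events'; Value = 2 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing value means the default (signing not required)
}

foreach ($s in $desired) {
    $current = Get-RegDword -Path $s.Path -Name $s.Name
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Host ('{0,-26} current={1} desired={2}' -f $s.Name, $shown, $s.Value)
    if ($Apply -and $current -ne $s.Value) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        Write-Host "  -> set $($s.Name) = $($s.Value)"
    }
}

if ($Apply) {
    # The server-side value is read when the instance starts, so restart it.
    Restart-Service -Name $service
}

# 2887 is the 24-hour summary; 2889 is written per unsigned/cleartext bind and
# carries the client address and the identity it bound as (needs diagnostics >= 2).
$logName = "ADAM ($InstanceName)"
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2887, 2889 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No 2887/2889 events found in '$logName'."
} else {
    $events | Group-Object Id | ForEach-Object {
        Write-Host ('Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
    }
    # Print the most recent 2889 messages: each names the offending client.
    $events | Where-Object Id -eq 2889 | Select-Object -First 10 |
        ForEach-Object { Write-Host "--- $($_.TimeCreated)`n$($_.Message)" }
}
```

Run it once without -Apply to see what the instance currently has, then with -Apply to set the values and restart the instance; the 2889 output is what tells you which clients still bind without signing and need fixing before the 2887 warning stops.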

Author: user1301428

Updated on September 18, 2022

Comments

  • user1301428
    user1301428 over 1 year

    I am running an AD LDS directory and, ever since configuring it, I have been seeing 2887 warning messages, so I have decided to follow this guide to have the server require LDAP signing.

    The problem is that I get those annoying warnings even if "Require signing" is enabled, both for the server and for the clients. This is the content of the warning message:

    During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection

    This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

    Now, even if everything is set up correctly, what should I do to stop receiving those warnings, besides ignoring them?

    • Adam Thompson
      Adam Thompson about 10 years
      Did you set the requirements on the server by GPO, or direct changes to the registry? If GPO, does gpresult show that the policy is being applied? And if not, are the registry keys set the way you would expect them to be? And did you try the steps under "How to verify configuration changes"?
    • user1301428
      user1301428 about 10 years
      @AdamThompson I did everything by GPO, and I have realized that gpresult says that the policy has not been applied because it was filtered out due to being empty. The registry keys look ok though, but the verification steps fail...
    • user1301428
      user1301428 about 10 years
      @AdamThompson Do you know how I can force the policy to be applied?
    • user1301428
      user1301428 about 10 years
      @AdamThompson Yep, I confirm that
    • Adam Thompson
      Adam Thompson about 10 years
      You could try a gpupdate /force. If the settings need a reboot to take effect, you could run gpupdate /force /boot - which will cause the server to reboot if needed.
    • user1301428
      user1301428 about 10 years
      @AdamThompson Unfortunately I have tried both of these things to no avail. I am starting to have the feeling that the policy might not be linked to the computer correctly
    • Adam Thompson
      Adam Thompson about 10 years
      I just picked up on the bit where you mentioned it was LDS. So, that GPO might not actually help you. I don't have an LDS machine to test against. You need the keys: HKLM\SYSTEM\CurrentControlSet\Services\<LDSInstanceName>\Parameters\LDAPServerIntegrity = DWORD (0x2) HKLM\SYSTEM\CurrentControlSet\Services\ldap\Parameters\ldapclientintegrity = DWORD (0x2) You may have to restart LDS or reboot for the change to take effect.