Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)

Vinodh Kumar Sivaji 1 Reputation point
2024-09-19T03:50:36.2566667+00:00

I am working on vulnerability issues related to the Domain Controller. The LDAP server channel binding token requirements were set to 'Always' (DC Only).

To analyze the issue, I changed the setting to 'When Supported' instead of 'Always'. Additionally, I enabled the following settings to generate more logs for auditing.

Via GPO:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements – Set to 'When Supported'

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit Incoming NTLM Traffic – Set to 'Enable auditing for all accounts'

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers – Set to 'Audit all'

Manually set the following registry settings and rebooted the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  • Value Name: LogLevel
  • Value Type: REG_DWORD
    • Value: 1

However, none of the expected events (3039, 3040, 3041, 2886, 2887, 2888, 2889) are being generated.

Kindly advise. Thanks.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,643 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Yanhong Liu 12,180 Reputation points Microsoft Vendor
    2024-09-20T05:51:50.2366667+00:00

    Hello

    Thank you for posting in Q&A forum.

    For enable event 3039 3040 3041 2886 2887 2888 2889, if policy has been set, you can check if registry value at client side is correct as below link shows:

    The mapping between LDAP Signing Policy settings and registry settings are included as follows:

    • Policy Setting: "Domain controller: LDAP server signing requirements"
    • Registry Setting: LDAPServerIntegrity
    • DataType: DWORD
    • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    The mapping between LDAP Channel Binding Policy settings and registry settings are included as follows:

    • Policy Setting: "Domain controller: LDAP server channel binding token requirements"
    • Registry Setting: LdapEnforceChannelBinding
    • DataType: DWORD
    • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  

    2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412) - Microsoft Support

    Best regards

    Yanhong

    =====================================

    If the answer is helpful, please click "Accept answer" and upvote it.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.