ad-assurance - [AD-Assurance] Unencrypted LDAP to Active Directory
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Brett Bieber <>
- To:
- Subject: [AD-Assurance] Unencrypted LDAP to Active Directory
- Date: Mon, 23 Mar 2015 21:10:41 +0000
Have any of you been able to eradicate unencrypted LDAP for credentials?
We've tackled NTLMv1, and the next obstacle was unencrypted LDAP. My expectations were slightly different than the result we've seen.
We've spent a significant amount of time tracking down all the devices triggering Event Code 2889 on our Domain Controllers, and eliminating as many as we could before flipping the switch.
This morning, we deployed the change to require "LDAP Signing" as Microsoft calls it, described on this page:
Active Directory continues to permit traffic on port 389 to the domain controller. I had some expectation that this would continue for LDAP ping, StartTLS clients etc. What I didn't expect, is that the Domain Controller would still permit an unencrypted BIND and send a different message depending on if the credentials were valid or not.
Over an unencrypted connection, attempting to BIND to AD with invalid credentials yields the following message:
"AcceptSecurityContext error, data 52e, v1db1"
A valid credential yields:
"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1"
...and, we continue to see Event Code 2889 logged by the Domain Controllers for those unencrypted BINDs with valid credentials.
Some clients apparently try an unencrypted LDAP BIND, and upon failure, try something more secure.
I had originally thought by requiring "LDAP Signing" on AD, I would have eliminated any need to monitor for these types of events and could check off many concerns related to the following IAP items:
4.2.5.2 Resist Eavesdropper Attack
4.2.5.3 Secure Communication
4.2.5.6 Mitigate Risk of Credential Compromise
4.2.8.2 Network Security (Silver)
Now that we know these events can continue to occur, what is my responsibility as a good InCommon Assurance citizen?
Must everyone running Active Directory monitor for these types of events, and revoke Bronze/Silver Assurance for those credentials when such an event is logged?
Any wisdom would be appreciated.
-Brett
- [AD-Assurance] Unencrypted LDAP to Active Directory, Brett Bieber, 03/23/2015
- RE: [AD-Assurance] Unencrypted LDAP to Active Directory, Brian Arkills, 03/23/2015
- Message not available
- Re: [AD-Assurance] Unencrypted LDAP to Active Directory, Brett Bieber, 03/23/2015
Archive powered by MHonArc 2.6.16.