ldapserverintegrity resets from 2 to 1 - Solved

  • Question

  • In response to Event ID 2886 (The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection), I changed the ldapserverintegrity value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters from 1 to 2.

    However, it keeps getting reset back to 1.

    I also tried making this change via Group Policy (in Default Domain Policy, Domain controller: LDAP server signing requirements, define it, and require signing).

    Same result: it keeps getting reset back to 1.

    Any suggestions as to how to prevent this?

    Thanks.
    • Edited by sejong Friday, May 29, 2009 3:44 PM
    Thursday, May 28, 2009 2:21 AM

Answers

  • I solved this by changing the following setting in Default Domain Controllers Policy (as opposed to Default Domain Policy)

    Security Options > Domain controller: LDAP server signing requirements; make sure this policy setting is Defined, and change it from None to Require Signing

    I figured this out by checking the Last Write Time on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    registry key, and then using Event Viewer, looking for an event with the same or similar time.  I found that the Last Write Time corresponded with an instance of Event ID 1074 in the Application log (Security policy in the Group policy objects has been applied successfully).  That showed that application of Group Policy was the source of the change.

    To get the Last Write Time of a registry key, export it as a txt file (reference: http://www.winhelponline.com/articles/12/1/Determining-the-Last-Write-Time-of-a-registry-key.html)
    • Marked as answer by sejong Friday, May 29, 2009 3:57 PM
    Friday, May 29, 2009 3:57 PM
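The diagnostic in the accepted answer, as an added PowerShell example that is not part of the original thread and is not Microsoft's code: it reads the server-side LDAPServerIntegrity value (and the client-side LDAPClientIntegrity value under Services\LDAP, so both requirements can be seen side by side), gets the last write time of the NTDS\Parameters key through RegQueryInfoKey instead of the export-to-text trick, lists the SceCli security-policy-application events in the Application log and the 2886/2887 LDAP signing events in the Directory Service log around that time, and then reads the LDAPServerIntegrity line from the Default Domain Controllers Policy's GptTmpl.inf in SYSVOL. The function names are my own; the GPO GUID is the well-known one for Default Domain Controllers Policy; the script assumes it is run elevated on the domain controller with PowerShell 2.0 or later.

```powershell
# Added example (not from the original thread). Run elevated on the DC.
# Function names are my own; nothing here is a documented Microsoft cmdlet
# beyond Get-ItemProperty, Get-WinEvent, Get-Content and Add-Type.

Add-Type -Namespace Win32 -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegOpenKeyEx(IntPtr hKey, string subKey, uint options,
    int samDesired, out IntPtr phkResult);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass,
    IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
    out uint values, out uint maxValueNameLen, out uint maxValueLen,
    out uint securityDescriptorLen, out long lastWriteTime);

[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Get-RegistryKeyLastWriteTime {
    # Last write time of an HKLM subkey. .NET's RegistryKey does not expose it,
    # so call RegQueryInfoKey directly (this is the value "export as .txt" shows).
    param([Parameter(Mandatory = $true)][string]$SubKey)
    $HKLM = [IntPtr](-2147483646)      # HKEY_LOCAL_MACHINE: 0x80000002 sign-extended
    $KEY_READ = 0x20019
    $h = [IntPtr]::Zero
    $rc = [Win32.RegApi]::RegOpenKeyEx($HKLM, $SubKey, 0, $KEY_READ, [ref]$h)
    if ($rc -ne 0) { throw "RegOpenKeyEx failed for HKLM\$SubKey (Win32 error $rc)" }
    try {
        $ft = [long]0
        $n  = [uint32]0                # counts we do not need
        $rc = [Win32.RegApi]::RegQueryInfoKey($h, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
            [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$ft)
        if ($rc -ne 0) { throw "RegQueryInfoKey failed (Win32 error $rc)" }
        [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
    } finally {
        [void][Win32.RegApi]::RegCloseKey($h)
    }
}

function Get-LdapSigningState {
    # Server: NTDS\Parameters\LDAPServerIntegrity  (1 = None, 2 = Require signing)
    # Client: Services\LDAP\LDAPClientIntegrity     (0 = None, 1 = Negotiate, 2 = Require)
    $srv = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $cli = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -ErrorAction SilentlyContinue).LDAPClientIntegrity
    $srvNames = @{ 1 = 'None'; 2 = 'Require signing' }
    $cliNames = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
    New-Object PSObject -Property @{
        LDAPServerIntegrity = $srv
        ServerRequirement   = $(if ($srv -ne $null) { $srvNames[[int]$srv] } else { '(absent: default None)' })
        LDAPClientIntegrity = $cli
        ClientRequirement   = $(if ($cli -ne $null) { $cliNames[[int]$cli] } else { '(absent: default Negotiate signing)' })
    }
}

function Find-PolicyApplyEvents {
    # Security-policy application is logged by provider SceCli in the Application log
    # ("Security policy in the Group policy objects has been applied successfully").
    # The unsigned-bind warnings 2886/2887 live in the Directory Service log.
    param([Parameter(Mandatory = $true)][DateTime]$Around, [int]$WindowMinutes = 15)
    $start = $Around.AddMinutes(-$WindowMinutes)
    $end   = $Around.AddMinutes($WindowMinutes)
    $sce  = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                LogName = 'Application'; ProviderName = 'SceCli'; StartTime = $start; EndTime = $end }
    $ldap = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                LogName = 'Directory Service'; Id = 2886, 2887 } | Select-Object -First 5
    @($sce) + @($ldap) | Where-Object { $_ } | Sort-Object TimeCreated
}

function Get-GpoLdapServerIntegrity {
    # Security Options are stored in the GPO's GptTmpl.inf (not in registry.pol),
    # so read it straight from SYSVOL. GUID = Default Domain Controllers Policy.
    param([string]$Domain = $env:USERDNSDOMAIN,
          [string]$GpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}')
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path $inf)) { return "no GptTmpl.inf at $inf" }
    # "Require signing" appears as ...\NTDS\Parameters\LDAPServerIntegrity=4,2 (4 = REG_DWORD)
    $line = Get-Content $inf | Where-Object { $_ -match 'LDAPServerIntegrity=' }
    if ($line) { $line } else { 'LDAPServerIntegrity is not defined in this GPO' }
}

Get-LdapSigningState | Format-List
$t = Get-RegistryKeyLastWriteTime 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
"NTDS\Parameters last written: $t"
Find-PolicyApplyEvents -Around $t | Format-Table TimeCreated, ProviderName, Id -AutoSize
'Default Domain Controllers Policy (GptTmpl.inf):'
Get-GpoLdapServerIntegrity
```

Reading GptTmpl.inf directly is deliberate: the "Domain controller: LDAP server signing requirements" setting is a Security Option, which Group Policy stores in the security template rather than in registry.pol, so Get-GPRegistryValue will not show it even though it ends up as a registry value on the DC. If the SYSVOL line reads `=4,2` in the Default Domain Controllers Policy but the live value is still 1, the next SceCli event after a `gpupdate /force` is the place to look.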

All replies

Hi there,

    I hope you are using the article below to configure the setting.

    http://support.microsoft.com/kb/935834

    If so, on which instance are you trying to create the key?
    Sainath, Windows driver development.
    Thursday, May 28, 2009 5:25 PM
    Moderator
  • Sainath--

    Yes, I used KB935834 that you cited.

    I changed the ldapserverintegrity value in the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    I am not using Active Directory Lightweight Directory Services (AD LDS) so the question about which instance does not seem to apply.

    Edit 2009-05-28 1750 UTC: I noticed that in the Local Security Policy of the Windows 7 computers in this domain, Network security: LDAP client signing requirements is set to Negotiate Signing.  Does this have to be set to Require Signing?  In other words is Require Signing needed on both the domain controller and the domain client?
    Thursday, May 28, 2009 5:41 PM