What Is LDAP Signing Disabled?
LDAP signing disabled means an Active Directory domain controller still accepts LDAP traffic without integrity protection on the bind path that the client uses. Microsoft’s guidance is explicit: unsigned SASL LDAP binds and LDAP simple binds over a non-SSL/TLS connection should be rejected because they expose the directory service to replay and man-in-the-middle tampering, and in the case of simple binds over cleartext, they can expose credentials directly on the wire.
In practical terms, the weakness appears when teams leave the domain controller policy at a permissive setting because an old application, script, appliance, or directory integration still talks to AD with weak LDAP behavior. The directory remains available, but the trust the domain controller places in that traffic is too generous. That gap matters because LDAP is not a side channel in Active Directory. It is one of the main control planes for querying users, groups, computers, policies, and directory objects that shape privilege.
LDAP signing disabled usually shows up during a broader How to Audit Active Directory Security: Practical Checklist for Internal Teams review, but it deserves its own remediation track because the break/fix work often sits with application owners rather than with directory admins alone.
How It Works
Microsoft documents two risky patterns that LDAP signing is meant to stop on domain controllers:
- SASL LDAP binds that do not request signing
- LDAP simple binds performed on a cleartext connection instead of over SSL/TLS
When signing is required, the client and server cryptographically sign the LDAP communication so an intermediary cannot silently alter the request stream. When simple binds are still needed, Microsoft’s guidance is to protect them with SSL/TLS instead of allowing them in cleartext.
It is also important not to confuse LDAP signing with LDAP channel binding. Signing protects integrity on the LDAP session. Channel binding is a separate hardening measure for TLS-protected LDAP sessions and is tracked with a different event family and policy flow. In real environments, the two often get remediated together, but they are not the same control.
| LDAP pattern | Accepted when LDAP signing is disabled | Main risk |
|---|---|---|
| SASL bind without signing | Yes, if the DC is permissive | Replay and man-in-the-middle tampering of LDAP traffic |
| Simple bind over cleartext LDAP | Yes, if the DC is permissive | Credentials can be exposed on the network |
| Simple bind over LDAPS | Possibly still required by legacy apps | Encrypted transport, but still worth reviewing for app design |
| SASL bind with signing | Intended secure state | Integrity-protected LDAP traffic |
Microsoft also notes a recent baseline shift: Windows Server 2025 and later enable LDAP signing by default for new Active Directory deployments. That matters operationally because it confirms the control is no longer a niche hardening preference. It is becoming the default expectation for fresh AD environments.
The Attack Chain
Step 1 - Find the legacy path that still talks weak LDAP
Attackers do not need to start with a domain admin account. They start with whatever system, script host, line-of-business app, or jump box still performs weak LDAP binds against a domain controller. During internal reviews, that path is often discovered by the same work used for Active Directory Monitoring: Security Event IDs That Matter: identify which clients are still making unsigned SASL binds or cleartext simple binds and which owner still depends on them.
A typical test path looks like this:
# Example of a simple bind over cleartext LDAP
ldapsearch -x -H ldap://dc01.corp.local -D 'CORP\svc_legacyapp' -W -b 'DC=corp,DC=local' '(objectClass=user)'
If the application path still depends on cleartext simple bind, the real issue is not only the command itself. It is that the domain controller has been left permissive enough to accept it.
Step 2 - Intercept or tamper with weak LDAP traffic
Microsoft’s LDAP signing guidance explicitly calls out replay and man-in-the-middle risk on unsigned network traffic. If the bind path is not integrity-protected, an attacker with the right network position can tamper with LDAP requests or reuse authentication material in ways the environment should no longer permit.
That is why LDAP signing disabled often overlaps operationally with NTLM Relay Attacks: Hijacking Authentication in AD. The two issues are not identical, but they both reduce trust in directory-bound authentication traffic moving across the network.
Step 3 - Turn directory access into wider privilege reach
Once the attacker can trust the weak LDAP path, the next step is not always immediate domain compromise. More often, it is directory reconnaissance and privilege shaping:
- enumerate privileged groups and delegated rights
- locate sensitive service accounts and application objects
- query paths that feed later abuse of ACLs, GPOs, or stale admin exposure
That is the same logic behind Active Directory Attack Paths to Domain Admin: a directory control weakness becomes more dangerous when it helps the attacker map the shortest route to privileged objects.
Detection
The cleanest first-party detection path comes from Microsoft’s own Directory Service eventing for LDAP signing.
| Indicator | Event ID | Source | What it tells you |
|---|---|---|---|
| Domain controller is still permissive | 2886 | Directory Service log | Reminder that the server should be hardened to reject weak binds |
| Weak binds observed in last 24 hours | 2887 | Directory Service log | Summary count of unsigned SASL binds and cleartext simple binds |
| Weak binds are being rejected | 2888 | Directory Service log | Confirms enforcement is on and clients are still trying to use weak binds |
| Per-client detail for weak binds | 2889 | Directory Service log | Gives the client IP and identity used in the bind attempt |
| LDAP channel binding audit | 3039, 3040, 3041, 3074, 3075 | Directory Service log | Useful when you are hardening channel binding alongside signing |
For practical triage, start with Event 2887 to see whether the issue is still active. If it is, raise LDAP Interface Events logging so Event 2889 gives you the client IP and attempted identity. That lets you assign the issue to the actual app or system owner instead of leaving it as a generic AD finding.
# Read the key LDAP signing events on a domain controller
Get-WinEvent -LogName 'Directory Service' |
Where-Object { $_.Id -in 2886,2887,2888,2889,3039,3040,3041,3074,3075 } |
Select-Object TimeCreated, Id, LevelDisplayName, Message
During remediation, it is worth correlating these events with the operational review behind AD and Azure Compliance: NIS2, ISO 27001, CIS Controls. LDAP signing is the kind of setting that often exists in policy documents long before it is consistently enforced in production.
Remediation
💡 Quick Win: Use Event 2887 and Event 2889 first. Identify every client still relying on unsigned SASL or cleartext simple bind before forcing domain controllers to reject those binds.
A durable LDAP signing remediation usually follows this order:
- Inventory weak clients. Review Event 2887 summary data and enable more detailed LDAP Interface Events logging so Event 2889 identifies the exact source systems.
- Fix the client behavior. Update the application, driver, appliance, or script so it requests signing for SASL binds or uses SSL/TLS for simple binds.
- Require signing on domain controllers. In policy, move Domain controller: LDAP server signing requirements to Require signing.
- Review client policy. Use Network security: LDAP client signing requirements so managed Windows clients do not continue initiating weak LDAP sessions.
- Re-test dependent applications. Validate bind behavior in production-relevant paths, not only in a lab OU.
- Watch for residual attempts. After enforcement, monitor Event 2888 and 2889 to find systems that still need owner action.
# Example policy validation step on a Windows host
secedit /export /cfg C:\Temp\secpol.cfg
Select-String -Path C:\Temp\secpol.cfg -Pattern 'LDAP'
The operational trap is forcing the setting without owner coordination. LDAP signing is absolutely worth enforcing, but the safest path is to inventory and migrate dependencies first. That is especially true when the same environment still has GPO Misconfigurations: How Group Policy Becomes an Attack Vector or weak password hygiene that can complicate change control.
Validate Before You Close the Finding
The final check should prove more than “the policy was changed.” Re-run the same test path that identified the weak client in the first place, confirm the bind now uses signing or LDAPS as intended, and verify that the application owner signed off the production workflow. That validation step matters because LDAP signing defects often survive through exceptions, forgotten service accounts, or old appliances that were never tested after the GPO was updated.
If your environment also shows relay exposure on nearby services, document that explicitly. In many internal reviews, the same system that still talks weak LDAP also surfaces broader network trust issues tied to NTLM_RELAY_OPPORTUNITY. Capturing that relationship gives remediation teams a stronger reason to clean up the dependency instead of requesting another long-lived exception.
How EtcSec Detects This
EtcSec links this issue directly to LDAP_SIGNING_DISABLED, and it often makes sense to review it alongside NTLM_RELAY_OPPORTUNITY when weak directory traffic and relay-friendly network paths appear together. In practice, the useful output is not just “setting is weak.” It is whether the domain controller policy remains permissive, whether weak clients are still active, and whether the remediation owner sits with AD engineering or with an application team.
ℹ️ Note: EtcSec automatically checks for LDAP signing weaknesses during every Active Directory audit. That helps separate a clean policy statement from a control that is actually enforced on live domain controllers.
Official References
- Microsoft Learn: LDAP signing for Active Directory Domain Services on Windows Server
- Microsoft Learn: Manage LDAP signing using Group Policy for Active Directory Domain Service
- Microsoft Learn: How to enable LDAP signing in Windows Server
- Microsoft Support KB4520412: LDAP channel binding and LDAP signing requirements for Windows
Related Reading
If you are remediating LDAP signing, review it alongside NTLM Relay Attacks: Hijacking Authentication in AD, Active Directory Monitoring: Security Event IDs That Matter, Active Directory Attack Paths to Domain Admin, GPO Misconfigurations: How Group Policy Becomes an Attack Vector, and Active Directory Password Security: Misconfigurations That Matter. LDAP hardening is strongest when network trust, directory trust, and privilege paths are reviewed together.
