How to enable directory service diagnostics/verbose log and find who was using LDAP without SSL

Microsoft will release a security update in March 2020 for all supported Windows platforms that enables LDAP channel binding and LDAP signing on Active Directory servers by default. After the change, the DC will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), and reject LDAP simple binds that are performed over a clear text (non-SSL/TLS-encrypted) connection.

If we still have devices or users that bind to LDAP without SSL, their authentication will stop working and users and business processes will be affected. By default, the Directory Service log shows a Warning event with ID 2887. It reports the number of simple binds performed without SSL/TLS, like this:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection

This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see

Summary information on the number of these binds received within the past 24 hours is below.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.

Number of simple binds performed without SSL/TLS: 5486
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 419

To find out who was using LDAP without SSL, we need to enable the diagnostics log for LDAP Interface Events. Run Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Find LDAP Interface Events and set its data to 4 to enable verbose logging. After letting it run for a while, we can disable it again by changing the data value back to 0.

Then in Event Viewer -> Applications and Services Logs -> Directory Service, look for Event ID 2889 entries, which show the client IP address and the user name the client bound as.
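The same procedure can be scripted so that the verbose level is raised, the 2889 events are collected and summarised per client, and the level is restored afterwards. This is an added PowerShell example, not code from the original post. It assumes it runs elevated on the domain controller, that the registry value behind "LDAP Interface Events" is named `16 LDAP Interface Events` (the numbered value names used under the NTDS Diagnostics key), and that the event 2889 message contains the "Client IP address:", "Identity the client attempted to authenticate as:" and "Binding Type:" lines; the mapping of binding type 0/1 to simple/SASL is an assumption, so check it against one real event before relying on it.

```powershell
# Added example (not from the original post). Assumptions: run elevated on a DC,
# the 'Directory Service' log exists, and the 2889 message format matched below.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'   # registry value behind "LDAP Interface Events" (assumed name)
$Hours     = 24                            # how long to collect before turning logging off again

# 1. Remember the current level and raise it. The post uses 4; the 2887 event text says 2 or higher is enough.
$orig = (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName
Set-ItemProperty -Path $diagKey -Name $valueName -Value 2 -Type DWord
Write-Host "LDAP Interface Events set to 2 (was $orig); collecting 2889 events for $Hours hours..."
Start-Sleep -Seconds ($Hours * 3600)

# 2. Pull the 2889 events written during the collection window.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Parse client IP (includes source port), identity and binding type out of the message text.
$report = foreach ($e in $events) {
    $ip = $id = $type = $null
    if ($e.Message -match 'Client IP address:\s*(?<ip>[^\r\n]+)') { $ip = $Matches.ip.Trim() }
    if ($e.Message -match 'Identity the client attempted to authenticate as:\s*(?<id>[^\r\n]+)') { $id = $Matches.id.Trim() }
    if ($e.Message -match 'Binding Type:\s*(?<t>\d+)') {
        # Assumed mapping: 0 = simple bind over clear text, 1 = SASL bind without signing.
        $type = if ($Matches.t -eq '0') { 'SimpleBind-ClearText' } else { 'SASL-Unsigned' }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id; BindType = $type }
}

# 4. One row per client/identity/bind type, most frequent first, so the offenders are obvious.
$report | Group-Object ClientIP, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
                  @{ n = 'Identity'; e = { $_.Group[0].Identity } },
                  @{ n = 'BindType'; e = { $_.Group[0].BindType } } |
    Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\ldap-2889-report.csv" -NoTypeInformation

# 5. Put the diagnostics level back (normally 0 = off) so the log does not keep growing.
Set-ItemProperty -Path $diagKey -Name $valueName -Value $orig -Type DWord
```

The CSV gives you a list to work through before the hardening update lands: each distinct client IP and identity is a device or service account whose LDAP configuration needs to move to LDAPS or to signed SASL binds. Level 2 already produces one 2889 event per offending bind, so on a busy DC keep the collection window short and watch the Directory Service log size.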

More info: Use verbose logging to troubleshoot in Active Directory
