
Microsoft Introduces a New Registry Setting to Make LDAP Authentication More Secure

As part of its July 2017 Patch Tuesday rollout of security updates, Microsoft is providing a new registry setting to allow administrators to make LDAP authentication more secure over SSL/TLS.

The registry setting is called: LdapEnforceChannelBinding

It's located at: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.

DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.

DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.

Associated KB article: KB4034879

Security Advisory: CVE-2017-8563
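
One way to audit and stage the setting described above from an elevated PowerShell session on a domain controller. This is an added example, not code from Microsoft or the KB article. The function names `Get-LdapChannelBinding` and `Set-LdapChannelBinding` are hypothetical, and the script reports an absent value as "not configured" rather than assuming it equals 0.

```powershell
# Added example: audit and stage LdapEnforceChannelBinding on a domain controller.
# Function names are hypothetical; run elevated on the DC itself.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'LdapEnforceChannelBinding'
$Meaning = @{
    0 = 'Disabled: no channel binding validation'
    1 = 'Enabled, when supported: CBT required from updated clients only'
    2 = 'Enabled, always: clients without CBT are rejected'
}

function Get-LdapChannelBinding {
    # Returns the configured value, or reports that the value is absent.
    if (-not (Test-Path $NtdsParams)) {
        throw "$NtdsParams not found; this host does not look like a domain controller."
    }
    $item = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'Not configured (value absent)' }
    }
    $v = [int]$item.$ValueName
    $text = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { 'Unrecognized value' }
    [pscustomobject]@{ Value = $v; Meaning = $text }
}

function Set-LdapChannelBinding {
    # Writes the DWORD; only the three values the article documents are accepted.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )
    $before = Get-LdapChannelBinding
    if ($PSCmdlet.ShouldProcess("$NtdsParams\$ValueName", "Set DWORD to $Value")) {
        New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    [pscustomobject]@{ Before = $before.Value; After = (Get-LdapChannelBinding).Value }
}

# Typical staging: inspect, preview the move to 1 (compatibility), move to 2 later.
Get-LdapChannelBinding
Set-LdapChannelBinding -Value 1 -WhatIf
```

Drop `-WhatIf` to apply the change; moving to 2 rejects any client that does not send channel binding information, so confirm client support while running at 1 first.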

