During the previous 24 hour period some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server please see http://go.microsoft.com/fwlink/LinkID=87923.
Summary information on the number of these binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind including information on which client made the bind. To do so please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds performed without SSL/TLS: 31
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
See ME935834 on how to enable LDAP signing in Windows Server 2008.
According to T941856, to resolve this, you need to configure the directory to reject LDAP binds that do not require signing. See the article for additional details.
You can ignore this message if you are not concerned about LDAP clients connecting through non-SSL/TLS channels. This is a rather new feature and not all the client computers have the ability to use SSL-encrypted communication channels with LDAP. On the other hand, if this is a requirement for your environment, you need to identify the clients and upgrade/reconfigure them accordingly.
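One way to raise the "LDAP Interface Events" logging level and then list which clients made these binds, as an added example that is not part of the original page or of Microsoft's documentation. It assumes an elevated PowerShell session on the domain controller, that the diagnostics value is `16 LDAP Interface Events` under the NTDS `Diagnostics` registry key, and that the per-bind events are recorded as event ID 2889 in the Directory Service log with client address, account and bind type as the first three event properties; the function names are hypothetical.

```powershell
# Added example. Assumptions (not from the page): the registry value name,
# event ID 2889 and the order of its properties. Function names are hypothetical.
$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'

function Set-LdapInterfaceLogging {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    # Return the previous level so it can be restored once the clients are identified.
    $old = (Get-ItemProperty -Path $DiagKey -Name $DiagValue).$DiagValue
    Set-ItemProperty -Path $DiagKey -Name $DiagValue -Value $Level -Type DWord
    return $old
}

function Get-InsecureLdapBind {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no binds seen".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $binds = foreach ($e in $events) {
        [pscustomobject]@{
            # Property 0 is "address:port"; drop the trailing source port.
            Client   = ([string]$e.Properties[0].Value) -replace ':\d+$', ''
            Account  = [string]$e.Properties[1].Value
            # Property 2: 1 = simple bind without SSL/TLS, 0 = SASL bind without signing.
            BindType = if ($e.Properties[2].Value -eq 1) { 'Simple, no SSL/TLS' } else { 'SASL, unsigned' }
        }
    }
    # One row per client/account/bind type, busiest first.
    $binds | Group-Object Client, Account, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage:
#   $previous = Set-LdapInterfaceLogging -Level 2
#   ...wait for clients to bind again, then:
#   Get-InsecureLdapBind -Hours 24 | Format-Table -AutoSize
#   Set-LdapInterfaceLogging -Level $previous | Out-Null
```

Restoring the previous level afterwards keeps the Directory Service log from filling with one event per bind.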