Skip to content

LDAP Channel Binding and LDAP Signing #1828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

LDAP Channel Binding and LDAP Signing #1828

carlospolop wants to merge 1 commit into from
+66 −0

Conversation

@carlospolop
Copy link
Collaborator

@carlospolop carlospolop commented Jan 29, 2026

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title/Context (TrustedSec, Jan 29, 2026)
The post explains two distinct Active Directory (AD) hardening controls—LDAP Channel Binding and LDAP Signing—and why they matter for stopping real-world person-in-the-middle, relay/forwarding, and replay-style abuse of LDAP authentication flows (i.e., an attacker positioning between an application/system and the Domain Controller (DC) to obtain a “valid authentication ticket”). It emphasizes that many environ...

🔧 Technical Details

LDAP Channel Binding (CBT) anti-relay hardening: When LDAP binds occur over SSL/TLS (LDAPS), bind the authentication to the specific TLS tunnel by requiring Channel Binding Tokens (CBTs). Deploy by setting the DC policy “Domain controller: LDAP server channel binding token requirements” to “When Supported” first to generate audit events (e.g., 3039 plus the KB4520412 “what-if” events 3074/3075 on Server 2019/2022 DCs), then switch to “Always” to reject LDAPS binds that omit CBT data or would fail CBT validation, thereby preventing forwarded/relayed authentication across different TLS channels.

LDAP Signing integrity + relay resistance: Require clients to cryptographically sign LDAP requests so DCs reject unsigned authentication requests and detect message tampering. Implement in two places: (1) client-side GPO “Network security: LDAP client signing requirements = Require signing”, and (2) DC-side signing requirements (“Require signing” on older DC policy; on Server 2025 DCs us...

🤖 Agent Actions

Summary:

  • Added new Active Directory hardening page on LDAP Signing & Channel Binding, covering audit/enforcement steps, required patches, GPO options (including Server 2025 defaults), event IDs, and diagnostics setup.
  • Linked the new hardening guidance from the AD General Defenses section to highlight LDAP relay mitigation.

Testing:

  • Not applicable (documentation changes only).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Copy link
Collaborator Author

carlospolop commented Jan 29, 2026

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/ldap-channel-binding-and-ldap-signing

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (or a new subpage under AD for "LDAP Relay/MITM Mitigations: LDAP Signing & Channel Binding")".

Repository Maintenance:

  • MD Files Formatting: 945 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlospolop