Channel binding is a key security measure used to prevent relay and man-in-the-middle (MITM) attacks on LDAP connections. While LDAP signing already provides an important layer of security, channel binding fills in the remaining gaps, especially in scenarios involving TLS termination. Let’s break down what this means and why both mechanisms are necessary.
Quick Recap on LDAP Signing
Here are some key points to remember about LDAP signing.
- Simple binds use usernames and passwords for authentication.
- SASL binds use integrated authentication mechanisms like NTLM and Kerberos.
- Simple binds without TLS expose credentials to the network and are vulnerable to MITM attacks.
- Simple binds over TLS are secure because TLS encrypts the session and maintains data integrity.
- SASL binds can use signing, allowing the exchange of session keys that secure communication and ensure packet integrity.
- SASL binds over TLS rely on TLS for security instead of LDAP signing.
- Enforcing LDAP signing ensures that SASL binds without signing and simple binds without TLS are rejected.
At a glance, the LDAP signing seems comprehensive. But let’s think like an attacker.
The Security Loophole
- A potential loophole exists: If an attacker can terminate the client’s TLS session and re-establish a new one on the server, they could manipulate LDAP traffic midstream. LDAP signing can't detect this because the new TLS session still satisfies the signing requirement.
- This is where channel binding steps in. It ensures that the original TLS session used by the client remains the same throughout the session by using a Channel Binding Token (CBT), made possible through Extended Protection for Authentication (EPA). Since attackers can't access the client’s credentials, they cannot generate a valid CBT in a relay scenario—effectively closing the loophole.
Important Notes
- Simple binds do not use EPA and cannot benefit from channel binding.
- Simple binds over TLS are not impacted by channel binding enforcement.
- SASL binds without TLS are also unaffected by channel binding settings.
LDAP Channel Binding Enforcement Settings
LDAP channel binding was introduced in March 2020 and is supported as far back as Windows Server 2008. It's controlled via the Group Policy setting.
Domain controller: LDAP server channel binding token requirements
This corresponds to the registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
Policy Options
- Never: No channel binding validation is performed.
- When supported: Clients that support channel binding must provide a valid CBT. Other clients are unaffected.
- Always: All connections must present a valid CBT or be rejected, regardless of client support.
Note. This registry setting doesn’t exist until configured. Once applied, it takes effect immediately—no reboot required.
Client Support
No special configuration is required on the client side—only support for Extended Protection for Authentication (EPA), introduced in August 2009.
Auditing and Event Logs
Windows Server 2019/2022 (with updates from Nov 2023)
- Event ID 3075 (Directory Service log): Logs whenever a client fails to provide a CBT. Includes source IP and username.
- Requires LDAP Interface Events diagnostic logging set to level 2 or higher.
- Only logged when channel binding is set to Never or When supported.
- Event ID 3074: Logs rejections of EPA-enabled clients that present an invalid CBT.
![Event ID 3074]()
Windows Server 2016 and earlier.
Event ID 3039
- Logged only when the binding is set to When supported or Always.
- Requires the same diagnostic logging level.
- Only useful after enforcing settings—they do not help with preemptive monitoring.
If you’re using older domain controllers, consider enforcing channel binding on a few DCs and monitoring 3039 events as a test, before deploying across the domain.
![DCs]()
Load Balancing Considerations
Load balancing LDAP traffic can be problematic when enforcing channel binding.
- If your load balancer terminates and re-establishes TLS sessions, connections will be rejected under channel binding enforcement.
- TLS must persist end-to-end from the client to the domain controller.
- To support this,
- The load balancer FQDN must be included in the Subject Alternative Name (SAN) of the certificate used on the domain controller.
- Or, configure apps to use simple binds instead of SASL.
Best Practices: Do's and Don'ts
- Do
- Understand that channel binding only applies to SASL binds over TLS.
- Begin with “When supported” enforcement—it's a low-risk starting point.
- Use a central logging solution for monitoring event IDs 3039, 3074, and 3075.
- Plan upgrades—Server 2016 extended support ends in January 2027.
- Don't
- Assume legacy clients like Windows XP block you from enabling channel binding—they likely don't use TLS for SASL binds.
- Configure “Always” enforcement without first investigating the source of 3075 events.
- Rely on LDAP signing alone—TLS termination still poses a risk that only channel binding can mitigate.
By understanding the limitations of LDAP signing and the benefits of channel binding, you can confidently secure your environment against modern LDAP relay threats. Start with "When supported" enforcement, monitor your logs, and then gradually move toward "Always"—all while ensuring your apps and clients are compatible.