LDAP Channel Binding and LDAP Signing

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://trustedsec.com/blog/ldap-channel-binding-and-ldap-signing
• Blog Title: LDAP Channel Binding and LDAP Signing
• Suggested Section: Windows Hardening -> Active Directory Methodology (or a new subpage under AD for "LDAP Relay/MITM Mitigations: LDAP Signing & Channel Binding")

🎯 Content Summary

Title/Context (TrustedSec, Jan 29, 2026)
The post explains two distinct Active Directory (AD) hardening controls—LDAP Channel Binding and LDAP Signing—and why they matter for stopping real-world person-in-the-middle, relay/forwarding, and replay-style abuse of LDAP authentication flows (i.e., an attacker positioning between an application/system and the Domain Controller (DC) to obtain a “valid authentication ticket”). It emphasizes that many environ...

🔧 Technical Details

LDAP Channel Binding (CBT) anti-relay hardening: When LDAP binds occur over SSL/TLS (LDAPS), bind the authentication to the specific TLS tunnel by requiring Channel Binding Tokens (CBTs). Deploy by setting the DC policy “Domain controller: LDAP server channel binding token requirements” to “When Supported” first to generate audit events (e.g., 3039 plus the KB4520412 “what-if” events 3074/3075 on Server 2019/2022 DCs), then switch to “Always” to reject LDAPS binds that omit CBT data or would fail CBT validation, thereby preventing forwarded/relayed authentication across different TLS channels.

LDAP Signing integrity + relay resistance: Require clients to cryptographically sign LDAP requests so DCs reject unsigned authentication requests and detect message tampering. Implement in two places: (1) client-side GPO “Network security: LDAP client signing requirements = Require signing”, and (2) DC-side signing requirements (“Require signing” on older DC policy; on Server 2025 DCs us...

🤖 Agent Actions

Summary:

• Added new Active Directory hardening page on LDAP Signing & Channel Binding, covering audit/enforcement steps, required patches, GPO options (including Server 2025 defaults), event IDs, and diagnostics setup.
• Linked the new hardening guidance from the AD General Defenses section to highlight LDAP relay mitigation.

Testing:

• Not applicable (documentation changes only).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/ldap-channel-binding-and-ldap-signing

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (or a new subpage under AD for "LDAP Relay/MITM Mitigations: LDAP Signing & Channel Binding")".

Repository Maintenance:

• MD Files Formatting: 945 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0