...

...

OS / hardware | Build notes | Bind method / configuration | packetsign | packetencrypt | AD Certificate | LoginWindow | EC | dscl | eccl
10.14.6, MacBook Air (Early 2013) | USB installer; Setup Assistant by hand | BigFix/dsconfigad | allow | allow | N | AD\atl-mba-1014$; 2889; typebind=0 | 1.8.1; AD\atlauren; 2889; typebind=0 | n/a |
 | | | require | allow | N | AD\atl-mba-1014$; 2889; typebind=0 | 1.8.1; AD\atlauren; 2889; typebind=0 | n/a |
10.15.2, MacBook Pro (2017) | USB installer; Setup Assistant by hand | | | | | | | |

Reading the LoginWindow and EC cells: the identity is the account the domain controller saw bind, "2889" means the DC logged Directory Service event 2889 for that bind, and "typebind=0" is that event's Binding Type 0 (a SASL bind that did not request signing; Binding Type 1 would be a simple bind over a cleartext connection). The 1.8.1 in the EC column is presumably the Enterprise Connect version. Note that with packetsign set to require on the client, the DC still logged 2889 for both the machine and the user bind in this test.

...

Client: LDAP search for the base properties of the directory (rootDSE).
Server: result advertising that it supports SASL GSSAPI bind (supportedSASLMechanisms).
Client: SASL bindRequest of type GSSAPI on port 389, carrying the Kerberos AP-REQ (the service ticket for the DC is fetched from the KDC on port 88 before this).
Server: saslBindInProgress with the GSS-API AP-REP, which specifies the encryption type.
Client: SASL bindRequest of type GSSAPI continuing the exchange.
Server: saslBindInProgress with the wrapped GSS-API token listing the security layers (signing/sealing) the server offers.
Client: SASL bindRequest of type GSSAPI with the wrapped token declaring the security layer the client chose.
Server: bind success.

The last client message is the one that matters for event 2889: if the client chooses no integrity (signing) layer here, the DC logs the bind as Binding Type 0.
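As an added example (not from the original page), the same exchange reconstructed as LDAP wire bytes with a minimal BER encoder/decoder, so a bind pulled from a capture can be classified as a simple (cleartext password) bind or a SASL/GSSAPI bind. The GSS-API token bytes are constructed placeholders, not real Kerberos AP-REQ/AP-REP or wrap tokens.

```python
# Added example (not from the original page): minimal BER encoding/decoding of the
# LDAP bind messages in the exchange above. Token bytes are constructed placeholders.

SUCCESS = 0
SASL_BIND_IN_PROGRESS = 14   # LDAPResult resultCode values from RFC 4511


def ber_len(n):
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def small_int(tag, value):
    """INTEGER/ENUMERATED for 0..127 (enough for messageID, version, resultCode)."""
    return tlv(tag, bytes([value]))


def bind_request(msg_id, name="", password=None, mechanism=None, token=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }."""
    if mechanism is None:
        auth = tlv(0x80, password.encode())                                # simple [0] OCTET STRING
    else:
        auth = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))  # sasl [3] SaslCredentials
    op = tlv(0x60, small_int(0x02, 3) + tlv(0x04, name.encode()) + auth)   # version 3, name, auth
    return tlv(0x30, small_int(0x02, msg_id) + op)


def bind_response(msg_id, result_code, server_sasl_creds=None):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    body = small_int(0x0A, result_code) + tlv(0x04, b"") + tlv(0x04, b"")  # resultCode, matchedDN, diagnosticMessage
    if server_sasl_creds is not None:
        body += tlv(0x87, server_sasl_creds)                               # serverSaslCreds [7] OCTET STRING
    return tlv(0x30, small_int(0x02, msg_id) + tlv(0x61, body))


def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def classify_bind(msg):
    """Decode one LDAPMessage and report what kind of bind it is."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, p = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, p)
    out = {"message_id": int.from_bytes(mid, "big")}
    if op_tag == 0x60:                                   # bindRequest
        _, _, p = read_tlv(op, 0)                        # version
        _, name, p = read_tlv(op, p)
        auth_tag, auth, _ = read_tlv(op, p)
        out.update(op="bindRequest", name=name.decode())
        if auth_tag == 0x80:
            out["auth"] = "simple"            # password on the wire: 2889 Binding Type 1 unless over TLS
        elif auth_tag == 0xA3:
            _, mech, _ = read_tlv(auth, 0)
            out["auth"] = "sasl/" + mech.decode()   # 2889 Binding Type 0 if no signing layer is negotiated
        else:
            out["auth"] = "unknown"
    elif op_tag == 0x61:                                 # bindResponse
        _, code, p = read_tlv(op, 0)
        _, _, p = read_tlv(op, p)                        # matchedDN
        _, _, p = read_tlv(op, p)                        # diagnosticMessage
        out.update(op="bindResponse", result_code=int.from_bytes(code, "big"),
                   server_sasl_creds=(p < len(op) and op[p] == 0x87))
    return out


def gssapi_exchange():
    """The six bind messages of the exchange above as wire bytes, with placeholder tokens.
    The Kerberos service ticket for the DC is fetched from the KDC (port 88) before message 1."""
    return [
        ("client", bind_request(1, mechanism="GSSAPI", token=b"<AP-REQ placeholder>")),
        ("server", bind_response(1, SASL_BIND_IN_PROGRESS, b"<AP-REP placeholder>")),
        ("client", bind_request(2, mechanism="GSSAPI")),                   # empty credentials: continue
        ("server", bind_response(2, SASL_BIND_IN_PROGRESS, b"<wrap: offered security layers>")),
        ("client", bind_request(3, mechanism="GSSAPI", token=b"<wrap: chosen security layer>")),
        ("server", bind_response(3, SUCCESS)),
    ]


if __name__ == "__main__":
    for side, msg in gssapi_exchange():
        print(side, msg.hex(), classify_bind(msg))
```

Feeding `classify_bind` the bytes of a captured `bindRequest` tells you whether a client is doing simple or SASL binds; which security layer a SASL client actually chose is inside the wrapped token and is not decoded here, which is exactly why the DC's event 2889 is the authoritative signal.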

 

 

Appendix: Raw text from Fall 2019 testing

...

Splunk: index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
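As an added example (not from the original page), the event bodies that query returns can be triaged offline: parse each 2889 message, split machine-account binds (identity ending in "$") from user binds, and count unsigned SASL versus cleartext simple binds per client IP. The events below are constructed samples in the layout the Directory Service log writes; the IPs and the svc-scanner identity are not from the page.

```python
# Added example (not from the original page): triage of Directory Service event 2889
# messages. SAMPLE_EVENTS are constructed; the IPs and identities are not from the page.
import re
from collections import defaultdict

BINDING_TYPE = {0: "SASL bind without signing", 1: "simple bind over cleartext"}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d)",
    re.S,
)

_2889_TEMPLATE = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
    "Client IP address:\n{ip}:{port}\n"
    "Identity the client attempted to authenticate as:\n{identity}\n"
    "Binding Type:\n{btype}\n"
)

SAMPLE_EVENTS = [  # constructed samples
    _2889_TEMPLATE.format(ip="192.0.2.10", port=49731, identity="AD\\atl-mba-1014$", btype=0),
    _2889_TEMPLATE.format(ip="192.0.2.10", port=49802, identity="ad\\atlauren", btype=0),
    _2889_TEMPLATE.format(ip="192.0.2.10", port=49915, identity="AD\\atl-mba-1014$", btype=0),
    _2889_TEMPLATE.format(ip="192.0.2.77", port=51200, identity="AD\\svc-scanner", btype=1),
]


def parse_2889(message):
    """Extract the fields of one event 2889 message; None if the text is not a 2889 body."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    identity = m["identity"]
    btype = int(m["btype"])
    return {
        "ip": m["ip"],
        "port": int(m["port"]),
        "identity": identity,
        "account_kind": "machine" if identity.endswith("$") else "user",
        "binding_type": btype,
        "binding": BINDING_TYPE.get(btype, "unknown"),
    }


def summarize(messages):
    """Group events by client IP: which identities bound from it, and how."""
    per_ip = defaultdict(lambda: {"machine": set(), "user": set(),
                                  "unsigned_sasl": 0, "cleartext_simple": 0})
    for msg in messages:
        ev = parse_2889(msg)
        if ev is None:
            continue
        entry = per_ip[ev["ip"]]
        # the DC logs "AD\..." and "ad\..." for the same principal, so fold case
        entry[ev["account_kind"]].add(ev["identity"].lower())
        if ev["binding_type"] == 0:
            entry["unsigned_sasl"] += 1
        elif ev["binding_type"] == 1:
            entry["cleartext_simple"] += 1
    return {ip: {**e, "machine": sorted(e["machine"]), "user": sorted(e["user"])}
            for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_EVENTS).items()):
        print(ip, entry)
```

On the Macs tested on this page the machine-account entries come from the loginwindow/dsconfigad bind and the user entries from Enterprise Connect, so the two lists point at two different things to fix (dsconfigad packetsign versus the EC client) before LDAP signing is enforced on the DCs; cleartext simple binds are the higher priority because the password itself is on the wire.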

 

ATL-MBP-018

Which Airwatch OU? — macOS standard supported policies

AD record?
  NOPE -> reassign profile
  YEP

EventCode="2889"
  events as "AD\oidadder" during machine bind
  events as "AD\atl-mbp-018$" thereafter, periodically
  with login events too

create "atlauren" Andrew Fake
logout
login as "atlauren" local account
  -> events as machine account
login to EC
  events as "ad\atlauren"
EC reconnect
  events as "ad\atlauren"
machine events on logout
events from machine and user on login/EC

** move to Airwatch OU Experimental **
AD/Certificate profile lands
new events for rebinding as oitadder, machine record in New Computers OU
  *is a complete rebind*
move to OU

EC reconnect
  no events
logout
  no events
reboot
  events as machine record
login atlauren
  event as atlauren
EC reconnect
  event as atlauren

 

Appendix: DNS notes

Be sure to use AD's DNS servers: 128.200.236.195, 128.195.143.166 (the bind and the Kerberos lookups depend on the domain's SRV records, which only AD's DNS serves).