Desktop - macOS bind to AD

This page serves as a record of the testing done, and remaining, for eliminating the use of unsigned protocols or plaint text LDAP from macOS computers to using resources from an Active Directory domain.

References

• Microsoft
  • ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
  • 2020 LDAP channel binding and LDAP signing requirement for Windows
  • LDAP Channel Binding and LDAP Signing Requirements
• Joe Schiffman's solution guide
  • Bind Mac OS to Active Directory over SSL
• Apple
  • Configure domain access in Directory Utility on Mac

EventCode 2889

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 

Splunk

EventCode 2889

index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"

Binding Type

index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
| rex field=_raw "(?ms)Binding\s+Type:\s+(?<typeBind>\d)"
| table _time, host, EventCode, ClientIPAddress, typeBind