I am working with a client that is currently working on their systems that won't be able to communicate with their Domain Controllers anymore after Microsoft releases the patch(es) that require secure channel LDAP binding and signing. The information on these patches can be found at the link below.
The client is seeing messages showing that their Repository server and their 3 web servers aren't using secure LDAP to communicate with the Domain Controllers. The messages within the Windows Directory Services event logs say that "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection."
I can see the option for setting up the repository to connect to LDAP within the administration console under LDAP Management, but I don't think this would do anything for this client. The client uses accounts under Windows Accounts, which are all licensed from the Directory Server. Both of those services reach out to the Domain Controllers to validate, as do their Forms servers.
Is there a way to get all of the connections from the various applications that users would authenticate with Windows credentials to use SSL/TLS for the LDAP requests they make to the Domain Controllers?
Thanks,
Cody
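The event log message quoted in the post is what a Domain Controller writes as Directory Service Event ID 2889, one event per offending bind. The following PowerShell script is an added example (not part of the original post or the product's own tooling) that inventories those events so each client host and account can be fixed before the enforcement patch lands; it assumes it is run with read access to the DC's Directory Service log and that LDAP Interface Events diagnostic logging is set to at least 2 on that DC, otherwise no 2889 events are recorded.

```powershell
# Added example: summarise Directory Service Event ID 2889 (unsigned SASL bind or
# cleartext simple bind) by client IP, identity and bind type over the last N days.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumed: a DC you can read logs from
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 2889 events found on $DomainController in the last $Days days."
    Write-Warning "Confirm that the '16 LDAP Interface Events' diagnostic level is at least 2 on that DC."
    return
}

# Event 2889 carries three properties: client IP:port, identity bound as, binding type.
# Binding type 0 = SASL bind without signing, 1 = simple bind over cleartext LDAP.
$rows = foreach ($e in $events) {
    $props = $e.Properties
    [pscustomobject]@{
        ClientIP = ($props[0].Value -split ':')[0]   # drop the ephemeral source port
        Identity = $props[1].Value
        BindType = if ($props[2].Value -eq '0') { 'Unsigned SASL' } else { 'Simple bind (cleartext)' }
        Time     = $e.TimeCreated
    }
}

# One line per (client, identity, bind type) so each offending host/account is visible.
$rows |
    Group-Object ClientIP, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ Name = 'ClientIP'; Expression = { $_.Group[0].ClientIP } },
                  @{ Name = 'Identity'; Expression = { $_.Group[0].Identity } },
                  @{ Name = 'BindType'; Expression = { $_.Group[0].BindType } },
                  @{ Name = 'LastSeen'; Expression = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it against each Domain Controller, since 2889 events are logged only on the DC that received the bind; the hosts that appear (here the repository and web servers) are the ones whose LDAP client settings need to request signing or move to LDAPS.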