When connecting to Active Directory over LDAPS, clients can include channel binding information in the LDAP bind (a channel binding token that ties the bind to the TLS session it was sent over). Active Directory can validate this information and reject binds that lack it. However, if Active Directory always requires channel binding information from clients, WSTEP enrollments through Certificate Enrollment Gateway can fail, because the gateway's LDAPS binds do not carry it. Active Directory provides the registry setting LdapEnforceChannelBinding, read by the NTDS service on each domain controller, that controls whether channel binding information is required from clients. For more information about this registry setting, see the Microsoft documentation.
To configure channel binding enforcement in Active Directory
- Log on to a domain controller as a member of the Domain Admins group. The setting is per domain controller, so repeat this procedure on each domain controller that Certificate Enrollment Gateway connects to.
- Open the Windows registry editor:
  - Select Start > Windows System > Run. The Run dialog box appears.
  - Enter regedit, and then click OK.
- In the tree view, navigate to the following location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
- Add the registry setting LdapEnforceChannelBinding if it does not exist:
  - Select Edit > New > DWORD (32-bit) Value.
  - Enter LdapEnforceChannelBinding as the name of the new value.
- Select LdapEnforceChannelBinding, and then select Edit > Modify. The Edit DWORD (32-bit) Value dialog box appears.
- In the Value data field, enter one of the following values:
  - 0 to disable channel binding validation. Active Directory accepts LDAPS binds from all clients without checking channel binding information.
  - (Recommended.) 1 to enable channel binding validation when supported. Clients that run a version of Windows updated to support channel binding tokens must provide valid channel binding information; clients that do not support channel binding tokens are still accepted. This setting requires the domain controller to have the update for CVE-2017-8563 installed, and it allows WSTEP enrollments through Certificate Enrollment Gateway to succeed.
  - 2 to always require channel binding validation. All clients must provide channel binding information, and Active Directory rejects LDAPS binds that do not, so WSTEP enrollments through Certificate Enrollment Gateway can fail.
- Click OK.
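The same change can be made and verified from an elevated PowerShell session on the domain controller. The script below is an added example, not part of the original page or of Certificate Enrollment Gateway; the registry path and value name are those given above, and the function names Get-LdapChannelBindingMode and Set-LdapChannelBindingMode are this example's own. It reads the current setting, writes the recommended value 1 (creating the DWORD if it is missing), and warns if you ask for value 2 because that is the mode under which WSTEP enrollments can fail.

```powershell
# Added example: manage LdapEnforceChannelBinding on the local domain controller with PowerShell.
# Run in an elevated session as a member of Domain Admins; repeat on every domain controller.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$RegName = 'LdapEnforceChannelBinding'

# Hypothetical helper (not a built-in cmdlet): report the current mode in words.
function Get-LdapChannelBindingMode {
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not set (server default applies)'
    }
    switch ($item.$RegName) {
        0       { 'Never (0): channel binding information is not validated' }
        1       { 'When supported (1): validated only for clients that send a channel binding token' }
        2       { 'Always (2): all clients must send a channel binding token' }
        default { "Unexpected value: $($item.$RegName)" }
    }
}

# Hypothetical helper (not a built-in cmdlet): set the mode, creating the DWORD if needed.
function Set-LdapChannelBindingMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )
    if ($Mode -eq 2) {
        Write-Warning 'Mode 2 rejects every client that does not send channel binding information, including WSTEP enrollments through Certificate Enrollment Gateway.'
    }
    # -Force creates the value if it does not exist and overwrites it if it does;
    # the value must be a REG_DWORD, as in the regedit procedure above.
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value $Mode -Force | Out-Null
}

'Before: ' + (Get-LdapChannelBindingMode)
Set-LdapChannelBindingMode -Mode 1   # recommended setting
'After:  ' + (Get-LdapChannelBindingMode)
```

After changing the value, confirm that a WSTEP enrollment through Certificate Enrollment Gateway still succeeds before rolling the setting out to the remaining domain controllers.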