I am trying to secure our network bit by bit and am currently working on making Active Directory authentication more secure. We’ve been receiving a lot of events on our domain controllers about clients authenticating using insecure means:
Event 2887, ActiveDirectory_DomainService:
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
I did some research and was able to discover that our vCSA is one of those clients:
Event 2889, ActiveDirectory_DomainService:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
Identity the client attempted to authenticate as:
(vCSA Computer Account)
I’ve done some research and have not been able to find a way to reconfigure our vCSA to use a more secure method. Some of the other devices we have reconfigured were able to use SSL and port 636 for this, but I cannot find these settings anywhere on the vCSA or in vSphere.
The identity source is currently set up as “Active Directory (Integrated Windows Authentication)”. Do I need to change this to “Active Directory as an LDAP server” or something else?
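An added PowerShell example (not part of the original post) for the triage step described above: it pulls Event 2889 from a domain controller's Directory Service log and tabulates which clients and accounts are still binding without signing or via cleartext simple binds, so a device like the vCSA stands out. It assumes the "16 LDAP Interface Events" diagnostic level has been raised to 2 so that the per-client 2889 events are written at all; the -ComputerName and -Hours parameters are assumptions of this script.

```powershell
# Summarise Directory Service Event 2889 on a DC: which clients still bind
# without LDAP signing or do simple binds in cleartext, and how often.
# Assumes rights to read the DC's 'Directory Service' log and that
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\"16 LDAP Interface Events"
# is set to 2 (otherwise only the 24-hour summary event 2887 is written).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No Event 2889 in the last $Hours hours on $ComputerName (is '16 LDAP Interface Events' set to 2?)"
    return
}

# The message body carries three fields, as seen in the post:
#   Client IP address: <ip>:<port>
#   Identity the client attempted to authenticate as: <account>
#   Binding Type: 0 = SASL bind without signing, 1 = simple bind over cleartext
$pattern = 'Client IP address:\s*(?<ep>\S+)\s*Identity the client attempted to authenticate as:\s*(?<id>.+?)\s*Binding Type:\s*(?<bt>\d)'

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Client      = $Matches.ep -replace ':\d+$', ''   # drop the ephemeral source port
            Identity    = $Matches.id
            BindingType = if ($Matches.bt -eq '1') { 'SimpleBindCleartext' } else { 'UnsignedSASL' }
            Time        = $e.TimeCreated
        }
    }
}

# One line per client / identity / bind type, most frequent first
$rows | Group-Object Client, Identity, BindingType | ForEach-Object {
    [pscustomobject]@{
        Client      = $_.Group[0].Client
        Identity    = $_.Group[0].Identity
        BindingType = $_.Group[0].BindingType
        Count       = $_.Count
        LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it again after changing a client's configuration: the client's row should stop appearing for new events once it binds with signing or over LDAPS.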