{"id":1263,"date":"2025-09-10T19:27:56","date_gmt":"2025-09-10T17:27:56","guid":{"rendered":"https:\/\/dyb.fr\/?p=1263"},"modified":"2025-09-10T19:27:56","modified_gmt":"2025-09-10T17:27:56","slug":"windows-server-2025-pourquoi-votre-ldap-ne-repond-plus","status":"publish","type":"post","link":"https:\/\/dyb.eu\/blog\/windows-server-2025-pourquoi-votre-ldap-ne-repond-plus\/","title":{"rendered":"Windows Server 2025: why your LDAP no longer answers"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Since the March 2020 security updates for Windows Server 2019 and earlier (Microsoft advisory ADV190023), Microsoft has been pushing domain controllers toward <strong>mandatory LDAP signing and channel binding<\/strong>:<br>once the server-side signing requirement is raised to <em>Require signing<\/em>, an <strong>unsigned simple bind over cleartext LDAP (port 389)<\/strong> is rejected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Windows Server 2022 and 2025 domain controllers, the change is far more visible:<br>applications that used to do a simple bind in cleartext fail with errors such as:<br><code>can't contact LDAP server<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One caveat before you change anything: a domain controller that refuses an unsigned bind does answer, with LDAP result 8 (<code>strongerAuthRequired<\/code>) and the comment <em>The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection<\/em>. <code>can't contact LDAP server<\/code> is result 81 (<code>LDAP_SERVER_DOWN<\/code>): the client got no LDAP answer at all, which is what you see when an application is switched to LDAPS against a DC that has no usable certificate, or when a firewall blocks the port. Read the result code first, then decide whether the fix is the policy or the certificate.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A simple bind in cleartext = username and password sent over the network with no encryption.<br>That is <strong>dangerous<\/strong> in a production environment: anyone on the path can read the credentials, and without signing an attacker who captures an NTLM authentication elsewhere can relay it to the DC's LDAP service.<br>Microsoft therefore pushes everyone toward <strong>LDAPS<\/strong> (port 636, TLS with a certificate on the DC), LDAP + StartTLS on port 389, or SASL binds (Kerberos\/NTLM) with signing and sealing, which protect the session without TLS.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Temporary workaround in a test environment<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">⚠️ <strong>Lab only, never in production.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Method 1: the Windows registry<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <code>regedit<\/code> on the domain controller.<\/li>\n\n\n\n<li>Go to:<br><code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters<\/code><\/li>\n\n\n\n<li>Add or change the values:\n<ul class=\"wp-block-list\">\n<li><code>LDAPServerIntegrity<\/code> = <code>1<\/code> (signing not required: clients that negotiate signing still get it, unsigned and cleartext binds are accepted; <code>2<\/code> = require signing, the value that rejects them)<\/li>\n\n\n\n<li><code>LdapEnforceChannelBinding<\/code> = <code>0<\/code> (never enforce channel binding tokens; <code>1<\/code> = when supported, <code>2<\/code> = always). Channel binding only applies to LDAPS and StartTLS connections, so this value has no effect on a cleartext bind on port 389: only change it if a TLS client is actually being rejected.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Restart Active Directory Domain Services (or the server).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Method 2: Group Policy (GPO)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the <strong>Group Policy Management<\/strong> console (GPMC).<\/li>\n\n\n\n<li>Edit the GPO applied to your <strong>domain controllers<\/strong> (or create a dedicated one).<\/li>\n\n\n\n<li>Browse to:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>Computer Configuration\n   → Policies\n      → Windows Settings\n         → Security Settings\n            → Local Policies\n               → Security Options\n<\/code><\/pre>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Change the following settings:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Domain controller: LDAP server signing requirements<\/strong> → <strong>None<\/strong> (the same thing as <code>LDAPServerIntegrity<\/code> = 1)<\/li>\n\n\n\n<li><strong>Domain controller: LDAP server signing requirements enforcement<\/strong> → <strong>Disabled<\/strong><\/li>\n\n\n\n<li><strong>Domain controller: LDAP server channel binding token requirements<\/strong> → <strong>When supported<\/strong> (<code>LdapEnforceChannelBinding<\/code> = 1: clients that send a token are checked, clients that do not are still accepted; <strong>Never<\/strong> is the equivalent of 0)<\/li>\n<\/ul>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>Link the GPO and force a policy refresh on the DC:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>gpupdate \/force\n<\/code><\/pre>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li>Restart Active Directory Domain Services (or the server) so the changes take effect.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"815\" src=\"https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2025\/09\/image-1024x815.png\" alt=\"\" class=\"wp-image-1264\" srcset=\"https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2025\/09\/image-1024x815.png 1024w, https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2025\/09\/image-980x780.png 980w, https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2025\/09\/image-480x382.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security reminder<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">⚠️ <strong>This relaxation must not stay in place<\/strong>.<br>In cleartext, your credentials travel unencrypted → exposure to network sniffing and man-in-the-middle attacks. The signing and channel binding requirements also exist to stop NTLM relay to LDAP and LDAPS, not only passive sniffing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In production, the right approach is to configure <strong>LDAPS (port 636)<\/strong> with a valid server certificate on every DC, point all your applications at it, and only then set the signing requirement back to <strong>Require signing<\/strong>. Before enforcing, set the NTDS diagnostic value <code>16 LDAP Interface Events<\/code> to <code>2<\/code> and inventory the clients that still bind unsigned or in cleartext from event ID 2889 in the Directory Service log (event 2887 gives a daily summary), so that nothing breaks on the day you enforce.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In <strong>test<\/strong>, you can temporarily relax the LDAP policy with a GPO or the registry.<\/li>\n\n\n\n<li>In <strong>production<\/strong>, the only sound approach is: <strong>LDAPS only<\/strong>, with signing required on the DCs.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Since the March 2020 security updates for Windows Server 2019 and earlier (Microsoft advisory ADV190023), Microsoft has been pushing domain controllers toward mandatory LDAP signing and channel binding: once the server-side signing requirement is raised to Require signing, an unsigned simple bind over cleartext LDAP (port 389) is rejected. With Windows Server 2022 and 2025 domain controllers, the change is far more visible: applications that used to do a simple bind in cleartext fail with errors such as [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1265,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[28],"class_list":["post-1263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adminsys","tag-windows"],"_links":{"self":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/1263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/comments?post=1263"}],"version-history":[{"count":0,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/1263\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media\/1265"}],"wp:attachment":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media?parent=1263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/categories?post=1263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/tags?post=1263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
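Added example for the "can't contact LDAP server" symptom and the lab workaround above (this is editor-supplied PowerShell, not code from the post): it performs the same simple bind an application would, in cleartext, with StartTLS and over LDAPS, and reads the LDAP result code so that a policy rejection (result 8, signing required) is not confused with a connection failure (result 81, no answer, typically a missing or untrusted DC certificate). The DC name `dc01.lab.local` and the test account are assumptions for a lab; the LDAPS path validates the server certificate through SChannel, so a self-signed lab certificate fails with 81 until it is trusted.

```powershell
# Editor-added example, not from the original post. Lab use only.
# Assumes a lab DC named dc01.lab.local and a throwaway test account.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [ValidateSet('Cleartext', 'StartTLS', 'LDAPS')] [string] $Mode = 'Cleartext'
    )
    $port = if ($Mode -eq 'LDAPS') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Simple bind: the password crosses the wire as-is unless TLS is active on the connection.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        switch ($Mode) {
            'LDAPS'    { $conn.SessionOptions.SecureSocketLayer = $true }           # TLS from the first byte (636)
            'StartTLS' { $conn.SessionOptions.StartTransportLayerSecurity($null) }  # upgrade the 389 session first
        }
        $conn.Bind()
        [pscustomobject]@{ Mode = $Mode; Code = 0; Verdict = 'Bind succeeded'; Detail = '' }
    } catch {
        # .NET exceptions reach PowerShell wrapped in a MethodInvocationException; unwrap to the LdapException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.LdapException]) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        # 8  = strongerAuthRequired: the DC answered and refused an unsigned bind (LDAPServerIntegrity = 2)
        # 81 = LDAP_SERVER_DOWN ("can't contact LDAP server"): no LDAP answer at all (port, firewall, TLS cert)
        $verdict = switch ($ex.ErrorCode) {
            8       { 'Rejected by the LDAP signing policy: use LDAPS/StartTLS, or LDAPServerIntegrity=1 in the lab' }
            81      { 'Connection failed: check the port, the firewall and the DC certificate for TLS' }
            default { 'Other LDAP error' }
        }
        [pscustomobject]@{ Mode = $Mode; Code = $ex.ErrorCode; Verdict = $verdict; Detail = $ex.ServerErrorMessage }
    } finally {
        $conn.Dispose()
    }
}

# Usage (lab): try all three modes against the same DC and compare the result codes.
$cred = Get-Credential -Message 'Lab test account'
'Cleartext', 'StartTLS', 'LDAPS' | ForEach-Object {
    Test-LdapBind -Server 'dc01.lab.local' -Credential $cred -Mode $_
} | Format-Table -AutoSize
```

Run it once before and once after the registry or GPO change: the cleartext row should move from code 8 to code 0, while a persistent code 81 on the LDAPS row is a certificate or network problem that no signing policy will fix.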
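Added example for the "Security reminder" section (editor-supplied PowerShell, not the post's own code): the production-side counterpart of the workaround, run on the domain controller as an administrator. It reads the two registry values the post discusses, turns on the `16 LDAP Interface Events` diagnostic so the DC logs event 2889 for every unsigned or cleartext bind, summarises those events per client, and re-enforces signing once the list is empty. The field order of event 2889 (client IP:port, identity, binding type) is taken from the event template and is an assumption to verify on your own DC; the log name `Directory Service` is the default.

```powershell
# Editor-added example, not from the original post. Run on the DC as an administrator.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Get-DcLdapPolicy {
    # Reads the two values the post sets; a missing value means the OS default applies.
    $p = Get-ItemProperty -Path "$ntds\Parameters"
    [pscustomobject]@{
        LDAPServerIntegrity       = if ($null -ne $p.LDAPServerIntegrity) { $p.LDAPServerIntegrity } else { 'not set (OS default)' }
        LdapEnforceChannelBinding = if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 'not set (OS default)' }
    }
}

function Enable-LdapInterfaceAuditing {
    # "16 LDAP Interface Events" = 2 makes the DC log event 2889 for each unsigned SASL bind
    # or cleartext simple bind, plus event 2887 as a 24-hour summary (Microsoft advisory ADV190023).
    Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapClients {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed field order of the 2889 event template: client IP:port, identity, binding type.
            [pscustomobject]@{
                Client   = $_.Properties[0].Value
                Identity = $_.Properties[1].Value
                BindType = if ($_.Properties[2].Value -eq 1) { 'cleartext simple bind' } else { 'unsigned SASL bind' }
            }
        } |
        Group-Object Client, Identity, BindType -NoElement |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Set-LdapSigningRequired {
    # Re-enforce only when Get-UnsignedLdapClients comes back empty: 2 = "Require signing" in the GPO.
    Set-ItemProperty -Path "$ntds\Parameters" -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
}

# Usage: inspect, start auditing, then check the inventory again after a full day of production traffic.
Get-DcLdapPolicy
Enable-LdapInterfaceAuditing
Get-UnsignedLdapClients -Hours 24 | Format-Table -AutoSize
```

The inventory is the step that turns "LDAPS only" from a slogan into a safe change: each row is an application or service account that will break the moment `Set-LdapSigningRequired` runs, so fix those first (LDAPS, StartTLS, or a signed SASL bind), then enforce.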