Event ID 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: “Value” Identity the client attempted to authenticate as: “Value”
Disable diagnostic logging if it is no longer needed
Diagnostic logging for LDAP Interface Events was enabled. This setting is useful if you want to determine which client computers are using unsigned or simple LDAP binds. However, it has a negative effect on domain controller performance, and it should be disabled when it is no longer needed.
Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on the domain controller on which you want to perform diagnostic logging.
To disable diagnostic logging for LDAP Interface Events:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- After you have determined the client computers that are attempting to perform unsigned binds, you can disable the diagnostic logging for LDAP Interface Events by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0
- Type Y, and then press ENTER to confirm the settings overwrite, which will disable diagnostic logging for LDAP Interface Events.
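Before disabling the logging, it helps to keep a record of which clients generated Event ID 2889. The following PowerShell script is an added example, not part of the original article: it summarizes the events by client and identity, saves the list, and reports the current diagnostic level. The 24-hour window, the output file name, and the position of the two values inside each event record are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the domain controller.
$since   = (Get-Date).AddHours(-24)        # assumed review window
$outFile = '.\ldap-2889-clients.csv'       # assumed output path
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$name    = '16 LDAP Interface Events'

# Pull every 2889 event in the window; an empty result is not an error here.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = $since
} -ErrorAction SilentlyContinue

# Assumption: insertion string 0 is the client "IP:port" and string 1 is the
# identity, matching the two values shown in the event text. Confirm against
# one sample event before relying on the output.
$clients = foreach ($e in $events) {
    [pscustomobject]@{
        ClientIP = ([string]$e.Properties[0].Value) -replace ':\d+$', ''  # drop source port
        Identity = [string]$e.Properties[1].Value
        Time     = $e.TimeCreated
    }
}

# One row per client/identity pair, busiest first, with the last time it was seen.
$summary = $clients | Group-Object ClientIP, Identity | ForEach-Object {
    [pscustomobject]@{
        ClientIP = $_.Group[0].ClientIP
        Identity = $_.Group[0].Identity
        Binds    = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Binds -Descending

if ($summary) {
    $summary | Format-Table -AutoSize
    $summary | Export-Csv -Path $outFile -NoTypeInformation
} else {
    "No Event ID 2889 entries since $since."
}

# Report the current diagnostic level; 0 means logging is already disabled.
$level = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Current '$name' level: $level"
```

Running the script again after the Reg Add command should report a level of 0.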
For additional information about Active Directory diagnostic logging, see article 314980 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=145021).