This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS). For more information, see https://support.microsoft.com/help/4034879 . Some important points: * Before configuring this setting to "Enabled, always," all clients must have installed the security update described in CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563).

[Never/When Supported/Always]

(1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters!LdapEnforceChannelBinding