Several of my professional services customers who have configured their corporate domains in Zimbra to do Active Directory authentication have observed AD authentication stops working when they have upgraded their domain controllers and their domain's functional level to Windows Server 2025.
This is because of a GPO in Windows Server 2025 "Domain Controller: LDAP server signing requirements Enforcement" that is turned on.
Zimbra, as a Windows LDAP client, currently does not do data signing, where such data signing adds a cryptographic signature to each LDAP message using shared session keys. Allegedly, Windows supports signing via Kerberos, NTLM, or GSS-API.
Zimbra has created ZRFE-1978 to address this issue; it's not yet available in the Support Portal Bug Lookup, but should be soon.
It seems that signing these communications is a low-overhead way to prevent LDAP session hijacking and data tampering. You wouldn't think this would be an issue behind a corporate firewall, but I have too often found local networks to be as polluted with compromised devices as the open Internet.
Anyway... If your customer or company is doing AD authentication and you are planning to upgrade to Windows Server 2025, I'd suggest opening a Support Case with Zimbra now, to help prioritize getting ZRFE-1978 addressed sooner, and also to get the latest details on how to modify the relevant Windows Server 2025 GPO(s) to avoid breaking AD Authentication in the interim.
Hope that helps,
Mark
Active Directory Domain Authentication With Windows Server 2025 - ZRFE-1978
- L. Mark Stone
- Ambassador

- Posts: 2908
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.13 Network Edition
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
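
An added example, not part of the post above and not Zimbra's own tooling: an inventory of which domains use external AD/LDAP authentication and how that bind is transported, flagging plain `ldap://` without StartTLS, which is the case a domain controller that requires LDAP signing refuses for simple binds. It assumes the `# name <domain>` plus `attr: value` layout printed by `zmprov gd <domain> zimbraAuthMech zimbraAuthLdapURL zimbraAuthLdapStartTlsEnabled`; the domains and hosts in the sample are constructed.

```shell
#!/bin/sh
# Reads zmprov-style domain attribute dumps on stdin (assumed layout, see lead-in)
# and prints one line per domain: <domain> <authMech> <CLEARTEXT|TLS|NO-URL|N/A>
classify_ad_auth() {
  awk '
    function emit() {
      if (dom == "") return
      if (mech != "ad" && mech != "ldap") st = "N/A"        # not external LDAP auth
      else if (urls == 0) st = "NO-URL"                     # mech set, no URL configured
      else if (plain > 0 && starttls != "TRUE") st = "CLEARTEXT"
      else st = "TLS"                                       # ldaps:// or StartTLS
      printf "%s %s %s\n", dom, (mech == "" ? "-" : mech), st
    }
    /^# name / { emit(); dom = $3; mech = ""; starttls = ""; urls = 0; plain = 0; next }
    /^zimbraAuthMech:/ { mech = $2 }
    /^zimbraAuthLdapStartTlsEnabled:/ { starttls = $2 }
    /^zimbraAuthLdapURL:/ {
      # The attribute is multi-valued; also accept several URLs on one line.
      for (i = 2; i <= NF; i++) { urls++; if (tolower($i) ~ /^ldap:\/\//) plain++ }
    }
    END { emit() }
  '
}

# Constructed sample input (not real domains or hosts).
sample_input() {
  cat <<'EOF'
# name corp.example
zimbraAuthLdapURL: ldap://dc1.corp.example:3268
zimbraAuthMech: ad

# name tls.example
zimbraAuthLdapURL: ldaps://dc1.tls.example:3269
zimbraAuthMech: ad

# name starttls.example
zimbraAuthLdapStartTlsEnabled: TRUE
zimbraAuthLdapURL: ldap://dc1.starttls.example:389
zimbraAuthMech: ad

# name local.example
zimbraAuthMech: zimbra
EOF
}

sample_input | classify_ad_auth
```

On a live server the same function can be fed the `zmprov gd` output for each domain instead of `sample_input`.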