Why does Active Directory synchronization not work on Windows Server 2025 when using LDAP?

Modified on Thu, 29 Jan at 11:04 AM

Due to Windows default settings, this issue only occurs in Windows Server 2025 environments.


Issue

When LDAP is used without TLS and you attempt to synchronize users from Active Directory using Active Directory Sync in the Rublon Authentication Proxy, the synchronization fails and the following error appears in the logs:


2025-12-16 18:55:02,383 - ERROR   - Error occurred while synchronizing users. Error was: ConnectionError('Could not bind to the host: 10.22.10.47. Error was: ', {'result': 8, 'description': 'strongerAuthRequired', 'dn': '', 'message': '00002028: LdapErr: DSID-0C09035C, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v65f4\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'})


Reason

Windows Server 2025 enforces LDAP signing by default, so an unsigned bind on a connection without TLS is rejected, even on port 389.
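
To find this failure in a proxy log and tell it apart from other bind errors, the following added example (not Rublon's code) reads the logged bindResponse back and filters on LDAP result code 8. The function names, the assumed line layout and the second sample line are constructed for illustration.

```python
import ast
import re

# Constructed sample log. Line 1 is the error quoted in this article;
# line 2 is a made-up bad-password failure (192.0.2.10 is a documentation address).
SAMPLE_LOG = r"""
2025-12-16 18:55:02,383 - ERROR   - Error occurred while synchronizing users. Error was: ConnectionError('Could not bind to the host: 10.22.10.47. Error was: ', {'result': 8, 'description': 'strongerAuthRequired', 'dn': '', 'message': '00002028: LdapErr: DSID-0C09035C, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v65f4\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'})
2025-12-16 18:56:10,101 - ERROR   - Error occurred while synchronizing users. Error was: ConnectionError('Could not bind to the host: 192.0.2.10. Error was: ', {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'})
"""

# Assumed layout: "<date> <time> - ERROR - ... host: H. Error was: ', {bindResponse})"
BIND_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - ERROR\s+- .*?Could not bind to the host: "
    r"(?P<host>\S+?)\. Error was: ', (?P<resp>\{.*\})\)\s*$"
)

def parse_bind_failure(line):
    """Return the bind failure recorded on one log line, or None."""
    m = BIND_RE.match(line.strip())
    if not m:
        return None
    try:
        # The bindResponse is logged as a Python dict repr, so literal_eval
        # can read it back without evaluating any code.
        resp = ast.literal_eval(m.group("resp"))
    except (ValueError, SyntaxError):
        return None
    if not isinstance(resp, dict):
        return None
    return {
        "time": m.group("ts"),
        "host": m.group("host"),
        "result": resp.get("result"),
        "description": resp.get("description"),
        "message": (resp.get("message") or "").rstrip("\x00"),
    }

def signing_rejections(log_text):
    """Bind failures where the DC demanded signing or TLS (LDAP result 8)."""
    events = (parse_bind_failure(l) for l in log_text.splitlines())
    return [e for e in events
            if e and e["result"] == 8 and e["description"] == "strongerAuthRequired"]

if __name__ == "__main__":
    for e in signing_rejections(SAMPLE_LOG):
        print(f"{e['time']} {e['host']}: unsigned bind rejected; use LDAPS. {e['message']}")
```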


Solution

The recommended solution is to switch to LDAPS for better security.


If it is not possible to switch to LDAPS, the solution is to disable LDAP Signing:


1. Select Start → Run, type mmc.exe, and then select OK.


2. Go to Default Domain Controller Policy (or Local Computer Policy or Default Domain Policy, depending on configuration) → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.


3. Find and set:

Domain controller: LDAP server channel binding token requirements: "When Supported"

Domain controller: LDAP server signing requirements: "None"

Domain controller: LDAP server signing requirements Enforcement: "Disabled"

Network security: LDAP client encryption requirements: "Negotiate Sealing"

Network security: LDAP client signing requirements: "Negotiate Signing"


Helpful Links

Microsoft Learn - Issue with LDAP on Windows Server 2025

Microsoft Learn - How to configure the directory to require LDAP server signing for AD DS
