Microsoft forces secure connections to Domain Controller from March onwards


In March, Microsoft will suppress insecure connection requests to Windows domain controllers. This change was announced in August. NoSpamProxy customers can sit back and relax: they only have to check the Active Directory synchronization of NoSpamProxy, if they have not already done so. Where necessary, firewall ports will have to be adjusted.

What needs to be changed in NoSpamProxy?

The connections to Active Directory are maintained under People and Identities > Domains and Users. By default, the connections to the domain controller are unencrypted. To activate encryption, select the checkbox “Enable encryption (recommended)” in the properties of the automatic user import on the “Active Directory Connection” tab. From then on, all connections to the domain controller will be encrypted. If there is a firewall between the server with the intranet role and the domain controller, ports may have to be adapted. Please use the following table as a guide to which ports are used with which settings:

| Server selection | Unencrypted | Encrypted |
| --- | --- | --- |
| Auto-discover and use a global catalog server | 3268 TCP | 3269 TCP |
| Auto-discover and use a standard domain controller | 389 TCP | 636 TCP |
| Use a specific domain controller | 389 TCP | 636 TCP |
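
The following PowerShell check is an added example, not part of the original article and not NoSpamProxy code. Run from the server with the intranet role, it tests whether the encrypted port from the table is reachable through the firewall and whether the domain controller completes a TLS handshake with a certificate that server trusts. The host name `dc01.example.test` and the function name `Test-LdapsEndpoint` are assumptions.

```powershell
# Added example. dc01.example.test is a placeholder; use your own domain controller's FQDN.
param(
    [string]$DomainController = 'dc01.example.test',
    [ValidateSet('GlobalCatalog', 'DomainController')]
    [string]$ServerSelection = 'DomainController'
)

# Ports taken from the table above, keyed by server selection.
$ports = @{
    GlobalCatalog    = @{ Unencrypted = 3268; Encrypted = 3269 }
    DomainController = @{ Unencrypted = 389;  Encrypted = 636 }
}
$port = $ports[$ServerSelection].Encrypted

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)

    $result = [ordered]@{
        Host = $HostName; Port = $Port; TcpOpen = $false; TlsOk = $false
        Protocol = $null; Subject = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: firewall check. Is the encrypted port reachable at all?
        $connect = $client.ConnectAsync($HostName, $Port)
        if (-not $connect.Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $result.TcpOpen = $true

        # Step 2: TLS handshake using the default certificate validation
        # (trusted chain, and the certificate must match $HostName).
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.TlsOk    = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    }
    catch { $result.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Close() }
    [pscustomobject]$result
}

Test-LdapsEndpoint -HostName $DomainController -Port $port
```

`TcpOpen = False` points to a firewall or listener problem; `TcpOpen = True` with `TlsOk = False` means the port is open but the domain controller's certificate is missing, expired, untrusted, or does not match the host name used.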

Further information on the modification

If you need more information and background on the upcoming change, please visit Frank Carius's website, where you will find a comprehensive article (German only).