LDAPS – EWS Free Area

🔐 Why You Cannot “Switch Exchange to LDAPS (636)” — and Why You Don’t Need To

Why Exchange cannot use LDAPS (636) — and why it doesn’t need to. Auditors often require “LDAPS everywhere,” but Exchange relies on LDAP over SASL (Kerberos/NTLM), which already provides encryption and integrity via signing/sealing on ports 389/3268. No plaintext data is ever transmitted. This post explains the architectural reasons, shows packet captures, and provides a…

November 26, 2025

🔐 Why You Cannot “Switch Exchange to LDAPS (636)” — and Why You Don’t Need To