Microsoft is releasing a security update (ADV190023) with below changes to Active Directory Domain Controllers.
Important! The March 10, 2020 and Microsoft updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.

1. Enable LDAP channel binding
2. Enable LDAP signing 

For more details on the Microsoft update please refer to below link:

• https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536

• LDAP Channel Binding: There is no behaviour difference in ADC/Gateway due to this change.
• LDAP Server Signing: ADC works fine over SSL/636 and TLS/389. However, ADC/Gateway authentication is getting rejected over plaintext/389

 “Dec 16 10:00:54 <local1.info> ns [1277]: (1-414) ns_show_ldap_err_string: LDAP error string: <<00002028: LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580>>                                                      Dec 16 10:00:54 <local1.info> ns [1277]: (1-414) ns_ldap_check_result: LDAP action failed (error 8): Strong(er) authentication required”

• CLI Command O/P for LdapProfile on Citrix ADC/Gateway:
  • set  authentication ldapAction ldapssl -serverIP 10.102.229.87 -serverPort 636 -secType SSL 
    • Or
  • set authentication ldapAction ldapssl -serverIP 10.102.229.87 -serverPort 389 -secType TLS 
• GUI Command O/P for LdapProfile on Citrix ADC/Gateway