Web Active Directory products often talk to Active Directory. These communications are secured using a programatically-created secure, signed and sealed channel. This means that all requests to and from Web Active Directory applications and Active Directory use tamper-proof Kerberos data encryption and Kerberos/NTLM authentication for the Active Directory bind account.
Review the information below for details on the communication channel security implementation. Communication goes over port 389 and not 636 (LDAPS…LDAP over SSL) and does not require a certificate, simplifying deployment while maintaining channel integrity.
Secure: Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client.
Signing: Verifies data integrity to ensure that the data received is the same as the data sent.
Sealing: Encrypts data using Kerberos.
Check out the AuthenticationTypes Enumeration Microsoft Knowledge Base article at https://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes.aspx for more information about these options and how it secures the communication channel from Web Active Directory applications to Active Directory.
To use LDAPS (LDAP over SSL) on port 636, you need to install a certificate. Check out http://support.microsoft.com/kb/321051 for instructions to do this with Active Directory.