Microsoft LDAP Channel Binding

Bernd Eckenfels ecki at
Wed Dec 18 22:11:37 UTC 2019


As I understand it, it is about the Extended Protection for Integrated Windows Authentication (probably only GSSAPI/Kerberos and GSS-SPNEGO/SSPCred which is not a OpenJDK mechanism).

 In this case it includes Channel binding tokens into the subject information. CBT are not per-se TLS specific, however for traffic in TLS channels they do bind to the TLS session or to the endpoint.

Some projects have implemented channel binding for IIS or WinRm already, for example here is a good discussion:


Von: Michael Osipov <1983-01-06 at>
Gesendet: Mittwoch, Dezember 18, 2019 6:37 PM
An: Bernd Eckenfels; security-dev at
Betreff: Re: Microsoft LDAP Channel Binding

Am 2019-12-18 um 04:29 schrieb Bernd Eckenfels:
> Hello,
> Microsoft just released an Security Advisory, announcing that upcoming Windows Server Versions will turn on mandatory TLS Channel Binding (and turn off simple binds with mandatory SASL signing) on LDAP Servers.

Another question here, typically Microsoft: What makes you think that
this is TLS channel binding? All I see is LDAP channel binding for which
I fail to find any technical documentation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list