Microsoft LDAP Channel Binding

Bernd Eckenfels ecki at
Sat Dec 21 21:15:30 UTC 2019


I have been able to set-up a Windows 2019 Domain, so I did some testing with simple and disgest-MD5. As expected both will be rejected when the integritylevel=2 is set.

For Digest-md5 it is enough to request Auth-int with AD to get over this check (funny enough it seems to not sign requests only the login).

Here is some sample code and sample output:

(The password used was not the one shown).

BTW: in order to use DIGEST-MD5 with a AD user the user's password "encryption" must be configured to be reversible (and a new password must be set).

Next will be testing with TLS (and channel binding) once I get the LDAP certificate set up for this.

Von: Michael Osipov <1983-01-06 at>
Gesendet: Mittwoch, Dezember 18, 2019 6:37 PM
An: Bernd Eckenfels; security-dev at
Betreff: Re: Microsoft LDAP Channel Binding

Am 2019-12-18 um 04:29 schrieb Bernd Eckenfels:
> Hello,
> Microsoft just released an Security Advisory, announcing that upcoming Windows Server Versions will turn on mandatory TLS Channel Binding (and turn off simple binds with mandatory SASL signing) on LDAP Servers.

Another question here, typically Microsoft: What makes you think that
this is TLS channel binding? All I see is LDAP channel binding for which
I fail to find any technical documentation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list