LDAP Channel Binding

Bernd Eckenfels ecki at zusammenkunft.net
Thu Jan 16 10:32:23 UTC 2020


Hello,

Some updates:

Microsoft moved their automatic update of the LDAP policies in Windows Server updates to March 2020 (but still recommend activating it earlier).

And I did some tests: when you turn on mandatory LDAP signing, then simple binds or DIGEST-MD5 binds over LDAP are rejected by NTDS. Both work over ldaps: (implicit TLS, did not check STARTTLS). DIGEST-MD5 without TLS is also possible, but you have to request qop=auth-int. (Side note: AD will reject DIGEST-MD5 with auth-int over TLS.) I did not test GSSAPI or SPNEGO yet.

The mandatory LDAP channel binding does not seem to cause a problem/change. I suspect it only applies to Kerberos or NTLM, which I still need to test.

Regards
Bernd

PS: testcode https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0


--
http://bernd.eckenfels.net
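The two bind configurations the test results above describe as still working under mandatory LDAP signing, written out as a JNDI client. This is an added example, not the gist linked in the message; the DC host name, user, DN and password are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class SignedLdapBinds {
    // Placeholder DC, user and password (assumed values): replace before running.
    static final String DC_HOST = "dc.example.test";
    static final String USER = "jsmith";  // sAMAccountName, used for DIGEST-MD5
    static final String USER_DN = "CN=jsmith,CN=Users,DC=example,DC=test";
    static final String PASSWORD = "placeholder-password";

    /** DIGEST-MD5 over plain ldap://, with qop=auth-int so the SASL layer signs every PDU. */
    static Hashtable<String, String> digestMd5WithIntegrity() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + DC_HOST + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, USER);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        // Without auth-int the DC rejects this bind once signing is mandatory.
        env.put("javax.security.sasl.qop", "auth-int");
        return env;
    }

    /** Simple bind over implicit TLS (ldaps://); the TLS session satisfies the signing requirement. */
    static Hashtable<String, String> simpleBindOverLdaps() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + DC_HOST + ":636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, USER_DN);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        return env;
    }

    static void tryBind(String label, Hashtable<String, String> env) {
        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println(label + ": bind OK as " + ctx.getNameInNamespace());
            ctx.close();
        } catch (NamingException e) {
            // An unsigned bind rejected by the DC surfaces here (LDAP result code 8, strongerAuthRequired).
            System.out.println(label + ": bind failed: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        tryBind("DIGEST-MD5 auth-int over ldap", digestMd5WithIntegrity());
        tryBind("simple bind over ldaps", simpleBindOverLdaps());
    }
}
```

Running the first configuration without the `javax.security.sasl.qop` line is the quickest way to confirm that the DC really enforces signing.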



On Wed, Dec 18, 2019 at 4:17 AM +0100, bernd-2019 at eckenfels.net wrote:

Hello,

Microsoft just released a Security Advisory, announcing that upcoming Windows Server versions will turn on mandatory TLS channel binding (or signing) on LDAP servers. They also remind administrators to install the KB patch and turn it on.

Do you have experiences with this, will Java (8) work with the setting of "mandatory is supported" (1) and/or "mandatory" (2) for this key, and if not what is the plan here?

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

Regards
Bernd
--
http://bernd.eckenfels.net