LDAP Channel Binding
Bernd Eckenfels
ecki at zusammenkunft.net
Thu Jan 16 10:32:23 UTC 2020
Hello,
Some updates:
Microsoft moved their automatic update of the LDAP policies in Windows Server updates to March 2020 (but still recommend activating it earlier).
And I did some tests: when you turn on the mandatory LDAP Signing, then simple binds or DIGEST-MD5 binds over LDAP are rejected by NTDS. Both work over ldaps: (implicit TLS, did not check STARTTLS). DIGEST-MD5 without TLS is also possible, but you have to request qop=auth-int. (Side note: AD will reject DIGEST-MD5 with auth-int over TLS.) I did not test GSSAPI or SPNEGO yet.
The mandatory LDAP channel binding does not seem to cause a problem/change. I suspect it only applies to Kerberos or NTLM, which I still need to test.
Regards
Bernd
PS: testcode https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0
--
http://bernd.eckenfels.net
On Wed, Dec 18, 2019 at 4:17 AM +0100, <bernd-2019 at eckenfels.net> wrote:
Hello,
Microsoft just released a Security Advisory, announcing that upcoming Windows Server versions will turn on mandatory TLS Channel Binding (or signing) on LDAP Servers. They also remind Administrators to install the KB patch and turn it on.
Do you have experiences with this, will Java (8) work with the setting of "mandatory is supported" (1) and/or "mandatory" (2) for this key, and if not what is the plan here?
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
Regards
Bernd
--
http://bernd.eckenfels.net
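An added JNDI example (not the gist linked in the thread and not OpenJDK code) that exercises the bind variants reported above against a domain controller; the host name, account DN and password are placeholders, and which of the four attempts succeeds depends on the DC's LDAP signing policy.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

// Placeholders only: host, account and password are assumptions, not values from the thread.
public class LdapSigningCheck {
    interface Bind { void run() throws NamingException; }

    static Hashtable<String, Object> baseEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    // Simple bind: a DC enforcing LDAP signing rejects this over ldap://,
    // but accepts it over ldaps:// because implicit TLS supplies the protected channel.
    static void simpleBind(String url, String dn, String password) throws NamingException {
        Hashtable<String, Object> env = baseEnv(url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        new InitialDirContext(env).close();
    }

    // DIGEST-MD5 over plain ldap://: the SASL qop decides whether an integrity layer
    // is negotiated; "auth-int" is the setting that satisfies the signing requirement.
    static void digestMd5Bind(String url, String user, String password, String qop) throws NamingException {
        Hashtable<String, Object> env = baseEnv(url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("javax.security.sasl.qop", qop); // JNDI forwards javax.security.sasl.* to the SASL client
        new InitialDirContext(env).close();
    }

    static String attempt(String label, Bind b) {
        try { b.run(); return label + ": bind OK"; }
        catch (NamingException e) { return label + ": rejected (" + e.getMessage() + ")"; }
    }

    public static void main(String[] args) {
        String dc = "dc01.example.test";                   // placeholder domain controller
        String dn = "CN=svc,CN=Users,DC=example,DC=test";  // placeholder account DN
        String user = "svc", pw = "placeholder-password";  // placeholder credentials
        System.out.println(attempt("simple ldap://", () -> simpleBind("ldap://" + dc + ":389", dn, pw)));
        System.out.println(attempt("simple ldaps://", () -> simpleBind("ldaps://" + dc + ":636", dn, pw)));
        System.out.println(attempt("DIGEST-MD5 qop=auth", () -> digestMd5Bind("ldap://" + dc + ":389", user, pw, "auth")));
        System.out.println(attempt("DIGEST-MD5 qop=auth-int", () -> digestMd5Bind("ldap://" + dc + ":389", user, pw, "auth-int")));
    }
}
```

Comparing the output with the LDAPServerIntegrity setting on the DC shows which client configurations need to change before the policy is enforced.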