<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div>
<div dir="ltr">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
Hello,</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
I have been able to set up a Windows 2019 Domain, so I did some testing with simple and Digest-MD5. As expected, both will be rejected when integritylevel=2 is set. </div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
For Digest-MD5 it is enough to request Auth-int with AD to get over this check (funny enough, it seems to not sign requests, only the login).</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
Here is some sample code and sample output:</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<a href="https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0">https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0</a></div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
(The password used was not the one shown).</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
BTW: in order to use DIGEST-MD5 with an AD user, the user's password "encryption" must be configured to be reversible (and a new password must be set).</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
<br>
</div>
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); text-align: left;" dir="ltr">
Next will be testing with TLS (and channel binding) once I get the LDAP certificate set up for this.</div>
<div id="ms-outlook-mobile-signature">
<div style="direction: ltr;">-- </div>
<div style="direction: ltr;">http://bernd.eckenfels.net</div>
</div>
</div>
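<div dir="ltr">
A minimal JNDI client illustrating the behaviour described above, added here as an example; it is not the code in the linked gist. It attempts a DIGEST-MD5 bind once with qop=auth and once with qop=auth-int, so a domain controller that requires LDAP signing (integritylevel=2) can be checked to reject the first and accept the second. Host, realm, account name and the password environment variable are placeholders.
</div>

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
public class DigestMd5SigningCheck {
    // Placeholders: replace with the real domain controller, realm and test account.
    static final String LDAP_URL = "ldap://dc1.example.test:389";
    static final String REALM    = "EXAMPLE.TEST";
    static final String USER     = "testuser";   // sAMAccountName of the test account
    static final String PASSWORD = System.getenv("LDAP_TEST_PASSWORD");
    /** Builds a JNDI environment that requests the given SASL qop ("auth" or "auth-int"). */
    static Hashtable<String, String> environment(String qop) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, USER);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        env.put("java.naming.security.sasl.realm", REALM);
        // "auth" = authentication only; "auth-int" = also negotiate a SASL integrity
        // (signing) layer, which is what a DC that requires LDAP signing insists on.
        env.put("javax.security.sasl.qop", qop);
        return env;
    }
    /** Binds and reads one root DSE attribute; returns true if both succeed. */
    static boolean bindAndSearch(String qop) {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(environment(qop));
            ctx.getAttributes("", new String[] {"defaultNamingContext"});
            return true;
        } catch (NamingException e) {
            System.out.println("qop=" + qop + " rejected: " + e);
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
    public static void main(String[] args) {
        for (String qop : new String[] {"auth", "auth-int"}) {
            System.out.println("qop=" + qop + " -> "
                + (bindAndSearch(qop) ? "accepted" : "rejected"));
        }
    }
}
```

<div dir="ltr">
On a DC with signing required, the qop=auth bind is expected to be rejected and the qop=auth-int bind to succeed; run it against a test domain only, with the account's password stored reversibly as noted in the mail.
</div>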
<div> </div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif"><b>From:</b> Michael Osipov <1983-01-06@gmx.net><br>
<b>Sent:</b> Wednesday, December 18, 2019 6:37 PM<br>
<b>To:</b> Bernd Eckenfels; security-dev@openjdk.java.net<br>
<b>Subject:</b> Re: Microsoft LDAP Channel Binding
<div> </div>
</font></div>
On 2019-12-18 at 04:29, Bernd Eckenfels wrote: <br>
> Hello, <br>
> <br>
> Microsoft just released a Security Advisory, announcing that upcoming Windows Server versions will turn on mandatory TLS Channel Binding (and turn off simple binds with mandatory SASL signing) on LDAP servers.
<br>
<br>
Another question here, typically Microsoft: What makes you think that <br>
this is TLS channel binding? All I see is LDAP channel binding for which <br>
I fail to find any technical documentation. <br>
<br>
Michael <br>
</div>
</body>
</html>