-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to connect when LDAP Channel Binding is enabled #339
Comments
Hi! |
We've been trying to make this work as well. We use GSS-SPNEGO and code that looks like this:
Using the default Type1 flags (Net::NTLM::Message::Type1.new), it does not work. If I manipulate the flags, I can get it to be successful when I ask for sign and seal, but when watching it on wireshark, I don't see how it is any different than the default flags. I have yet to require channel binding and test it however: |
I will also try your code. Microsoft enforce channel binding or ldaps with the KB of march 2020. |
I have the same issue |
According the documentation here : https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-invalidCredentials
|
I have done the implementation of the It's work for me with default AD settings. |
To handle the channel binding you can use Net::NTLM::Client, it creates type3 message using challenge(type2) and channel binding. ntlm_client = Net::NTLM::Client.new(user, pass, {domain: "XYZ"}) |
@raj-sharan could you please "beautify" your code example? |
I tried If on LDAP server-side, configuration flag But, according to Microsoft recommendations BTW, Is SSL/TLS config mandatory for ChannelBinding? Should it work without SSL certificates? Using Ldap::Client these encryption options etc:
|
Thanks for this comment, I don't have time this week to fix the |
Channel binding is an SSL/TLS concept only.
LDAP signing and sealing is a non-secure only concept too.
…On Thu, Jun 18, 2020 at 3:26 AM Bohdan Malets ***@***.***> wrote:
I tried ruby-net-ldap-gss-spnego gem, but it does not fully work for me:
If on LDAP server-side, configuration flag EnforceChannelBinding is set
to 1 -
authentication using "ruby-net-ldap-gss-spnego" adapter works fine.
But, according to Microsoft recommendations
<https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry>
EnforceChannelBinding value should be changed to 2.
In this case, authentication is broken: LDAP server returns "LDAP
Error-code: 49 (Invalid Credentials)" without more details
BTW, Is SSL/TLS config mandatory for ChannelBinding? Should it work
without SSL certificates? Using Ldap::Client these encryption options etc:
encryption: {
method: :timple_tls,
tls_options: {verify_mode: OpenSSL::SSL::VERIFY_NONE}
}
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#339 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACXAZGT23B2NCDTPH7QLRTRXHTTRANCNFSM4J33PZEA>
.
|
As Channel binding is an SSL/TLS concept only - I added SSL/TLS settings to my LDAP configurations. require 'net/ldap'
require 'net/ldap/auth_adapter/gss_spnego'
ldap_options = {
hosts: [
['ldap_hostname.lan', 636]
],
base: 'DC=ldap_hostname,DC=lan',
encryption: {
method: :simple_tls,
tls_options: {
ca_file: '/full/path/to/cert.pem',
ssl_version: 'TLSv1_2'
}
},
auth: {
auth_method: 'GSS-SPNEGO',
username: 'bmalets', # username, not DN
password: 'password'
}
}
ldap = Net::LDAP.new(ldap_options)
# When LDAP server registry settings are:
# LDAPServerIntegrity = 2 (Always sign (Level 2))
# LdapEnforceChannelBinding = 1 (DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.)
ldap.bind
ldap.get_operation_result # => 0. Success
# When LDAP server registry settings are:
# LDAPServerIntegrity = 2 (Always sign (Level 2))
# LdapEnforceChannelBinding = 2 (DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.)
ldap.bind
ldap.get_operation_result # => Error-code: 49. Invalid Credentials |
@bmalets, You should try this
|
LDAPServerIntegrity and LdapEnforceChannelBinding are mutually
exclusive. The reason your example didn't work is you changed
LdapEnforceChannelBinding from 1 to 2. If you repeat that test with
only changing LDAPServerIntegrity from 1 to 2 but leaving
LdapEnforceChannelBinding at 1, it will work and prove that
LDAPServerIntegrity doesn't matter when using SSL/TLS (which is what
MS says is the case).
…On Mon, Jun 22, 2020 at 3:52 AM Bohdan Malets ***@***.***> wrote:
More detailed example when signing and binding don't want to work together:
require 'net/ldap'require 'net/ldap/auth_adapter/gss_spnego'
ldap_options = {
hosts: [
['ldap_hostname.lan', 636]
],
base: 'DC=ldap_hostname,DC=lan',
encryption: {
method: :simple_tls,
tls_options: {
ca_file: '/full/path/to/cert.pem',
ssl_version: 'TLSv1_2'
}
},
auth: {
auth_method: :gss_spnego,
username: 'bmalets' # username, not DN
password: 'password'
}}
ldap = Net::LDAP.new(ldap_options)
# When LDAP server registry settings are:# LDAPServerIntegrity = 2 (Always sign (Level 2))# LdapEnforceChannelBinding = 1 (DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.)
ldap.bindldap.get_operation_result # => 0. Success
# When LDAP server registry settings are:# LDAPServerIntegrity = 2 (Always sign (Level 2))# LdapEnforceChannelBinding = 2 (DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.)
ldap.bindldap.get_operation_result # => Error-code: 49. Invalid Credentials
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#339 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACXAZH7V2CLWTXSMJWWVYDRX4ZYLANCNFSM4J33PZEA>
.
|
@smlsml, thank you for your answer. I got only one page about MS update recommendations with this message:
But LDAP server that I am trying to connect is MS 2012, so it definitely does not affect my case. So, "49. Invalid Credentials" response is an expected behavior when
Is it correct? 🤔 |
Trying to connect to AD by enforcing the LDAP Channel Binding ()
Ending up with the below error
The text was updated successfully, but these errors were encountered: