RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

[Dean Wells]

Title: Message

LOL! -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, March 26, 2005 10:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2 So, joe and Joe – is this indisputable truth that we’ve been looking for that NTLM is a required part of the Kerberos authentication process?   :-D    (Joe, just ask joe….. trust me…..)   -rtk   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 25, 2005 2:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2   Exactly. Since I can't find documentation on this anywhere, I feel it should firmly go into the classification of BUG.     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 25, 2005 1:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2 That is exactly what I saw as well.  Using the IP address kills off the ability to use Kerberos, forcing SNEGO to NTLM, and then the whole connection is encrypted after that even though I did not specific LDAP_OPT_ENCRYPT.   Joe K.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, March 24, 2005 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2   I can do better for you...   Fire up ethereal with a capture filter of tcp port 389   Open LDP   o type in a DC name and click OK o Type in your bind info and bind o Click on view|tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)   Look at the trace, you should note that the traffic on the tree view is all clear text   Now do the same but use an IP address of the DC.   Traffic should be all encoded/encrypted.     This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.