Title: Message

File a DCR if you'd like that going forward, but today you can't.

Sorry.

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 9:36 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

 

I don't believe I have any signing enabled on the test box I'm trying this on. All GPO settings for signing and encryption are off.

 

I will doublecheck it all though.

 

Seems like you should be able to disable this per connection with a control.

 

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 12:25 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

If you get NTLM authentication and you’ve requested signing (which is the default) you’ll find the traffic is encrypted.

 

It is encrypting because it appears to have ldapclientintegrity set (thanks to the wldap32 dev that told me that, I didn’t see it).

If you don’t want to encrypt, flip this value. But note that this will decrypt all such connections on the box, so this is not recommended.

 

~Eric
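
A check a defender would want after reading this, as an added example that is not part of the thread: a PowerShell function that reads the wldap32 client-integrity setting Eric refers to as ldapclientintegrity and reports whether it has been weakened. The registry location and the 0/1/2 value meanings are those of the Windows policy "Network security: LDAP client signing requirements"; the assumption that an absent value behaves like the default of 1 is mine, as is the parameter name.

```powershell
# Added example (not from the thread): audit the wldap32 client signing default
# that the thread calls "ldapclientintegrity". The registry location and value
# meanings are those of the policy "Network security: LDAP client signing
# requirements".
function Get-LdapClientIntegrity {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: registry path holding the LDAP client settings.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    )

    $meaning = @{
        0 = 'None: no signing negotiated; NTLM-authenticated LDAP traffic is sent in the clear'
        1 = 'Negotiate signing (Windows default): NTLM-authenticated connections end up sealed'
        2 = 'Require signing: the bind fails unless the server agrees to sign'
    }

    $item = Get-ItemProperty -Path $Path -Name 'LDAPClientIntegrity' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: an absent value behaves like the default (1).
        $value  = 1
        $source = 'not set (default applies)'
    } else {
        $value  = [int]$item.LDAPClientIntegrity
        $source = $Path
    }

    [pscustomobject]@{
        Value    = $value
        Source   = $source
        Meaning  = $meaning[$value]
        Weakened = ($value -eq 0)
    }
}

# Usage: run on the host whose LDAP client behaviour you are checking.
$result = Get-LdapClientIntegrity
$result | Format-List
if ($result.Weakened) {
    Write-Warning 'LDAPClientIntegrity is 0: every NTLM LDAP bind from this host is unsigned and unsealed.'
}
```

The value is machine-wide, which is the point Eric makes: lowering it to avoid encryption on one connection exposes every NTLM-authenticated LDAP connection from that host, so an audit that flags 0 is the useful check rather than a per-connection toggle.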

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 26, 2005 7:48 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

 

So, joe and Joe – is this indisputable truth that we’ve been looking for that NTLM is a required part of the Kerberos authentication process?

 

:-D 

 

(Joe, just ask joe….. trust me…..)

 

-rtk

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 25, 2005 2:44 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

 

Exactly. Since I can't find documentation on this anywhere, I feel it should firmly go into the classification of BUG.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 25, 2005 1:16 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I saw as well. Using the IP address kills off the ability to use Kerberos, forcing SPNEGO to NTLM, and then the whole connection is encrypted after that even though I did not specify LDAP_OPT_ENCRYPT.

 

Joe K.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 2:41 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

 

I can do better for you...

 

Fire up ethereal with a capture filter of tcp port 389

 

Open LDP

 

o Type in a DC name and click OK

o Type in your bind info and bind

o Click on view|tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)

 

Look at the trace; you should note that the traffic from the tree view is all clear text.

 

Now do the same but use an IP address of the DC.

 

Traffic should be all encoded/encrypted.