Using ldp.exe and explicitly setting SIGN and ENCRYPT to 0 still results in encrypted traffic. I think this is what you were implying earlier regarding Joe's GPO comments, but I wasn't quite sure. Thus it looks like you can't disable this at all from the client. Can the behavior be changed at the DC?

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

....and that's a good DCR IMHO. But that's just me. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

File a DCR if you'd like that going forward, but today you can't. Sorry.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I don't believe I have any signing enabled on the test box I'm trying this on. All GPO settings for signing and encryption are off. I will double-check it all though. Seems like you should be able to disable this per connection with a control.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

If you get NTLM authentication and you've requested signing (which is the default), you'll find the traffic is encrypted. It is encrypting because it appears to have ldapclientintegrity set (thanks to the wldap32 dev that told me that; I didn't see it). If you don't want to encrypt, flip this value. But note that this will decrypt all such connections on the box, so this is not recommended.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan

So, joe and Joe – is this the indisputable truth that we've been looking for, that NTLM is a required part of the Kerberos authentication process? :-D (Joe, just ask joe..... trust me.....)

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Exactly. Since I can't find documentation on this anywhere, I feel it should firmly go into the classification of BUG.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

That is exactly what I saw as well. Using the IP address kills off the ability to use Kerberos, forcing SPNEGO to NTLM, and then the whole connection is encrypted after that even though I did not specify LDAP_OPT_ENCRYPT.

Joe K.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I can do better for you...

Fire up Ethereal with a capture filter of tcp port 389

Open LDP
o Type in a DC name and click OK
o Type in your bind info and bind
o Click on View|Tree and hit Enter on the empty dialog (you can fill something in if you want, but it is not necessary)

Look at the trace; you should note that the traffic on the tree view is all clear text.

Now do the same but use an IP address of the DC. Traffic should be all encoded/encrypted.

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
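The comparison joe describes (capture tcp port 389, bind by DC name, bind by IP, then look at whether the post-bind traffic is still readable) can be reduced to a byte-level check on each PDU. The following is an added example and is not code from this thread, from ldp.exe or from wldap32: a small Python classifier that takes the TCP payloads of an LDAP connection and reports whether each one is a bare BER LDAPMessage (cleartext), or a SASL security-layer buffer (4-byte big-endian length followed by a GSS-API wrap token) from Kerberos (RFC 4121 token ID 0x05 0x04, Sealed flag 0x02) or NTLM (16-byte NTLMSSP signature, version 0x00000001), and whether the contents are sealed or only signed. The wire layouts, the sample payloads and the XOR stand-in for the NTLM "ciphertext" are all assumptions constructed for the example; nothing here is captured from a DC.

```python
"""Classify LDAP (tcp/389) payloads as cleartext BER LDAPMessages or SASL
security-layer buffers, and for the latter report whether the data is sealed.

Added example; not code from the thread, from ldp.exe or from wldap32.
Wire layouts assumed here:
  cleartext LDAP : BER SEQUENCE (0x30) { INTEGER messageID, [APPLICATION n] op }
  SASL layer     : 4-byte big-endian length || GSS-API wrap token (RFC 4422 3.7)
  Kerberos token : RFC 4121 Wrap, ID 0x05 0x04, flags byte bit 0x02 = Sealed
  NTLM token     : 16-byte NTLMSSP signature (version 0x00000001 LE) then data;
                   the data is still plaintext when only signing was negotiated
"""
import struct

KRB5_WRAP_ID = b"\x05\x04"
KRB5_FLAG_SEALED = 0x02
NTLMSSP_SIG_VERSION = b"\x01\x00\x00\x00"
NTLMSSP_SIG_LEN = 16


def _ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    """Encode one BER TLV; used only to build the constructed samples."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _parse_ber_len(buf, pos):
    """Decode a definite BER length at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):  # indefinite or absurd length
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def looks_like_ldap_message(buf):
    """Strict check for SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] }."""
    if len(buf) < 5 or buf[0] != 0x30:
        return False
    r = _parse_ber_len(buf, 1)
    if r is None:
        return False
    seq_len, pos = r
    end = pos + seq_len
    if end > len(buf) or buf[pos] != 0x02:
        return False
    r = _parse_ber_len(buf, pos + 1)
    if r is None:
        return False
    id_len, pos = r
    if not 1 <= id_len <= 4 or pos + id_len >= end:
        return False
    return (buf[pos + id_len] & 0xC0) == 0x40  # APPLICATION class tag


def classify_payload(payload):
    """Return {'kind': ..., 'sealed': ...} for one complete PDU read off tcp/389."""
    if looks_like_ldap_message(payload):
        return {"kind": "ldap-cleartext", "sealed": False}
    if len(payload) < 4:
        return {"kind": "unknown", "sealed": None}
    (buf_len,) = struct.unpack(">I", payload[:4])
    token = payload[4:4 + buf_len]
    if buf_len == 0 or len(token) != buf_len:
        return {"kind": "unknown", "sealed": None}
    if token.startswith(KRB5_WRAP_ID) and len(token) >= 16:
        return {"kind": "sasl-krb5", "sealed": bool(token[2] & KRB5_FLAG_SEALED)}
    if token.startswith(NTLMSSP_SIG_VERSION) and len(token) > NTLMSSP_SIG_LEN:
        inner = token[NTLMSSP_SIG_LEN:]
        # signed-only NTLM leaves the BER LDAPMessage readable after the signature
        return {"kind": "sasl-ntlm", "sealed": not looks_like_ldap_message(inner)}
    return {"kind": "unknown", "sealed": None}


def summarize(payloads):
    """Count (kind, sealed) pairs across a connection's PDUs."""
    counts = {}
    for p in payloads:
        c = classify_payload(p)
        key = (c["kind"], c["sealed"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def sasl_buffer(token):
    """Wrap a GSS token in the SASL security-layer length prefix."""
    return struct.pack(">I", len(token)) + token


def constructed_samples():
    """Constructed payloads (not captured from a DC) covering each case."""
    # searchRequest: base "", scope baseObject, filter (objectClass=*), no attributes
    search = ber(0x30, ber(0x02, b"\x02") + ber(0x63,
        ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")
        + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")
        + ber(0x87, b"objectClass") + ber(0x30, b"")))
    fake_cipher = bytes(b ^ 0x5A for b in search)  # stand-in for RC4/AES output, not real sealing
    checksum = b"\x00" * 12                         # stand-in for the Kerberos token checksum

    def krb_header(flags):  # ID, flags, filler 0xFF, EC, RRC, SND_SEQ
        return KRB5_WRAP_ID + bytes([flags]) + b"\xFF" + b"\x00\x00" + b"\x00\x00" + b"\x00" * 7 + b"\x01"

    ntlm_sig = NTLMSSP_SIG_VERSION + b"\xAA" * 8 + b"\x00\x00\x00\x01"  # version, checksum, seq
    return {
        "cleartext": search,
        "krb5-integrity": sasl_buffer(krb_header(0x04) + search + checksum),
        "krb5-sealed": sasl_buffer(krb_header(0x06) + fake_cipher + checksum),
        "ntlm-signed": sasl_buffer(ntlm_sig + search),
        "ntlm-sealed": sasl_buffer(ntlm_sig + fake_cipher),
    }


if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(f"{name:16s} -> {classify_payload(payload)}")
```

To use it on a real trace, feed `summarize()` the TCP payloads of the tcp/389 connection one PDU at a time (for example, exported from the capture tool's follow-stream view); the classifier does not reassemble PDUs split across segments, and the pre-bind traffic will always show as cleartext since the SASL layer only starts after the bind completes. A connection that binds by IP and then shows only `sasl-ntlm` with `sealed` set is the "encoded/encrypted" case from the thread.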
