Ok, I worked out how to disable it. There is one GPO setting
I hadn't seen previously; you can disable it at the client via secpol.msc,
assuming no domain-level setting. As ~Eric pointed out, that is machine
specific, not connection specific.

The GPO setting is called "Network Security: LDAP client signing requirements".

It impacts the reg key:

hklm\system\currentcontrolset\services\ldap, value is ldapclientintegrity

0 = no encryption
1 = negotiate
2 = must have

I will make a note to self to put a request into ladybug next time I go into it.

joe
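As an added example (not from the thread, and not Microsoft's tooling), a PowerShell check that reads the registry value joe describes and reports whether LDAP client signing has been switched off on a machine. It assumes the documented default of 1 (negotiate) when the value is absent; the function name and the host list are my own.

```powershell
# Added example: audit the setting written by the GPO
# "Network Security: LDAP client signing requirements".
# Assumption: when the value is absent, Windows behaves as 1 (Negotiate signing).

function Get-LdapClientSigningLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $valueName = 'LDAPClientIntegrity'

    # Read the value; $null means it has never been set on this box.
    $reader = {
        param($path, $name)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { [int]$item.$name }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $raw = & $reader $keyPath $valueName
    } else {
        # Remote read over WinRM; requires PowerShell remoting to be enabled.
        $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader `
                              -ArgumentList $keyPath, $valueName
    }

    # Meanings as described in the thread (0 = none, 1 = negotiate, 2 = required).
    $levels    = @{ 0 = 'None (no signing or sealing)'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
    $effective = if ($null -eq $raw) { 1 } else { $raw }   # assumed default when unset

    [pscustomobject]@{
        ComputerName = $ComputerName
        RawValue     = $raw
        Effective    = $effective
        Meaning      = $levels[$effective]
        # 0 turns integrity protection off for every LDAP connection from the box.
        Weak         = ($effective -eq 0)
    }
}

# Audit the local machine; add remote names to the list as needed (placeholders here).
$hosts   = @($env:COMPUTERNAME)
$results = $hosts | ForEach-Object { Get-LdapClientSigningLevel -ComputerName $_ }
$results | Format-Table ComputerName, RawValue, Effective, Meaning, Weak -AutoSize

# Flag any host where the policy has been switched off entirely.
$results | Where-Object Weak | ForEach-Object {
    Write-Warning "$($_.ComputerName): LDAPClientIntegrity is 0; LDAP client signing is disabled machine-wide."
}
```

A reported value of 2 corresponds to the policy being set to "Require signing"; a missing value is reported with RawValue empty so it can be told apart from an explicit 1.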
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 2:21 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Using ldp.exe and explicitly setting SIGN and ENCRYPT to 0 still results in encrypted
traffic. I think this is what you were implying earlier regarding Joe's
GPO comments, but I wasn't quite sure. Thus it looks like you can't
disable this at all from the client. Can the behavior be changed at the DC?

Joe K.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

...and that's a good DCR IMHO. But that's just me. :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

File a DCR if you'd like that going forward, but today you can't. Sorry.

~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I don't believe I have any signing enabled on the test box I'm trying this on. All GPO settings for
signing and encryption are off. I will double-check it all though. Seems like you should
be able to disable this per connection with a control.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

If you get NTLM authentication and you've requested signing (which is the default) you'll find
the traffic is encrypted. It is encrypting because it appears to have ldapclientintegrity set
(thanks to the wldap32 dev that told me that, I didn't see it). If you don't want to
encrypt, flip this value. But note that this will decrypt all such connections
on the box, so this is not recommended.

~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan

So, joe and Joe – is this the indisputable truth that we've been looking for, that NTLM is a required part
of the Kerberos authentication process? :-D

(Joe, just ask joe..... trust me.....)

-rtk
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Exactly. Since I can't find documentation on this anywhere, I feel it should firmly go into the
classification of BUG.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

That is exactly what I saw as well. Using the IP address kills off the ability to use Kerberos,
forcing SPNEGO to NTLM, and then the whole connection is encrypted after that
even though I did not specify LDAP_OPT_ENCRYPT.

Joe K.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I can do better for you...

- Fire up ethereal with a capture filter of tcp port 389
- Open LDP
  o type in a DC name and click OK
  o Type in your bind info and bind
  o Click on view|tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)
- Look at the trace; you should note that the traffic on the tree view is all clear text
- Now do the same but use an IP address of the DC. Traffic should be all
encoded/encrypted.