Can't bind using NTLM and specific AD settings #1049
Comments
Hi! If a PKI is deployed within your AD environment (through ADCS for example), maybe you can try to use TLS authentication in your script. TLS authentication is, by design, not subject to Channel Binding. See #1032. Hope it helps 👍 🌻 |
Thanks @ThePirateWhoSmellsOfSunflowers for the quick answer. As I understand it, I can't have Channel Binding enabled at all, no matter whether I use the TLS you've mentioned, or the solution won't work? |
If you want to keep this (which is a good security hardening recommended by Microsoft, btw):
you can no longer use password based authentication with ldap3 (more information about Channel Binding here). However, as a workaround, you can still use certificate based authentication, because ldap3 supports it and Channel Binding has nothing to do with certificate authentication, so it's good for your script. On the one hand, you keep your AD environment secure (the two options are enabled), but on the other hand, your Domain Controller needs to trust your certificates, so Active Directory Certificate Services (ADCS) needs to be deployed within your AD env. You can also disable Channel Binding, and your script will work again with password, but as a security professional I can't recommend that to you 😆 🌻 |
@ThePirateWhoSmellsOfSunflowers thank you again, that's what my eyes wanted to see :) Kudos! |
@nowak-ninja if you use Kerberos (GSSAPI) authentication, that will also work! The ldap3 library supports channel binding with Kerberos, using the gssapi library on Unix and winkerberos on Windows. Depending on your setup, this might be easier than certificate-based auth. You can turn a username/password into a Kerberos credential; on Unix gssapi supports it, but on Windows the winkerberos library won't do it natively (though you can shell out and run kinit.exe to do it). |
Thank you @zorn96, it sounds great, but I am aware I am not fully armed with knowledge on how to do this :) Is there any howto related? PS. I have followed the library manual: https://ldap3.readthedocs.io/en/latest/bind.html#kerberos
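The two comments above recommend certificate-based (SASL/EXTERNAL over LDAPS) and Kerberos (SASL/GSSAPI) binds as the ways to keep working once the DC enforces channel binding. The following is an added example, not code from the ldap3 project or from anyone in this thread. Its first part models what the channel binding token is, as NTLM serialises it (RFC 5929 tls-server-end-point data inside a gss_channel_bindings_struct, hashed with MD5 as MS-NLMP specifies) and how a DC at each LdapEnforceChannelBinding level (0, 1, 2) decides; the certificate bytes are constructed and SHA-256 is assumed as the certificate's signature hash. Its second part builds the three ldap3 connections; the host, file paths and user are placeholders supplied by the caller, and ldap3 is imported inside that function so the first part runs without it installed.

```python
"""Channel binding as a DC checks it, and the ldap3 binds that survive enforcement."""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 5929 channel binding type used by LDAP over TLS.
CB_TYPE = b"tls-server-end-point:"

# Values of the LdapEnforceChannelBinding DC setting.
CB_NEVER, CB_WHEN_SUPPORTED, CB_ALWAYS = 0, 1, 2


def tls_server_end_point(server_cert_der: bytes) -> bytes:
    """Binding data: the hash of the server's TLS certificate (RFC 5929).

    The hash comes from the certificate's signatureAlgorithm, with MD5 and SHA-1
    upgraded to SHA-256.  Assumption here: a SHA-256-signed certificate, so
    SHA-256 is applied directly; real code reads the algorithm from the DER.
    """
    return CB_TYPE + hashlib.sha256(server_cert_der).digest()


def gss_channel_bindings_struct(application_data: bytes) -> bytes:
    """gss_channel_bindings_struct (RFC 2744) as NTLM serialises it.

    Initiator/acceptor address type and length are all zero (four uint32 LE),
    followed by the application data length and the data itself.
    """
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def ntlm_channel_binding_token(server_cert_der: bytes) -> bytes:
    """MsvChannelBindings AV pair value (MS-NLMP): MD5 of the struct above."""
    struct_bytes = gss_channel_bindings_struct(tls_server_end_point(server_cert_der))
    return hashlib.md5(struct_bytes).digest()


def dc_accepts(presented_token: Optional[bytes], session_cert_der: bytes, policy: int) -> bool:
    """The DC's decision for one NTLM bind at a given enforcement level.

    `presented_token` is None when the client sent no binding at all.  Under
    WHEN_SUPPORTED an absent token is tolerated but a wrong one is not; under
    ALWAYS the token must be present and match the certificate of *this* TLS
    session, which ties the NTLM exchange to the session it arrived on.
    """
    if policy == CB_NEVER:
        return True
    if presented_token is None:
        return policy == CB_WHEN_SUPPORTED
    expected = ntlm_channel_binding_token(session_cert_der)
    return hmac.compare_digest(presented_token, expected)


def connect(host: str, mode: str, ca_certs_file: str,
            client_cert: Optional[str] = None, client_key: Optional[str] = None,
            user: Optional[str] = None, password: Optional[str] = None):
    """Open an LDAPS connection with ldap3 using one of three binds.

    "kerberos":    SASL/GSSAPI; the ticket obtained with kinit is the credential.
    "certificate": SASL/EXTERNAL; the ADCS-issued client certificate
                   authenticates at the TLS layer, no password is sent.
    "ntlm":        password bind; this is the one that fails once the DC
                   enforces channel binding (the failure the issue reports).
    All names and paths are placeholders supplied by the caller.
    """
    import ssl
    from ldap3 import Connection, Server, Tls, SASL, KERBEROS, EXTERNAL, NTLM

    # Validate the DC's certificate: the binding is only meaningful on a TLS
    # session whose server identity has actually been checked.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file,
              local_certificate_file=client_cert, local_private_key_file=client_key)
    server = Server(host, use_ssl=True, tls=tls)  # port 636 by default

    if mode == "kerberos":
        conn = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS)
    elif mode == "certificate":
        conn = Connection(server, authentication=SASL, sasl_mechanism=EXTERNAL)
    elif mode == "ntlm":
        conn = Connection(server, user=user, password=password, authentication=NTLM)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if not conn.bind():
        raise RuntimeError(f"bind failed: {conn.result}")
    return conn


if __name__ == "__main__":
    # Constructed stand-in for the DER bytes of a DC certificate.
    dc_cert = b"constructed DER bytes of the DC TLS certificate"
    token = ntlm_channel_binding_token(dc_cert)
    print("token               :", token.hex())
    print("matching, ALWAYS    :", dc_accepts(token, dc_cert, CB_ALWAYS))
    print("absent, ALWAYS      :", dc_accepts(None, dc_cert, CB_ALWAYS))
    print("absent, WHEN_SUPPORT:", dc_accepts(None, dc_cert, CB_WHEN_SUPPORTED))
    print("other cert, ALWAYS  :", dc_accepts(token, b"some other cert", CB_ALWAYS))
```

The first part explains the thread's observation: a password bind carries (or fails to carry) a token bound to the DC's certificate, so it is the NTLM path that enforcement breaks, while the EXTERNAL and GSSAPI binds in `connect()` are unaffected because the credential is the client certificate or a Kerberos ticket rather than an NTLM exchange. Run with `connect("dc01.example.test", "kerberos", "/path/to/ca.pem")` after `kinit`, or with `mode="certificate"` plus the client certificate and key files, to bind against a DC that has both options enabled.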
Honestly, I am doing blind tries. I got a Kerberos token with kinit and can view it with klist, but I don't know what to do further with that:
|
Can you try this ?
|
Hey @ThePirateWhoSmellsOfSunflowers, I tried but without any change in the output. It does read the Kerberos ticket/token, because if it expires I get this:
After I do
Anyway, thanks for your time and support <3 |
You can also check out the ms_active_directory library (full disclosure: I maintain it). It builds on the ldap3 library and has support for automatically configuring your laptop for Kerberos with a domain, based on automatically discovering domain resources in DNS (though you can also set them yourself). One note in general for Kerberos is that you need DNS to use it properly; Kerberos won't really work with IP addresses. |
Dear @ThePirateWhoSmellsOfSunflowers @zorn96 I have played a bit with configuration and this is what I have found so far:
code: https://pastebin.com/72TWT8Ux PS. Where can I find an example of how to set up an X.509 cert for authentication (ADCS)? |
Hey, I have a working solution which uses this great ldap3 library. My security team is going to enable some options in AD at some point, so I had to test the solution, and it seems these changes break the current solution.
Changes in AD:
The second option does not affect my script, but the first one causes problems like:
After some reading, this is how I setup the connection now:
I have added conn.bind(), which wasn't there before, and auto_bind=True wasn't commented out before. I am an AD/LDAP newbie, hence I would like to ask if I am missing something here, or whether such option changes in AD are not compatible with this library and I have to look for other ways to solve this? I have searched through the issues and found this: #923, hoping for a solution, but it looks like a dead end.