[bcc dochelp] Hi Metze
Thank you for contacting Protocol Support. We created SR Case - TrackingID#2309280040006657 to track the issue. Please do leave this tag - TrackingID#2309280040006657 in the subject for future reference. One of our engineers will be contacting you shortly.

Hung-Chun Yu
hu...@microsoft.com
DevOps Customer Service & Support
My working hours are Monday to Friday 9am-6pm PST
If you need assistance outside of my working hours, please call and request to work with the next available engineer:
Our Premier Support line may be reached 24x7 at 1-800-936-3100
Our Government Premier Support Number is 1-800-936-3200
Our Professional Support Number 1-800-936-5800
Providing excellent support is my primary objective. Feel free to reach out to my manager to provide feedback: Gary Ranne, gar...@microsoft.com
For devops escalations please contact Stacy Gray, stac...@microsoft.com

-----Original Message-----
From: Stefan Metzmacher <me...@samba.org>
Sent: Thursday, September 28, 2023 7:20 AM
To: Interoperability Documentation Help <doch...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] LdapEnforceChannelBinding details

Hi DocHelp,

I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working.

MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application.

MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint" channel bindings should be used.

Can you please document with example values how ServerChannelBindingsUnhashed is constructed.

I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT):

[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..

And I'm also getting this when I manually copy the certificate blob from the TLS1.2 Server Certificate message and do a sha256sum on it.

I tried the following already.
4 zero bytes for initiator_addrtype
4 zero bytes for initiator_address.length
4 zero bytes for acceptor_addrtype
4 zero bytes for acceptor_address.length
4 little-endian bytes for '32' application_data.length
32 bytes for application_data.data

[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 20 00 00 00  ...
[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..

And the resulting MD5 hash over all of this is:

[0000] 00 3D 9C 0F D6 63 38 B1 B0 F8 53 63 A8 0A C8 6D .=...c8. ..Sc...m

And I put this into the NTLMv2 exchange:

    pair: struct AV_PAIR
        AvId  : MsvChannelBindings (0xA)
        AvLen : 0x0010 (16)
        Value : union ntlmssp_AvValue(case 0xA)
            ChannelBindings : 003d9c0fd66338b1b0f85363a80ac86d

LDAP error 49 LDAP_INVALID_CREDENTIALS - <80090346: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 80090346, v3839>

80090346 is HRES_SEC_E_BAD_BINDINGS

Can you please clarify this?

Thanks!
metze

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
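The following is an added, runnable reconstruction of the computation described in metze's message; it is not code from the post or from Samba. It serialises the gss_channel_bindings_struct with exactly the field order and little-endian lengths listed above, takes the MD5 over it, and wraps the result in an MsvChannelBindings AV_PAIR. CERT_HASH and REPORTED_MD5_HEX are copied from the hex dumps in the post. The "tls-server-end-point:" prefix variant is an assumption of this example: other NTLM client implementations prepend that channel-binding type name to the certificate hash before hashing, but the post does not establish that this is what the server expects, so the script simply produces both values for comparison.

```python
import hashlib
import struct

# Constructed input, copied from the hex dump in the post: the 32-byte
# tls-server-end-point channel binding (SHA-256 of the server certificate).
CERT_HASH = bytes.fromhex(
    "8484FE71875F0E259B7C0DAA407CDFD9"
    "57B44C6B8BEB1EFC3C84275DCE72ADE2"
)

# MD5 the post reports for the struct built from the bare hash; kept only so
# the script can report whether it reproduces the post's arithmetic.
REPORTED_MD5_HEX = "003d9c0fd66338b1b0f85363a80ac86d"

MSV_AV_CHANNEL_BINDINGS = 0x000A  # AvId of the MsvChannelBindings AV_PAIR

# Assumption (not stated in the post): the channel-binding type name that
# other NTLM clients put in front of the certificate hash in application_data.
TLS_SERVER_END_POINT_PREFIX = b"tls-server-end-point:"


def gss_channel_bindings(application_data: bytes,
                         initiator_addrtype: int = 0,
                         initiator_address: bytes = b"",
                         acceptor_addrtype: int = 0,
                         acceptor_address: bytes = b"") -> bytes:
    """Serialize a gss_channel_bindings_struct in the byte layout the post
    uses: every addrtype and every length is a 4-byte little-endian integer,
    immediately followed by the bytes that length counts."""
    out = struct.pack("<II", initiator_addrtype, len(initiator_address))
    out += initiator_address
    out += struct.pack("<II", acceptor_addrtype, len(acceptor_address))
    out += acceptor_address
    out += struct.pack("<I", len(application_data))
    out += application_data
    return out


def msv_channel_bindings(application_data: bytes) -> bytes:
    """Value of the MsvChannelBindings AV_PAIR: MD5 over the whole struct."""
    return hashlib.md5(gss_channel_bindings(application_data)).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    """Encode one AV_PAIR: AvId and AvLen as little-endian uint16, then Value."""
    return struct.pack("<HH", av_id, len(value)) + value


def channel_bindings_av_pair(cert_hash: bytes, prefixed: bool) -> bytes:
    """Complete MsvChannelBindings AV_PAIR for a certificate hash, built either
    from the bare hash (what the post tried) or with the type-name prefix."""
    app_data = (TLS_SERVER_END_POINT_PREFIX + cert_hash) if prefixed else cert_hash
    return av_pair(MSV_AV_CHANNEL_BINDINGS, msv_channel_bindings(app_data))


def hexdump(data: bytes) -> str:
    """Format bytes in the [offset] hex style used in the post."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append("[%04X] %s" % (off, " ".join("%02X" % b for b in chunk)))
    return "\n".join(lines)


if __name__ == "__main__":
    for prefixed in (False, True):
        app_data = (TLS_SERVER_END_POINT_PREFIX + CERT_HASH) if prefixed else CERT_HASH
        print("gss_channel_bindings_struct (prefixed=%s):" % prefixed)
        print(hexdump(gss_channel_bindings(app_data)))
        print("MD5     -> %s" % msv_channel_bindings(app_data).hex())
        print("AV_PAIR -> %s\n" % channel_bindings_av_pair(CERT_HASH, prefixed).hex())
    print("bare-hash MD5 equals the value in the post:",
          msv_channel_bindings(CERT_HASH).hex() == REPORTED_MD5_HEX)
```

Run it as a script to print both candidate structs, their MD5 values and the encoded AV_PAIR; the bare-hash path is a byte-for-byte replay of the post, so its output can be checked against the dumps above before either variant is tried against a server with LdapEnforceChannelBinding=2.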