Hello, I have been able to set up a Windows 2019 Domain, so I did some testing with simple and DIGEST-MD5. As expected both will be rejected when the integritylevel=2 is set.

For DIGEST-MD5 it is enough to request Auth-int with AD to get over this check (funny enough it seems to not sign requests, only the login). Here is some sample code and sample output: https://gist.github.com/ecki/cdd7a14575b7dca10da8d362974731a0 (The password used was not the one shown).

BTW: in order to use DIGEST-MD5 with an AD user the user's password "encryption" must be configured to be reversible (and a new password must be set).

Next will be testing with TLS (and channel binding) once I get the LDAP certificate set up for this.

--
http://bernd.eckenfels.net

________________________________
From: Michael Osipov <1983-01...@gmx.net>
Sent: Wednesday, December 18, 2019 6:37 PM
To: Bernd Eckenfels; security-dev@openjdk.java.net
Subject: Re: Microsoft LDAP Channel Binding

On 2019-12-18 at 04:29, Bernd Eckenfels wrote:
> Hello,
>
> Microsoft just released a Security Advisory, announcing that upcoming
> Windows Server Versions will turn on mandatory TLS Channel Binding (and turn
> off simple binds with mandatory SASL signing) on LDAP Servers.

Another question here, typically Microsoft: What makes you think that this is TLS channel binding? All I see is LDAP channel binding for which I fail to find any technical documentation.

Michael
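The test Bernd describes (a DIGEST-MD5 bind against AD that is rejected with the default qop but accepted once integrity protection is requested) can be reproduced with plain JNDI. The following is an added example written for this thread; it is not the code from the linked gist. The server URL, user name, base DN and the `LDAP_PASSWORD` environment variable are placeholders, and the assumption that AD accepts the bare sAMAccountName as the DIGEST-MD5 user name is the example's, not something stated in the thread.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Binds to an LDAP server with SASL DIGEST-MD5 twice: once with the default
 * qop ("auth", authentication only) and once with "auth-int" (per-message
 * integrity). Against a domain controller configured to require LDAP signing,
 * the first bind is expected to be rejected and the second to succeed.
 */
public class DigestMd5QopProbe {

    /** Opens a DIGEST-MD5 bind with the requested SASL quality of protection. */
    static DirContext bind(String url, String user, String password, String qop)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);        // sAMAccountName (assumption)
        env.put(Context.SECURITY_CREDENTIALS, password);
        // SASL QOP: "auth" = authentication only, "auth-int" = integrity-protected
        // messages. The JNDI LDAP provider passes this straight to the SASL client.
        env.put("javax.security.sasl.qop", qop);
        return new InitialDirContext(env);
    }

    /** Runs one search after the bind so a request, not only the login, is sent. */
    static int countOwnEntry(DirContext ctx, String baseDn, String user)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        int hits = 0;
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(sAMAccountName={0})", new Object[] {user}, sc);
        try {
            while (results.hasMore()) {
                results.next();
                hits++;
            }
        } finally {
            results.close();
        }
        return hits;
    }

    public static void main(String[] args) {
        String url = "ldap://dc1.example.test:389";   // placeholder domain controller
        String user = "ldaptest";                      // placeholder account
        String baseDn = "DC=example,DC=test";          // placeholder base DN
        String password = System.getenv("LDAP_PASSWORD");
        if (password == null) {
            System.err.println("set LDAP_PASSWORD first");
            return;
        }
        for (String qop : new String[] {"auth", "auth-int"}) {
            try {
                DirContext ctx = bind(url, user, password, qop);
                try {
                    int hits = countOwnEntry(ctx, baseDn, user);
                    System.out.println("qop=" + qop + ": bind accepted, search returned "
                            + hits + " entry/entries");
                } finally {
                    ctx.close();
                }
            } catch (NamingException e) {
                // With LDAP signing enforced, the plain "auth" bind lands here.
                System.out.println("qop=" + qop + ": bind rejected: " + e);
            }
        }
    }
}
```

Run it once with signing enforcement off and once with it on to see which of the two binds the domain controller still accepts. The search after the bind is there so that the capture shows what happens to a regular request after the login, which is the part of the behaviour Bernd found surprising; the filter is parameterised (`{0}`) rather than concatenated so the user name cannot alter the filter syntax.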