[cifs-protocol] [MS-NLMP] Trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working - TrackingID#2309280040006657

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Sep 28 16:32:39 UTC 2023 

[HC to BCC, adding later response]

Hi Metze,

I will file a request to update the documentation and follow up. 

Thank you for letting us know. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Stefan Metzmacher <metze at samba.org> 
Sent: Thursday, September 28, 2023 7:58 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] LdapEnforceChannelBinding details


Ok, I've looked at the openldap code and found out that I have to prefix this with "tls-server-end-point:".

With that I got it working...

However these details would be good to have in MS-ADTS.

metze

-----Original Message-----
From: Hung-Chun Yu <HungChun.Yu at microsoft.com> 
Sent: Thursday, September 28, 2023 8:01 AM
To: metze <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Hung-Chun Yu <HungChun.Yu at microsoft.com>; Microsoft Support <supportmail at microsoft.com>
Subject: [MS-NLMP] Trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working - TrackingID#2309280040006657

[bcc dochelp]

Hi Metze

Thank you for contacting Protocol Support. We created SR Case - TrackingID#2309280040006657 to track the issue.
Please do leave this tag - TrackingID#2309280040006657 in the subject for future reference.

One our engineers will be contacting you shortly.

Hung-Chun Yu
hunyu at microsoft.com
DevOps Customer Service & Support

My working hours are Monday to Friday 9am-6pm PST If you need assistance outside of my working hours, please call and request to work with the next available engineer:

Our Premier Support line may be reached 24x7 at 1-800-936- 3100 Our Government Premier Support Number is 1-800-936-3200 Our Professional Support Number 1-800-936-5800 Providing excellent support is my primary objective. 
Feel free to reach out to my manager to provide feedback:
Gary Ranne, garyra at microsoft.com
For devops escalations please contact stacy gray Stacy Gray, stacygr at microsoft.com

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Thursday, September 28, 2023 7:20 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] LdapEnforceChannelBinding details

Hi DocHelp,

I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working.

MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application.

MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint"
channel bindings should be used.

Can you please document with examples values how ServerChannelBindingsUnhashed is constructed.

I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)

[0000] 84 84 FE 71 87 5F 0E 25   9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC   3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And I'm also getting this when I manually copy the certificate blob from the TLS1.2 Server Certificate message and do a sha256sum on it.

I tried the following already.

4-zero bytes for initiator_addrtype
4-zero bytes for initiator_address.length 4-zero bytes for acceptor_addrtype 4-zero bytes for acceptor_address.length
4 little endian bytes for '32' application_data.length
32 bytes for application_data.data

[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 20 00 00 00                                          ...
[0000] 84 84 FE 71 87 5F 0E 25   9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC   3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And the resulting MD5 hash over all of this is:
[0000] 00 3D 9C 0F D6 63 38 B1   B0 F8 53 63 A8 0A C8 6D   .=...c8. ..Sc...m

And I put this into the MTLMv2 exchange:

     pair: struct AV_PAIR
         AvId                     : MsvChannelBindings (0xA)
         AvLen                    : 0x0010 (16)
         Value                    : union ntlmssp_AvValue(case 0xA)
         ChannelBindings          : 003d9c0fd66338b1b0f85363a80ac86d

LDAP error 49 LDAP_INVALID_CREDENTIALS -  <80090346: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 80090346, v3839>

80090346 is HRES_SEC_E_BAD_BINDINGS

Can you please clarify this?

Thanks!
metze

More information about the cifs-protocol mailing list