[cifs-protocol] 120022021002221 MS-ADTS | Optional LDAP channel-binding in Windows

Isaac Boukris iboukris at gmail.com
Sat Feb 29 08:50:03 UTC 2020


Hi Obaid,

Thanks for explaining this, I also found the description
ApplicationRequiresCBT in MS-KILE 3.2.5.8 AP Exchange, and 3.4.5,
which matches LdapEnforceChannelBindings=2, perhaps it would be a good
place to document LdapEnforceChannelBindings=1 as well.

Regards.

On Sat, Feb 29, 2020 at 1:50 AM Obaid Farooqi <obaidf at microsoft.com> wrote:
>
> The clients that support channel binding will include a channel binding regardless. The ones that are patched will include a proper channel binding and ones that are not patched will include a channel binding of zeros.
>
> The clients that do not have channel binding capability will not include channel binding at all.
>
> I am looking into where to document this and will update you.
>
> Please let me know if this does not answer your question.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Tom Jebo <tomjebo at microsoft.com>
> Sent: Thursday, February 20, 2020 4:19 PM
> To: Isaac Boukris <iboukris at gmail.com>; Stefan Metzmacher <metze at samba.org>; Simo Sorce <simo at redhat.com>; cifs-protocol at lists.samba.org
> Cc: support <support at mail.support.microsoft.com>
> Subject: RE: 120022021002221 MS-ADTS | Optional LDAP channel-binding in Windows
>
> [dochelp to bcc]
> [support to cc]
>
> Hi Isaac,
>
> Thank you for your question about LDAP channel-binding. One of the Open Specifications team members will respond to begin assisting you with this question. In the meantime, I've created case 120022021002221 to track and added the case number to the subject of this email. Please leave the case number in the subject and refer to it when communicating about this issue with us.
>
> Best regards,
> Tom Jebo
> Sr Escalation Engineer
> Microsoft Open Specifications
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Thursday, February 20, 2020 12:11 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; Stefan Metzmacher <metze at samba.org>; Simo Sorce <simo at redhat.com>; cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] MS-ADTS | Optional LDAP channel-binding in Windows
>
> Hello dochelp,
>
> Another question on channel-binding in LDAP, per:
> https://support.microsoft.com/en-us/help/4034879
>
> The documentation says that when LdapEnforceChannelBindings=1 only clients that support channel-bindings are required to provide it. Can you please document how this works? How does the server know the client version to apply this logic?

Isaac


