[cifs-protocol] [EXTERNAL] Re: 120022021002221 MS-ADTS | Optional LDAP channel-binding in Windows

Obaid Farooqi obaidf at microsoft.com
Sun Mar 8 18:13:57 UTC 2020


Hi Isaac:
I found the MS-ADTS section "5.1.2 Message Security" to be most appropriate for this information. So I filed a bug against MS-ADTS. 

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Saturday, February 29, 2020 2:50 AM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: Stefan Metzmacher <metze at samba.org>; Simo Sorce <simo at redhat.com>; cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>; Greg Hudson <ghudson at mit.edu>
Subject: [EXTERNAL] Re: 120022021002221 MS-ADTS | Optional LDAP channel-binding in Windows

Hi Obaid,

Thanks for explaining this. I also found the description of ApplicationRequiresCBT in MS-KILE 3.2.5.8 AP Exchange, and 3.4.5, which matches LdapEnforceChannelBindings=2; perhaps it would be a good place to document LdapEnforceChannelBindings=1 as well.

Regards.

On Sat, Feb 29, 2020 at 1:50 AM Obaid Farooqi <obaidf at microsoft.com> wrote:
>
> The clients that support channel binding will include a channel binding regardless. The ones that are patched will include a proper channel binding and the ones that are not patched will include a channel binding of zeros.
>
> The clients that do not have channel binding capability will not include channel binding at all.
>
> I am looking into where to document this and will update you.
>
> Please let me know if this does not answer your question.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Tom Jebo <tomjebo at microsoft.com>
> Sent: Thursday, February 20, 2020 4:19 PM
> To: Isaac Boukris <iboukris at gmail.com>; Stefan Metzmacher 
> <metze at samba.org>; Simo Sorce <simo at redhat.com>; 
> cifs-protocol at lists.samba.org
> Cc: support <support at mail.support.microsoft.com>
> Subject: RE: 120022021002221 MS-ADTS | Optional LDAP channel-binding 
> in Windows
>
> [dochelp to bcc]
> [support to cc]
>
> Hi Isaac,
>
> Thank you for your question about LDAP channel-binding. One of the Open Specifications team members will respond to begin assisting you with this question. In the meantime, I've created case 120022021002221 to track and added the case number to the subject of this email. Please leave the case number in the subject and refer to it when communicating about this issue with us.
>
> Best regards,
> Tom Jebo
> Sr Escalation Engineer
> Microsoft Open Specifications
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Thursday, February 20, 2020 12:11 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; 
> Stefan Metzmacher <metze at samba.org>; Simo Sorce <simo at redhat.com>; 
> cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] MS-ADTS | Optional LDAP channel-binding in Windows
>
> Hello dochelp,
>
> Another question on channel-binding in LDAP, per:
> https://support.microsoft.com/en-us/help/4034879
>
> The documentation says that when LdapEnforceChannelBindings=1 only clients that support channel-bindings are required to provide it. Can you please document how this works? How does the server know the client version to apply this logic?

Isaac
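The server-side decision the thread is asking about, written out as a runnable model. This is an added example of my own, not code from the thread, from Samba or from Microsoft. It computes the RFC 5929 tls-server-end-point binding and the 16-byte Bnd value that RFC 1964 section 4.1.1.2 (referenced by RFC 4121) puts in the Kerberos authenticator checksum, then applies the three LdapEnforceChannelBindings levels from KB4034879 to what a client presented. The certificate bytes are constructed stand-ins, the function names are mine, and one point is an assumption the thread does not state outright: that under level 1 an all-zeros binding (the unpatched-client case Obaid describes) is treated the same as no binding at all and accepted, while a non-zero binding must match.

```python
"""Model of LDAP channel-binding enforcement on a domain controller.

Added example (not from the thread, Samba or Microsoft). Levels follow
KB4034879 / MS-KILE as the thread summarises them: 0 never checks,
1 ("when supported") only checks clients able to present a binding,
2 always requires a correct binding.
ASSUMPTION (not stated on the page): under level 1 an absent binding and an
all-zeros binding are both treated as "client cannot provide channel
binding" and accepted.
"""
import hashlib
import struct
from typing import Optional

GSS_C_AF_UNSPEC = 0  # address type used when no addresses are bound (RFC 2744)

# Policy levels of the LdapEnforceChannelBindings registry value (KB4034879).
NEVER, WHEN_SUPPORTED, ALWAYS = 0, 1, 2


def tls_server_end_point(cert_der: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point binding: hash of the server certificate.

    RFC 5929 takes the hash from the certificate's signature algorithm, with
    SHA-256 replacing MD5/SHA-1; the caller passes the resolved name here.
    """
    digest = hashlib.new(hash_name, cert_der).digest()
    return b"tls-server-end-point:" + digest


def _lv(data: bytes) -> bytes:
    """4-byte little-endian length prefix followed by the data."""
    return struct.pack("<I", len(data)) + data


def gss_channel_binding_hash(application_data: bytes,
                             initiator_addr: bytes = b"",
                             acceptor_addr: bytes = b"") -> bytes:
    """16-byte Bnd field carried in the Kerberos AP-REQ authenticator checksum.

    RFC 1964 section 4.1.1.2: MD5 over the address types (4-byte LE), the
    length-prefixed addresses and the length-prefixed application data.
    The TLS end-point binding goes in application_data; addresses are left
    unspecified.
    """
    buf = (struct.pack("<I", GSS_C_AF_UNSPEC) + _lv(initiator_addr)
           + struct.pack("<I", GSS_C_AF_UNSPEC) + _lv(acceptor_addr)
           + _lv(application_data))
    return hashlib.md5(buf).digest()


def evaluate_binding(policy: int, expected: bytes,
                     presented: Optional[bytes]) -> str:
    """Return 'accept' or 'reject' for one LDAP bind over TLS.

    expected  - Bnd value the DC computes from its own certificate.
    presented - Bnd value taken from the client's authenticator, or None
                when the client sent no channel-binding information at all.
    """
    if policy == NEVER:
        return "accept"
    absent = presented is None
    zeros = presented is not None and presented == bytes(len(presented))
    if policy == ALWAYS:
        # Level 2: every client must present a binding and it must match.
        ok = not absent and not zeros and presented == expected
        return "accept" if ok else "reject"
    if policy == WHEN_SUPPORTED:
        # Level 1: a client that cannot provide a binding (absent), or an
        # unpatched client that sends all zeros, is let through (ASSUMPTION,
        # see module docstring); a client that does provide one must be right.
        if absent or zeros:
            return "accept"
        return "accept" if presented == expected else "reject"
    raise ValueError(f"unknown policy level {policy}")


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real DC hashes its own cert.
    fake_cert = b"-- constructed certificate bytes, not a real certificate --"
    expected = gss_channel_binding_hash(tls_server_end_point(fake_cert))
    # Binding over a different certificate: the TLS end point the client saw
    # is not this DC, which is exactly the case channel binding exists to catch.
    other = gss_channel_binding_hash(tls_server_end_point(b"some other cert"))
    cases = (("absent", None), ("zeros", bytes(16)),
             ("matching", expected), ("mismatch", other))
    for label, presented in cases:
        verdicts = [evaluate_binding(p, expected, presented)
                    for p in (NEVER, WHEN_SUPPORTED, ALWAYS)]
        print(f"{label:9s} never/when-supported/always -> {verdicts}")
```

Running it prints one line per client case with the verdict under each of the three levels; the "zeros" row is the one that separates level 1 from level 2, which is the distinction the original question was about.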
