[cifs-protocol] [MS-NLMP] Trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working - TrackingID#2309280040006657
Jeff McCashland (He/him)
jeffm at microsoft.com
Thu Sep 28 16:32:39 UTC 2023
[HC to BCC, adding later response]
Hi Metze,
I will file a request to update the documentation and follow up.
Thank you for letting us know.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
From: Stefan Metzmacher <metze at samba.org>
Sent: Thursday, September 28, 2023 7:58 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] LdapEnforceChannelBinding details
Ok, I've looked at the openldap code and found out that I have to prefix this with "tls-server-end-point:".
With that I got it working...
However these details would be good to have in MS-ADTS.
metze
-----Original Message-----
From: Hung-Chun Yu <HungChun.Yu at microsoft.com>
Sent: Thursday, September 28, 2023 8:01 AM
To: metze <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Hung-Chun Yu <HungChun.Yu at microsoft.com>; Microsoft Support <supportmail at microsoft.com>
Subject: [MS-NLMP] Trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working - TrackingID#2309280040006657
[bcc dochelp]
Hi Metze
Thank you for contacting Protocol Support. We created SR Case - TrackingID#2309280040006657 to track the issue.
Please do leave this tag - TrackingID#2309280040006657 in the subject for future reference.
One of our engineers will be contacting you shortly.
Hung-Chun Yu
hunyu at microsoft.com
DevOps Customer Service & Support
My working hours are Monday to Friday 9am-6pm PST. If you need assistance outside of my working hours, please call and request to work with the next available engineer:
Our Premier Support line may be reached 24x7 at 1-800-936-3100. Our Government Premier Support Number is 1-800-936-3200. Our Professional Support Number is 1-800-936-5800.
Providing excellent support is my primary objective.
Feel free to reach out to my manager to provide feedback:
Gary Ranne, garyra at microsoft.com
For devops escalations please contact stacy gray Stacy Gray, stacygr at microsoft.com
-----Original Message-----
From: Stefan Metzmacher <metze at samba.org>
Sent: Thursday, September 28, 2023 7:20 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] LdapEnforceChannelBinding details
Hi DocHelp,
I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working.
MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application.
MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint" channel bindings should be used.
Can you please document, with example values, how ServerChannelBindingsUnhashed is constructed?
I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..
And I'm also getting this when I manually copy the certificate blob from the TLS1.2 Server Certificate message and do a sha256sum on it.
I tried the following already.
4 zero bytes for initiator_addrtype
4 zero bytes for initiator_address.length
4 zero bytes for acceptor_addrtype
4 zero bytes for acceptor_address.length
4 little-endian bytes for '32' as application_data.length
32 bytes for application_data.data
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 20 00 00 00 ...
[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..
And the resulting MD5 hash over all of this is:
[0000] 00 3D 9C 0F D6 63 38 B1 B0 F8 53 63 A8 0A C8 6D .=...c8. ..Sc...m
And I put this into the NTLMv2 exchange:
pair: struct AV_PAIR
AvId : MsvChannelBindings (0xA)
AvLen : 0x0010 (16)
Value : union ntlmssp_AvValue(case 0xA)
ChannelBindings : 003d9c0fd66338b1b0f85363a80ac86d
LDAP error 49 LDAP_INVALID_CREDENTIALS - <80090346: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 80090346, v3839>
80090346 is HRES_SEC_E_BAD_BINDINGS
Can you please clarify this?
Thanks!
metze
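The construction metze walks through above, combined with the "tls-server-end-point:" prefix he later found in the OpenLDAP code, as an added Python example (not code from the thread, from Samba or from OpenLDAP). The 32-byte certificate hash is the value quoted in the mail, reused here as sample input; the struct layout and the 0xA AvId follow the mail's own description.

```python
import hashlib
import struct

# Sample input: the 32-byte tls-server-end-point value quoted in the thread
# (SHA-256 of the server certificate, as returned by gnutls).
CERT_HASH = bytes.fromhex(
    "8484FE71875F0E259B7C0DAA407CDFD9"
    "57B44C6B8BEB1EFC3C84275DCE72ADE2"
)

# Prefix that Windows puts in front of the hash in the application_data of
# SEC_CHANNEL_BINDINGS; omitting it is what produced SEC_E_BAD_BINDINGS.
PREFIX = b"tls-server-end-point:"

MSV_CHANNEL_BINDINGS_AVID = 0x000A


def gss_channel_bindings(application_data: bytes) -> bytes:
    """Serialise the channel-bindings struct the way MS-NLMP hashes it:
    four zero 32-bit fields (initiator/acceptor address type and length,
    all unused for TLS), the little-endian length of application_data,
    then the data itself."""
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def msv_channel_bindings(cert_hash: bytes, prefixed: bool = True) -> bytes:
    """Return the 16-byte MsvChannelBindings value: MD5 over the serialised
    struct.  prefixed=False reproduces the failing variant from the thread
    (bare hash as application_data), prefixed=True the working one."""
    app_data = (PREFIX + cert_hash) if prefixed else cert_hash
    return hashlib.md5(gss_channel_bindings(app_data)).digest()


def av_pair_channel_bindings(cert_hash: bytes) -> bytes:
    """Encode the AV_PAIR (AvId, AvLen, Value) carrying the MD5 value,
    both fields little-endian as in the NTLMv2 target info."""
    value = msv_channel_bindings(cert_hash)
    return struct.pack("<HH", MSV_CHANNEL_BINDINGS_AVID, len(value)) + value


if __name__ == "__main__":
    print("bindings struct :", gss_channel_bindings(PREFIX + CERT_HASH).hex())
    print("MsvChannelBindings:", msv_channel_bindings(CERT_HASH).hex())
    print("AV_PAIR          :", av_pair_channel_bindings(CERT_HASH).hex())
```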