LDAPS with ActiveDirectoryMembershipProvider on ASP.Net Webforms

I have set the ActiveDirectoryMembershipProvider connectionProtection attribute to Secure. According to the MSDN documentation, when this is set to Secure the following holds:
"The ActiveDirectoryMembershipProvider class will attempt to connect to Active Directory using SSL. If SSL fails, a second attempt to connect to Active Directory using sign-and-seal will be made. If both attempts fail, the ActiveDirectoryMembershipProvider instance will throw a ProviderException exception."
The code works and queries can be made against LDAP, but one issue that has me a little confused is that my connection string is prefixed with LDAP and not LDAPS. Changing this to LDAPS results in the following error:
"Parser Error Message: Error HRESULT E_FAIL has been returned from a call to a COM component."
What is happening here? In the first instance where the connection string is simply LDAP is SSL being used? The documentation indicates that if it is not, an exception should be thrown. If not, then what would be the likely cause for this error in this context?

As far as I know, all LDAP DNs (distinguished names) always have an LDAP-only prefix, whether they're over a secure link or not. The secure aspect typically shows up by means of the port on the server being used: 389 being the default for non-secure, and 636 being the default for secure communication.
But the spec of LDAP distinguished names doesn't have an LDAPS prefix, really. I did a lot of LDAP work a few years ago, and I do remember having to deal with different ports for trusted or secured communications, but I never once had a fully qualified LDAP path have anything else but an LDAP:// prefix (case sensitive, too!).

The LDAP:// prefix is used both for clear and SSL connections. To check whether the communication is indeed under SSL, try step 3 of this blog entry: http://erlend.oftedal.no/blog/?blogid=7

What does this LDAP traffic signify? "<ROOT>" baseObject

The requesting host is compromised, sending traffic to the DC (the former is running SharpHound to perform recon, though I don't know if that is a part of this). I am very new to LDAP and am clueless as to what this means. Is this malicious? The details are below; any help would be appreciated!
For regular LDAP over TCP, the "null DN" entry (indicated as <ROOT> by Wireshark) is often called the "rootDSE", and is used for protocol negotiation – it contains attributes indicating what LDAP protocol extensions are supported by the server. For example, whenever an LDAP client wants to use SASL authentication or StartTLS, it first makes a query for the rootDSE entry to make sure that's available:
$ ldapsearch -x -b "" -s base + \*
[...]
supportedControl: 1.3.6.1.1.13.1 # 'pre-read' control supported
supportedExtension: 1.3.6.1.4.1.1466.20037 # StartTLS supported
supportedExtension: 1.3.6.1.4.1.4203.1.11.1 # password change supported
supportedFeatures: 1.3.6.1.1.14 # 'Increment' operation supported
supportedSASLMechanisms: GSSAPI # Kerberos authentication supported
[...]
(The rootDSE also has some AD-specific parameters, but that's not its main purpose.)
Seeing such requests over TCP is normal for any LDAP communications.
The CLDAP request over UDP is a slightly different thing – it's a Netlogon ping used by Windows AD clients to quickly check communications with a domain controller. It serves a similar purpose as the above rootDSE search, but deals with AD Netlogon parameters rather than LDAP parameters.
Seeing an occasional CLDAP ping from any AD member to your DCs is normal (as long as their payload makes sense, and as long as it's not a flood of requests).
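
Added example, not part of the answer above: a minimal BER decoder for LDAP SearchRequest PDUs (RFC 4511) that tells the rootDSE probe Wireshark labels "<ROOT>" (empty baseObject, scope baseObject) apart from an ordinary directory search. The two messages it runs on are constructed in the script with a made-up naming context (DC=corp,DC=example), not captured from a domain controller, and the encoder exists only to build those samples. Standard library only.

```python
# Added example: decode LDAP SearchRequest PDUs and classify rootDSE probes.
# The sample messages are constructed below; the naming context is made up.

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    """Minimal two's-complement INTEGER (enough for message IDs and limits)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2

def search_request(msg_id, base_dn, scope, attrs, filter_attr="objectClass"):
    """Build LDAPMessage { messageID, searchRequest } with a present filter (attr=*)."""
    body = (tlv(0x04, base_dn.encode())                    # baseObject LDAPDN
            + tlv(0x0A, bytes([scope]))                    # scope ENUMERATED
            + tlv(0x0A, b"\x00")                           # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)                      # sizeLimit, timeLimit
            + tlv(0x01, b"\x00")                           # typesOnly FALSE
            + tlv(0x87, filter_attr.encode())              # filter: present [7] attr
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))  # attributes
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))    # 0x63 = [APPLICATION 3] SearchRequest

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); single-byte tags only, which is all LDAP uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_search_request(msg):
    """Decode the fields of a SearchRequest; return None for any other protocolOp."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x63:
        return None
    fields, pos = [], 0
    for _ in range(8):                         # the eight SearchRequest components
        t, v, pos = read_tlv(op, pos)
        fields.append((t, v))
    base, scope, _, _, _, _, filt, attr_seq = fields
    attrs, p = [], 0
    while p < len(attr_seq[1]):
        _, a, p = read_tlv(attr_seq[1], p)
        attrs.append(a.decode())
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "base_object": base[1].decode(), "scope": scope[1][0],
            "filter_tag": filt[0], "attributes": attrs}

def is_rootdse_search(msg):
    """True for the negotiation probe Wireshark shows as baseObject <ROOT>."""
    req = parse_search_request(msg)
    return bool(req) and req["base_object"] == "" and req["scope"] == SCOPE_BASE

# Constructed samples: the equivalent of `ldapsearch -x -b "" -s base + \*`,
# and a subtree search of a made-up domain naming context for contrast.
ROOTDSE_MSG = search_request(1, "", SCOPE_BASE, ["+", "*"])
SUBTREE_MSG = search_request(2, "DC=corp,DC=example", SCOPE_SUB, ["sAMAccountName", "memberOf"])

if __name__ == "__main__":
    for m in (ROOTDSE_MSG, SUBTREE_MSG):
        print(parse_search_request(m), "-> rootDSE" if is_rootdse_search(m) else "-> ordinary search")
```

A rootDSE probe by itself is the benign negotiation step described above; what deserves attention in a SharpHound scenario is the volume of wholeSubtree searches from the domain naming context that follow it, which the same decoder lets you count per client.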

Will AD calls automatically switch to LDAPS if unsigned LDAP on port 389 is disabled?

Does anyone know if calls to create a new PrincipalContext will automatically switch to LDAPS from LDAP when Microsoft releases its AD security update in March? We have created a VB.Net security library for our corporate applications that instantiates the object like below, with no explicit reference to port 636 in the domain string. I have tested the library with Wireshark running, and I only see unsigned LDAP (port 389) traffic, but we have both ports enabled, so I don't know if it will automatically switch to LDAPS.
Return New PrincipalContext(ContextType.Domain, "my.corp.domain", container, Config.ADUser, Config.ADPass)
It will not switch to LDAPS if normal LDAP doesn't work. You have to specify LDAPS explicitly by passing the LDAPS port as part of the domain name: "my.corp.domain:636"
That said, I haven't read anything to suggest that Microsoft will be disabling access to the LDAP port entirely. From what I understand, the issue is only with how the requests are authenticated. Port 389 will continue to function.
Actually, the change in March won't change anything at all. You can read more about it here, which says:
March 2020 update will only add some new functionalities and make no changes, giving Customers more time to fix issues.

Kerberos API throws error while initializing and renewing credentials

I'm using the Kerberos 1.5.0.3 API to develop an authentication system similar to the kinit command.
I have two systems: one which has only IPv4, and a second one which has both IPv4 and IPv6 (IPv6 is unconfigured on this client but configured on the server).
This function works fine on the first machine and doesn't work on the second machine.
The first type of error, when the Kerberos cache is not present, is thrown by krb5_get_init_creds_password: 96C73ADC
When I manually run kinit and, assuming the ticket is valid, then try things out, I get the error 96C73AB9 from the krb5_get_renewed_creds() call.
I referred to the error codes here: Kerberos Error Codes
Any help is much appreciated. Even though I'm familiar with the Kerberos API, this is my first attempt at writing code that will work in multiple kinds of environments.

Kerberos: kvno is '1' in client tickets

We're configuring SSO for our web app for a customer, but unfortunately we don't have access to the domain controller (one more reason why we don't do more experimenting to check our assumptions). So, we asked them to run ktpass.exe and prepare a .ktpass file to use for our server configuration.
The issue we are facing is "specified version of key is not available".
I looked up the keytab file (kvno = 5), and checked out the traffic with Wireshark on our web server:
As you can see, kvno = 1 in the AP-REQ ticket. I suppose that it's the right ticket to check the kvno version.
I know there are compatibility issues with Windows 2000 domains (/kvno 1 must be used for Windows 2000 domain compatibility), but we are told we are dealing with a Windows 2008R2 server (and I can see the value msDS-Behavior-Version = 4 for our domain controller, which matches 2008R2!).
Is there anything like W2K domain mode that we are facing here?
Would explicit kvno=1 help to resolve the issue? I.e., ktpass.exe [..] /kvno 1
EDIT #1
The problem was about an incorrectly specified SPN. It was HTTP/computer_name@DOMAIN.COM instead of using the fully qualified domain name. This would only work if WINS were enabled, but it turned out it wasn't.
After generating the keytab with the correct SPN, everything works fine, and the kvno is sent according to the actual account value.
Will kindly accept answer that explains the effect I observed.
I do not know the internals well, but MIT Kerberos clients do forward resolution of the hostname part of a host-based service principal to canonicalize the hostname. In my experience, if the name does not resolve it does affect Kerberos auth. When I set up service accounts for SQL Server to do Kerberos, I always have to register an SPN with the host name and the fully qualified domain name, because different SQL components seem to use different resolution methods.
In a very basic network topology, WINS would be able to resolve the name. Even without WINS, though, the NetBIOS service would be able to resolve the hostname. WINS and NetBIOS rely heavily on broadcasts, so if your web server is on a different subnet, NetBIOS name resolution would fail, and WINS too if not configured correctly. Also, Windows needs to be using the TCP/IP NetBIOS Helper service.
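
Added example, not part of the question or answer above: a reader and writer for MIT-format keytabs (version 0x0502), so the principal names and kvno a web server actually holds can be compared with the kvno a client presents in its AP-REQ, and short-hostname SPNs like the one in the question can be spotted before a client ever tries them. The realm CORP.EXAMPLE, host names and key bytes are made up for the sample; the writer exists only to construct that sample in memory. Standard library only.

```python
import struct

# Added example: parse MIT keytab files and check SPN/kvno against an AP-REQ.
# SAMPLE_KEYTAB is built in memory with made-up names and key bytes.

def _cstr(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_entry(principal, realm, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one keytab_entry; principal is 'service/host' (components split on '/')."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _cstr(key)                   # keyblock
    body += struct.pack(">I", kvno)                                   # full 32-bit vno
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, key, timestamp) for live entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _read_cstr(data, pos + 2)
        vno = vno8
        if end - pos >= 4:                # 32-bit vno present after the key
            (vno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "key": key, "timestamp": timestamp})
        pos = end
    return entries

def find_key(entries, principal, kvno):
    """The acceptor-side lookup: None is what surfaces as
    'specified version of key is not available'."""
    for e in entries:
        if e["principal"] == principal and e["kvno"] == kvno:
            return e["key"]
    return None

def unqualified_spns(entries):
    """Host-based SPNs whose host part is not an FQDN (the mistake in the question)."""
    out = []
    for e in entries:
        name = e["principal"].split("@")[0]
        if "/" in name and "." not in name.split("/", 1)[1]:
            out.append(e["principal"])
    return out

# Constructed sample: one entry registered with the short host name, one with the FQDN,
# both at kvno 5 with aes256-cts-hmac-sha1-96 (enctype 18) dummy keys.
SAMPLE_KEYTAB = build_keytab([
    keytab_entry("HTTP/webserver", "CORP.EXAMPLE", 5, 18, bytes(range(32))),
    keytab_entry("HTTP/webserver.corp.example", "CORP.EXAMPLE", 5, 18, bytes(range(32, 64))),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    print("short-name SPNs:", unqualified_spns(ents))
    print("AP-REQ kvno 1 resolvable:", find_key(ents, ents[1]["principal"], 1) is not None)
```

Against a real keytab, `parse_keytab(open(path, "rb").read())` gives the same view as `klist -k -e`; if the kvno in the captured AP-REQ has no match for the exact principal name the client built, the lookup fails the way the question describes, whether the cause is a stale key version or, as here, a differently spelled host part.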

TCP Connections to Postgres Secure? SSL Required?

Good morning,
I was going through the Postgresql configuration files, and recently noticed that there is an ssl option. I was wondering when this is required.
Say if you have an app server and a database server - not running inside a private network. If a user tries to log in, if SSL is not enabled will the app server transmit the user's password in cleartext to the database when looking up if it is a valid username/password?
What is standard practice here? Should I be setting up my DB to use SSL?
If that is the case, is there any difference in the connection settings in config/database.yml in my Rails app?
Thanks!
Like for other protocols, using SSL/TLS for PostgreSQL allows you to secure the connection between the client and the server. Whether you need it depends on your network environment.
Without SSL/TLS the traffic between the client and the server will be visible by an eavesdropper: all the queries and responses, and possibly the password depending on how you've configured your pg_hba.conf (whether the client is using md5 or a plaintext password).
As far as I'm aware, it's the server that requests MD5 or plaintext password authentication, so an active Man-In-The-Middle attacker could certainly downgrade that and get your password anyway, when not using SSL/TLS.
A well-configured SSL/TLS connection should allow you to prevent eavesdropping and MITM attacks, against both passwords and data.
You can require SSL to be used on the server side using sslhost in pg_hba.conf, but that's only part of the problem. Ultimately, just like for web servers, it's up to the client to verify that SSL is used at all, and that it's used with the right server.
Table 31-1 in the libpq documentation summarises the levels of protection you get.
Essentially:
if you think you have a reason to use SSL, disable, allow and prefer are useless (don't take "No" or "Maybe" if you want security).
require is barely useful, since it doesn't verify the identity of the remote server at all.
verify-ca doesn't verify the host name, which makes it vulnerable to MITM attacks.
The one you'll want if security matters to you is verify-full.
These SSL mode names are set by libpq. Other clients might not use the same (e.g. pure Ruby implementation or JDBC).
As far as I can see, ruby-pg relies on libpq. Unfortunately, it only lists "disable|allow|prefer|require" for its sslmode. Perhaps verify-full might work too if it's passed directly. However, there would also need a way to configure the CA certificates.
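
Added example, not part of the answer above: a small pg_hba.conf auditor that flags rules letting remote clients connect without TLS (`host` and `hostnossl` rules) or authenticate with `password`, `md5` or `trust`, and shows the `hostssl` + `scram-sha-256` form beside the weak ones. The configuration text is constructed for the example and is not taken from any real server. Standard library only.

```python
import ipaddress

# Added example: audit pg_hba.conf rules for cleartext transport and weak auth.
# SAMPLE_PG_HBA is a constructed config, not a real deployment's file.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS            METHOD
local     all       all                      peer
host      all       all   127.0.0.1/32       scram-sha-256
host      all       all   0.0.0.0/0          password       # weak: cleartext password, TLS optional
host      app       app   10.0.0.0 255.0.0.0 md5            # old IP + netmask form, TLS optional
hostssl   app       app   0.0.0.0/0          scram-sha-256  # corrected: TLS required, SCRAM auth
hostnossl all       all   ::/0               trust          # TLS forbidden and no authentication
"""

def parse_pg_hba(text):
    """Parse the whitespace-separated record format; one dict per active rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        rule = {"line": lineno, "type": tok[0], "database": tok[1], "user": tok[2]}
        if tok[0] == "local":
            rule["address"], rule["method"] = None, tok[3]
        else:
            addr, nxt = tok[3], 4
            try:                                  # "IP NETMASK" spelled as two columns
                ipaddress.ip_address(addr)
                addr = str(ipaddress.ip_network(f"{addr}/{tok[4]}", strict=False))
                nxt = 5
            except ValueError:
                pass                              # CIDR, hostname or keyword: keep as written
            rule["address"], rule["method"] = addr, tok[nxt]
        rules.append(rule)
    return rules

def is_remote(addr):
    """True if the ADDRESS column can match a client that is not on this host."""
    if addr == "samehost":
        return False
    try:
        return not ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return True                               # 'all', 'samenet' or a hostname

def audit_pg_hba(rules):
    """Return (line, message) findings for rules reachable from the network."""
    findings = []
    for r in rules:
        if r["type"] == "local" or not is_remote(r["address"]):
            continue
        if r["type"] in ("host", "hostnossl"):    # 'host' matches SSL and non-SSL alike
            findings.append((r["line"], f"{r['type']} rule for {r['address']} accepts non-TLS connections; use hostssl"))
        if r["method"] == "password":
            findings.append((r["line"], "method 'password' sends the password in cleartext"))
        elif r["method"] == "md5":
            findings.append((r["line"], "method 'md5' is weaker than scram-sha-256"))
        elif r["method"] == "trust":
            findings.append((r["line"], "method 'trust' performs no authentication at all"))
    return findings

if __name__ == "__main__":
    for line, msg in audit_pg_hba(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"line {line}: {msg}")
```

A `hostssl` rule only makes the server refuse plaintext connections; it does nothing about a client that was redirected to an impostor, which is why the libpq side still needs `sslmode=verify-full` with a CA it trusts.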
Considering data other than the password: whether you use it or not is pretty much a security posture issue. How safe do you need your system to be? If the connection is just over your private network, then anyone on that network can listen in. If that is acceptable, then don't use SSL; I would not enable it. If the connection is over the internet, SSL should be enabled.
As @Wooble says, you should never send the password as cleartext; if you do, you have a problem in the first place. The standard solution in this case is to store a hash in the database and only send the hash for validation.
Here is a link about the Rails part.