mdsecresearch / LyncSniper

LyncSniper: A tool for penetration testing Skype for Business and Lync deployments

Direct login to WLID is not allowed for this federated namespace #2

Closed ghost closed 6 years ago

ghost commented 7 years ago

Hello,

Tried to use it against my o365 setup and I'm getting the error "Direct login to WLID is not allowed for this federated namespace".

Did you run into this issue? Is there anything that can be done?

Full XML Output:

<?xml version="1.0" encoding="utf-8"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
            xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
  <S:Body>
    <S:Fault>
      <S:Code>
        <S:Value>S:Sender</S:Value>
        <S:Subcode>
          <S:Value>wst:FailedAuthentication</S:Value>
        </S:Subcode>
      </S:Code>
      <S:Reason>
        <S:Text xml:lang="en-US">Authentication Failure</S:Text>
      </S:Reason>
      <S:Detail>
        <psf:error>
          <psf:value>0x80048821</psf:value>
          <psf:internalerror>
            <psf:code>0x80047860</psf:code>
            <psf:text>Direct login to WLID is not allowed for this federated namespace</psf:text>
          </psf:internalerror>
        </psf:error>
      </S:Detail>
    </S:Fault>
  </S:Body>
</S:Envelope>

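The response quoted above is a WS-Trust SOAP fault carrying Microsoft's Passport (psf) error detail. A small parser that pulls out the fault code, subcode, reason and the psf error codes lets whoever is reviewing login attempts log why the request was rejected instead of reading the raw XML, and the "federated namespace" text is exactly the signal that the tenant delegates authentication to its own IdP. This is an added example, not code from the issue thread or from the LyncSniper project; it uses only the namespaces visible in the quoted response, and the embedded sample message, the returned field names and the `classify_fault` labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces that appear in the fault quoted in the issue (not assumptions).
NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "psf": "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault",
}

# Constructed sample: the fault body from the issue, rejoined onto one string.
SAMPLE_FAULT = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
    'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
    'xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" '
    'xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">'
    "<S:Body><S:Fault><S:Code><S:Value>S:Sender</S:Value>"
    "<S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code>"
    '<S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>'
    "<S:Detail><psf:error><psf:value>0x80048821</psf:value>"
    "<psf:internalerror><psf:code>0x80047860</psf:code>"
    "<psf:text>Direct login to WLID is not allowed for this federated namespace\n</psf:text>"
    "</psf:internalerror></psf:error></S:Detail></S:Fault></S:Body></S:Envelope>"
)


def parse_soap_fault(xml_text):
    """Return the fault fields as a dict, or None when the envelope carries no S:Fault.

    The field names are chosen for this example; they are not part of any spec.
    """
    # ElementTree is happiest with bytes when the document carries an encoding declaration.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    fault = root.find("S:Body/S:Fault", NS)
    if fault is None:
        return None

    def text(path):
        node = fault.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    return {
        "code": text("S:Code/S:Value"),
        "subcode": text("S:Code/S:Subcode/S:Value"),
        "reason": text("S:Reason/S:Text"),
        "psf_value": text("S:Detail/psf:error/psf:value"),
        "internal_code": text("S:Detail/psf:error/psf:internalerror/psf:code"),
        "internal_text": text("S:Detail/psf:error/psf:internalerror/psf:text"),
    }


def classify_fault(fault):
    """Map a parsed fault to a short label (labels are this example's own convention)."""
    if fault is None:
        return "no-fault"
    # The psf text, not the generic wst subcode, is what identifies a federated tenant.
    if fault["internal_text"] and "federated namespace" in fault["internal_text"]:
        return "federated-namespace"
    if fault["subcode"] == "wst:FailedAuthentication":
        return "failed-authentication"
    return "other"


if __name__ == "__main__":
    parsed = parse_soap_fault(SAMPLE_FAULT)
    for key, value in parsed.items():
        print(f"{key:14s} {value}")
    print("classification:", classify_fault(parsed))
```

The generic `wst:FailedAuthentication` subcode alone does not distinguish a bad password from a tenant that simply refuses direct WLID logins; only the psf `internalerror` text does, which is why the classifier checks that first.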
dmchell commented 7 years ago

I haven't encountered this issue - does your tenant have its own IDP?

ghost commented 7 years ago

Yes, I am using Okta. Any idea on how S4B handles the login process? Otherwise, I'll sniff the communication and see if I can adapt it.

dmchell commented 7 years ago

I haven't come across Okta, but if you have your own IDP you'll need to implement something custom, I suspect, unfortunately. It shouldn't be too complicated - just MITM it like you say, then extend the PowerShell script with a new authenticate method.

dmchell commented 7 years ago

If you get this working, we accept pull requests btw 👍