oetiker / mojolicious-plugin-spnego

Provide SPNEGO NTLM authentication to Mojolicious applications

How to configure for strengthened AD LDAP #6

Closed plk closed 3 years ago

plk commented 3 years ago

How to configure things when AD servers are updated with the GPO policy "Require NTLMv2 session security, Require 128-bit encryption"? This was done recently and the plugin stopped working. I tried to enable TLS and this stops the error which mentions this particular change, but it doesn't work, and I suspect that something needs to be done to address this server change?

oetiker commented 3 years ago

This in itself should be fine ... you just need to use the ldaps:// protocol .. BUT there is a bigger problem which can not be worked around: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023

if you enable LdapEnforceChannelBinding, then AD will verify that the ntlm token is generated by the same process that opened the ssl connection to AD ... and thus will prevent this approach from working.

plk commented 3 years ago

Just to confirm, that means that the SPNEGO plugin can't be used at all if this is enabled server-side?

oetiker commented 3 years ago

The purpose of LdapEnforceChannelBinding is to make sure that the ldap connection originates from the same place as the ntlm token ... this setting will prevent this approach from working ...

I will be looking into porting https://metacpan.org/pod/release/DRUOSO/Catalyst-Authentication-Credential-GSSAPI-v0.0.5/lib/Catalyst/Authentication/Credential/GSSAPI.pm to mojolicious so this should provide an alternate method to achieve sort of the same ... with the limitation that your machine must be set up with Kerberos.
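As an added illustration of the channel-binding check described in the two comments above (it is not code from the plugin): the domain controller recomputes the NTLM channel binding from its own LDAPS certificate and compares it with the MsvAvChannelBindings value inside the NTLMv2 token it receives, so a token the browser built for the web app's connection can never match. The certificate bytes are constructed stand-ins and the "Always" enforcement behaviour is a simplified model.

```python
import hashlib
import struct
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates): the browser
# sees WEB_CERT_DER on HTTPS to the app, the DC presents DC_CERT_DER on the plugin's LDAPS link.
WEB_CERT_DER = b"constructed-der-bytes-for-web-server-cert"
DC_CERT_DER = b"constructed-der-bytes-for-domain-controller-cert"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' binding: a hash of the server certificate.
    Assumes the certificate is signed with SHA-256 (RFC 5929 also maps MD5/SHA-1
    signatures to SHA-256)."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def channel_binding_hash(cert_der: bytes) -> bytes:
    """MsvAvChannelBindings value (MS-NLMP 3.1.5.1.2): MD5 over a
    gss_channel_bindings_struct with empty initiator/acceptor addresses and the
    tls-server-end-point binding as application_data."""
    app_data = tls_server_end_point(cert_der)
    gss_struct = (
        struct.pack("<I", 0)           # initiator_addrtype
        + struct.pack("<I", 0)         # initiator_address length (empty)
        + struct.pack("<I", 0)         # acceptor_addrtype
        + struct.pack("<I", 0)         # acceptor_address length (empty)
        + struct.pack("<I", len(app_data))
        + app_data
    )
    return hashlib.md5(gss_struct).digest()


def dc_accepts_token(token_cbt: Optional[bytes], dc_cert_der: bytes) -> bool:
    """Model of a DC with LdapEnforceChannelBinding set to Always: recompute the
    binding for its own LDAPS certificate and require an exact match. A token
    with no binding (browser on plain HTTP) or a binding for another certificate
    (browser on HTTPS to the web app) is rejected."""
    if token_cbt is None or token_cbt == bytes(16):
        return False
    return token_cbt == channel_binding_hash(dc_cert_der)


# Binding the browser puts in its token for the web app over HTTPS.
relayed_cbt = channel_binding_hash(WEB_CERT_DER)
# Binding a client that opened the LDAPS connection itself would compute.
direct_cbt = channel_binding_hash(DC_CERT_DER)

if __name__ == "__main__":
    print("plain-HTTP browser token:", dc_accepts_token(None, DC_CERT_DER))              # False
    print("HTTPS browser token forwarded:", dc_accepts_token(relayed_cbt, DC_CERT_DER))  # False
    print("direct LDAPS client token:", dc_accepts_token(direct_cbt, DC_CERT_DER))       # True
```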