Unable to bind when DC with ldap signing +channel binding enabled #46

Closed
enj5oy opened this issue Jan 24, 2024 · 15 comments

Comments

@enj5oy

enj5oy commented Jan 24, 2024

Unable to establish a connection using valid credentials when LDAP signing and channel binding are enabled
[screenshot attached: 2024-01-24_22-57]

@BastienFaure
Contributor

BastienFaure commented Jan 25, 2024

I pushed a small change in the code that should give you more insight about why the bind failed. Can you check out the latest version locally and give it another shot?

Most likely, your LDAP server requires you to bind over LDAPS, give it a try by changing your url to ldaps://192.168.0.4, it's just that we did not do a smart job by providing a generic error message.

@enj5oy
Author

enj5oy commented Jan 28, 2024

@BastienFaure
[screenshot attached: 2024-01-28_19-41]

@BastienFaure
Contributor

Check it again, I have added even more verbosity. You should now have an understandable slug on why the bind failed, on top of this verbose error message.

@enj5oy
Author

enj5oy commented Jan 29, 2024

@BastienFaure same error. I believe it is necessary to update the LDAP library, similar to what has been done in the Certipy project (https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/lib/ldap.py#L123)
[screenshot attached: 2024-01-29_22-13]

@BastienFaure
Contributor

It says that you have invalid credentials. How are you authenticating exactly?

@enj5oy
Author

enj5oy commented May 7, 2024

Username + domain + password.
I use correct credentials.

@3ldidi94

Same issue here... I also use correct credentials: domain + username + password and I get the following error message: Unable to bind to the LDAP server: invalidCredentials (80090346: LdapErr: DSID-0C0907FB, comment: AcceptSecurityContext error, data 80090346, v4f7c)
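The error quoted above carries more than "invalidCredentials": the `data` field of an AcceptSecurityContext error is a Windows sub-code, and 80090346 is SEC_E_BAD_BINDINGS (the SSPI channel binding check failed), which is a different failure from 52e (wrong password). The following parser is an added example written for this thread, not code from ldeep or from any commenter; the sample message is the one quoted in the comment above, and the sub-code table is the documented set of AD logon sub-codes plus the two SSPI codes relevant to signing and channel binding.

```python
import re
from typing import Optional

# Constructed sample: the bind error quoted in the comment above.
SAMPLE_ERROR = (
    "Unable to bind to the LDAP server: invalidCredentials "
    "(80090346: LdapErr: DSID-0C0907FB, comment: AcceptSecurityContext error, "
    "data 80090346, v4f7c)"
)

# Sub-codes Active Directory returns in the "data" field of an
# AcceptSecurityContext error. The three-digit ones are genuine account or
# credential problems; the 8-digit ones are SSPI (SEC_E_*) errors and point at
# the security layer (signing / channel binding), not at the password.
DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
    "80090346": "SEC_E_BAD_BINDINGS: channel binding token missing or not matching the TLS channel",
    "80090308": "SEC_E_INVALID_TOKEN: malformed or unsupported security token",
}
CREDENTIAL_CODES = {"525", "52e", "530", "531", "532", "533", "701", "773", "775"}

_BIND_ERROR_RE = re.compile(
    r"(?P<result>\w+) \((?P<code>[0-9A-Fa-f]+): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)\)"
)


def parse_bind_error(message: str) -> Optional[dict]:
    """Split an AD bind error into its fields and classify the 'data' sub-code.

    Returns None when the message is not in the LdapErr format, so callers can
    fall back to the raw text instead of guessing.
    """
    match = _BIND_ERROR_RE.search(message)
    if match is None:
        return None
    fields = match.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = DATA_CODES.get(fields["data"], "unknown sub-code")
    # Only the three-digit logon sub-codes mean the supplied credentials are wrong.
    fields["credentials_problem"] = fields["data"] in CREDENTIAL_CODES
    # SEC_E_BAD_BINDINGS means the DC enforces channel binding and the client
    # did not supply a matching token; retrying the password will not help.
    fields["channel_binding_problem"] = fields["data"] == "80090346"
    return fields


if __name__ == "__main__":
    parsed = parse_bind_error(SAMPLE_ERROR)
    for key, value in parsed.items():
        print(f"{key:24} {value}")
```

Run against the quoted message, the classifier reports `credentials_problem` False and `channel_binding_problem` True, which is the distinction the rest of this thread turns on: the same user and password work over SMB and PowerShell because those clients send a channel binding token, while a client that cannot is rejected at the SSPI layer before the password is ever checked.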

@BastienFaure
Contributor

Are you able to bind to the LDAP server using other tools? If the server returns invalidCredentials, then most likely your credentials are not working, guys. I can't really do anything unless I can reproduce.

@3ldidi94

3ldidi94 commented Jun 2, 2024

I was on a hardened environment that I can't access anymore at the moment, but I was 100% confident about my credentials as the same credz were working with other tools. However, the tools from the impacket framework were not working either. I will try to create a similar lab environment and conduct some tests using ldeep to reproduce the issue, and I will let you know if I am able to reproduce it.

@BastienFaure
Contributor

What tools did work? Do you have an example of a command you ran that completed successfully?

@3ldidi94

3ldidi94 commented Jun 4, 2024

The credentials work through the SMB protocol or using PowerShell on a Windows machine, so it is not an issue regarding credentials but maybe the way the ldap library that manages the ldap connection handles channel binding.

I found this article about the ldap3 lib and channel binding, and the Certipy tool asks to install a patched ldap3 module to have it working:

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error: To use LDAP channel binding, install the patched ldap3 module: pip3 install git+https://github.com/ly4k/ldap3

@enj5oy
Author

enj5oy commented Jun 7, 2024

are you able to bind to the LDAP server using other tools ? If the server returns invalidCredentials, then most likely your credentials are not working guys. I can't really do anything unless I can reproduce.

To reproduce this problem, enable LDAP signing and channel binding on your domain controller.
https://4sysops.com/archives/secure-domain-controllers-with-ldap-channel-binding-and-ldap-signing/

@3ldidi94

I found this customized ldap3 lib for ldap-channel-binding domain controllers (not tested yet, just sharing info that can be useful): customized ldap3 lib

This library is used in another project that must deal with channel binding:
pywerview

From the Readme of the project, we can find this information about dealing with channel-binding:
The version adds this PR by
@ThePirateWhoSmellsOfSunflowers
and this one by @CravateRouge.
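What the patched ldap3 builds adds is the channel binding token itself. The mechanism is standard: the client hashes the server's DER certificate (RFC 5929 "tls-server-end-point"), wraps it in the gss_channel_bindings_struct layout from MS-NLMP and MD5s that into the MsvChannelBindings AV_PAIR of the NTLMv2 response; the DC computes the same value for its own certificate and rejects a mismatch with SEC_E_BAD_BINDINGS (80090346). The block below is an added illustration for this thread, not code from ldeep, the patched ldap3, or pywerview. It assumes SHA-256 as the certificate hash (RFC 5929 requires SHA-256 when the certificate's signature algorithm is MD5 or SHA-1; otherwise the signature's own hash is used), uses byte strings as stand-ins for real DER certificates, and the `dc_decision` function is a deliberately simplified model of the LdapEnforceChannelBinding policy (1 = when supported, 2 = always), not Windows code.

```python
import hashlib
import struct
from typing import Optional


def tls_server_end_point(cert_der: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point binding: a hash of the server's DER certificate.

    Assumption: SHA-256. A real client picks the hash from the certificate's
    signature algorithm, falling back to SHA-256 for MD5/SHA-1 signatures.
    """
    return hashlib.new(hash_name, cert_der).digest()


def gss_channel_bindings_md5(application_data: bytes) -> bytes:
    """MD5 over the gss_channel_bindings_struct as serialised for NTLM.

    Layout (all little-endian 32-bit): initiator addrtype, initiator address
    length, acceptor addrtype, acceptor address length (all zero for LDAP),
    then the application data length followed by the application data bytes.
    The digest is what goes into the MsvChannelBindings AV_PAIR.
    """
    initiator = struct.pack("<II", 0, 0)
    acceptor = struct.pack("<II", 0, 0)
    app_data = struct.pack("<I", len(application_data)) + application_data
    return hashlib.md5(initiator + acceptor + app_data).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """Token a client derives from the certificate it saw on its TLS session."""
    return gss_channel_bindings_md5(b"tls-server-end-point:" + tls_server_end_point(cert_der))


def dc_decision(presented: Optional[bytes], dc_cert_der: bytes, enforce_level: int) -> str:
    """Simplified model (assumption, not Windows code) of the DC-side check.

    enforce_level mirrors LdapEnforceChannelBinding: 0 never checks, 1 checks a
    token only when the client sent one, 2 also rejects clients that send none.
    """
    if enforce_level == 0:
        return "accepted"
    if presented is None:
        return "rejected: 80090346 (no channel binding token)" if enforce_level == 2 else "accepted"
    if presented == channel_binding_token(dc_cert_der):
        return "accepted"
    return "rejected: 80090346 (token does not match this TLS channel)"


# Constructed stand-ins for DER-encoded certificates. A real client would use
# ssl.SSLSocket.getpeercert(binary_form=True) on its LDAPS connection.
DC_CERT = b"constructed-DER-certificate-of-the-domain-controller"
RELAY_CERT = b"constructed-DER-certificate-of-some-other-endpoint"


def scenarios(enforce_level: int = 2) -> dict:
    """The three cases this thread hits, under one enforcement level."""
    return {
        # Client that supports channel binding, talking directly to the DC.
        "direct_with_cbt": dc_decision(channel_binding_token(DC_CERT), DC_CERT, enforce_level),
        # Client library with no channel binding support (the original report).
        "client_without_cbt": dc_decision(None, DC_CERT, enforce_level),
        # Client whose TLS session terminates on a different certificate, so its
        # token is computed over the wrong certificate.
        "different_tls_endpoint": dc_decision(channel_binding_token(RELAY_CERT), DC_CERT, enforce_level),
    }


if __name__ == "__main__":
    for level in (1, 2):
        print(f"LdapEnforceChannelBinding={level}")
        for name, outcome in scenarios(level).items():
            print(f"  {name:24} {outcome}")
```

With enforcement at 2 only the first scenario is accepted; at 1 the token-less client is also accepted, which is why the same tool can work against one domain and fail against a hardened one with identical credentials. Note the token depends only on the server certificate and fixed structure bytes, so it is the same for every bind to that DC; what protects the session is that the DC recomputes it over its own certificate and the NTLMv2 response that carries it is keyed with the user's hash.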

@tiyeuse
Collaborator

tiyeuse commented Jun 25, 2024

PR #86 should solve this issue.

@tiyeuse
Collaborator

tiyeuse commented Jul 11, 2024

Closing this issue.

@tiyeuse tiyeuse closed this as completed Jul 11, 2024