Unable to bind when DC with ldap signing +channel binding enabled #46
Comments
I pushed a small change in the code that should give you more insight about why the bind failed. Can you check out the latest version locally and give it another shot? Most likely, your LDAP server requires you to bind over LDAPS, give it a try by changing your url to |
Check it again, I have added even more verbosity, you should now have an understandable slug on why the bind failed, on top of this verbose error message; |
@BastienFaure same error. I believe it is necessary to update the LDAP library, similar to what has been done in the Certipy project (https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/lib/ldap.py#L123) |
It says that you have invalid credentials. How are you authenticating exactly? |
Username + domain + password. |
Same issue here... I also use correct credentials: domain + username + password and I get the following error message: |
Are you able to bind to the LDAP server using other tools? If the server returns |
I was on a hardened environment that I can't access anymore at the moment but I was 100% confident about my credentials as the same credz were working with other tools. However, the tools from impacket framework were not working either. I will try to create a similar lab environment and conduct some tests using ldeep to reproduce the issue and I will let you know if I am able to reproduce it. |
What tools did work? Do you have an example of a command you ran that completed successfully? |
The credentials work through the SMB protocol or using PowerShell on a Windows machine, so it is not an issue regarding credentials but maybe the way the ldap library manages the ldap connection and should manage channel binding. I found this ldap3 lib and channel binding this article and
|
To reproduce this problem, enable ldaps signing and channel binding in your domain controller. |
I found this customized ldap3 lib for ldap-channel-binding domain controller (not tested yet, just sharing info that can be useful): customized ldap3 lib. This library is used in another project that must deal with channel binding. From the README of the project, we can find this information about dealing with channel-binding: |
PR #86 should solve this issue. |
Closing this issue. |
Unable to establish a connection using valid credentials when LDAP signing and channel binding are enabled