
Wednesday, 21 December 2011

LDAP authentication....

LDAP is primarily a directory access protocol.
It does have a primitive authentication mechanism called a simple bind, in which the username and password are sent in clear text.

However, LDAP also includes an extensible authentication framework called Simple Authentication and Security Layer (SASL).
The rootDSE includes an attribute called supportedSASLMechanisms that lists the SASL mechanisms the server supports.
AD supports Kerberos v5 and NTLM SASL mechanisms:
GSSAPI = Kerberos
GSS-SPNEGO = NT negotiate (so still probably Kerberos).
There are also Digest and External mechanisms (External being used for client certificate authentication).

Kerberos is therefore often used by an application during an LDAP bind operation.

Apparently scripts using GetObject("LDAP://...") also use GSS-SPNEGO authentication with the current user's credentials, so will use Kerberos where possible, though I have not tested this myself.
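The following PowerShell is an added example, not code from the original post. It reads the rootDSE attribute supportedSASLMechanisms described above and then performs a bind that pins the GSSAPI (Kerberos) mechanism, so the directory is never sent a clear-text password. The domain controller name dc01.example.test is a placeholder; the [ADSI] accessor binds the same way GetObject("LDAP://...") does, with the current user's Negotiate credentials.

```powershell
# Added example (not from the original post): list advertised SASL mechanisms
# and bind with Kerberos explicitly. Host name below is a placeholder.

function Get-LdapSaslMechanisms {
    param([Parameter(Mandatory)][string]$Server)

    # [ADSI] binds with the current user's Negotiate credentials, like
    # GetObject("LDAP://..."); RootDSE exposes supportedSASLMechanisms.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $mechs   = @($rootDse.supportedSASLMechanisms)

    [PSCustomObject]@{
        Server         = $Server
        Mechanisms     = $mechs
        OffersKerberos = [bool]($mechs -contains 'GSSAPI')
        OffersSpnego   = [bool]($mechs -contains 'GSS-SPNEGO')
        OffersExternal = [bool]($mechs -contains 'EXTERNAL')
    }
}

function Test-LdapKerberosBind {
    param([Parameter(Mandatory)][string]$Server)

    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    try {
        # AuthType.Kerberos pins the mechanism: unlike Negotiate it does not
        # fall back to NTLM, and unlike Basic it never sends a clear-text password.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
        $conn.SessionOptions.Signing = $true   # SASL integrity protection
        $conn.SessionOptions.Sealing = $true   # SASL confidentiality (encryption)
        $conn.Bind()                            # uses the logged-on user's ticket
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Kerberos bind to $Server failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholder host):
$dc = 'dc01.example.test'
Get-LdapSaslMechanisms -Server $dc | Format-List
if (Test-LdapKerberosBind -Server $dc) { 'Kerberos SASL bind succeeded' }
```

Pinning AuthType to Kerberos is the useful part when auditing an application: a Negotiate bind that silently dropped to NTLM or a Basic (simple) bind looks identical from the script's point of view, whereas this call fails loudly if a Kerberos ticket cannot be obtained.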

Thursday, 4 February 2010

Old password still valid for an hour

Not sure why I haven't blogged this one before.

With Windows Server 2003 SP1, MS decided to modify NTLM authentication behaviour (this also affects LDAP authentication) so that a user can keep using their old password for an hour after it has been changed to access the network.
This is to allow things like service accounts to still be able to log in while the new password propagates.
However, I've never been convinced that the case is there (why does Kerberos not need it?).

To disable this feature, create or modify the DWORD value HKLM\System\CurrentControlSet\Control\LSA\OldPasswordAllowedPeriod.
Setting it to 0 disables the use of old passwords.
If the value is not present in the registry, the default of 60 minutes is used.

See KB906305 for further details.
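As an added example (not from the original post), the PowerShell below audits the OldPasswordAllowedPeriod value described above, reporting the effective window (60 minutes when the value is absent, as the post notes), and provides a function that sets it to 0. It is meant to be run on the domain controllers, since that is where NTLM password validation for domain accounts takes place.

```powershell
# Added example (not from the original post): audit and disable the
# OldPasswordAllowedPeriod grace window described in KB906305.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the default 60-minute window applies.
        $minutes = 60
        $source  = 'default (value not set)'
    }
    else {
        $minutes = [int]$item.$ValueName
        $source  = 'registry'
    }
    [PSCustomObject]@{
        Computer            = $env:COMPUTERNAME
        Minutes             = $minutes
        Source              = $source
        OldPasswordAccepted = ($minutes -gt 0)
    }
}

function Disable-OldPasswordAllowedPeriod {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Set DWORD to 0')) {
        # -Force creates the value when missing and overwrites it when present.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Return the post-change state so the caller can verify it.
    Get-OldPasswordAllowedPeriod
}

# Audit first; the change itself supports -WhatIf / -Confirm.
Get-OldPasswordAllowedPeriod
# Disable-OldPasswordAllowedPeriod -WhatIf
```

Because the function treats a missing value as 60 minutes rather than as "not configured", an audit across several domain controllers shows the real exposure window on each, not just which ones have an explicit setting.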