Wednesday, 21 December 2011

LDAP authentication....

LDAP is primarily a directory access protocol.
It does have a primitive authentication mechanism called a simple bind, where the username and password are sent in clear text.

However, LDAP also includes an extensible authentication framework called Simple Authentication and Security Layer (SASL).
The rootDSE includes an attribute called supportedSASLMechanisms that lists the SASL mechanisms the server supports.
AD supports Kerberos v5 and NTLM as SASL mechanisms:
GSSAPI = Kerberos
GSS-SPNEGO = Negotiate (so still Kerberos where possible, with NTLM as the fallback).
There are also DIGEST-MD5 and EXTERNAL, the latter being used for client certificate authentication.

Kerberos is therefore often what an application ends up using during an LDAP bind operation.

Apparently scripts using GetObject("LDAP://...") also use GSS-SPNEGO authentication with the current user's credentials, so they will use Kerberos where possible, though I have not tested this myself.

Thursday, 15 December 2011

Unreliability of logonserver variable

When referencing this variable, be aware that it is set at logon and not updated afterwards, so it may not show which DC the secure channel is currently established with.
So, you may log on and find that the initial logon is against DC2. However, at some point during the session, the secure channel may be re-established with DC1, and the logonserver variable will not be updated to reflect this.
Therefore, nltest /sc_query:<domain> is far more reliable.
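As an added check (not from the original post), this PowerShell snippet compares the stale LOGONSERVER variable with the DC that nltest reports for the current secure channel. It assumes a domain-joined session where USERDNSDOMAIN is set and that nltest prints a "Trusted DC Name \\<dc>" line.

```powershell
# Added example: detect when $env:LOGONSERVER no longer matches the
# DC that actually holds the secure channel (per nltest /sc_query).
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw "USERDNSDOMAIN is not set; is this a domain-joined session?" }

# nltest output is expected to contain a line such as:
#   Trusted DC Name \\DC1.example.local
$output = & nltest /sc_query:$domain 2>&1
if ($LASTEXITCODE -ne 0) { throw "nltest failed:`n$($output -join "`n")" }

$match = $output |
    Select-String -Pattern '^\s*Trusted DC Name\s+\\\\(\S+)' |
    Select-Object -First 1
if (-not $match) { throw "Could not find 'Trusted DC Name' in nltest output" }

# Normalise both names to a bare, lower-case host name: drop the leading
# \\ and any DNS suffix so DC1 and DC1.example.local compare equal.
$scDc    = $match.Matches[0].Groups[1].Value.Split('.')[0].ToLower()
$logonDc = ($env:LOGONSERVER -replace '^\\\\', '').Split('.')[0].ToLower()

[pscustomobject]@{
    LogonServerVariable = $logonDc
    SecureChannelDc     = $scDc
    Stale               = ($logonDc -ne $scDc)
}
```

A Stale value of True means the session has since moved its secure channel to a different DC than the one LOGONSERVER still reports.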