C# LDAP SSL Logon issue on F5 VIP name when LdapEnforceChannelBinding=1 or 2


I have C# Windows Form application to test the LDAP SSL authentication. Here is the code. First, I made a function.

    using System.DirectoryServices;

    private bool VerifyDomainUserUsignLDAP(string UserName, string Password, string Domain, string mode, out string message)
    {
        bool retVal = false;
        message = null;
        DirectoryEntry de;

        try
        {
            if (mode == "Plain")
                // plain mode
                de = new DirectoryEntry(Domain, UserName, Password);
            else
                // SSL mode
                de = new DirectoryEntry(Domain, UserName, Password,
                    AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer);

            // The bind only happens when the entry is actually used, so run a search to force it.
            DirectorySearcher ds = new DirectorySearcher(de);
            SearchResult sr = ds.FindOne();

            lblResult.Text = "Authentication Passed! " + sr.ToString();
            retVal = true;
        }
        catch (Exception ex)
        {
            retVal = false;
            message = ex.Message;   // also hand the failure back through the out parameter
            lblResult.Text = ex.Message;
        }
        return retVal;
    }

My problem is the invocation.

Let me share some background first. We have multiple domain controller servers (Windows). dcserver001.mydomain.com is one of them (of course, we also have dcserver002.mydomain.com, dcserver003.mydomain.com, etc.). Each server provides the LDAPS service. We created a VIP name, ldap.mydomain.com, in F5 (load balancer) and put all of the above DC servers into the load balancer. All DC servers are Windows servers.

Some days ago, I used the following line to invoke the above function for LDAP authentication on the VIP name, ldap.mydomain.com. For example:

    VerifyDomainUserUsignLDAP("mydomain\\myuserid", "mypassword",
        @"LDAP://ldap.mydomain.com", "SSL", out Message);

It always worked fine and the user was authenticated.

However, some days ago, our LDAP service team made a registry change (LdapEnforceChannelBinding) on each LDAP server to enhance security, based on the MS suggestion.

In short, they changed the following key value from 0 to 2. Path: HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/NTDS/Parameters, Key: LdapEnforceChannelBinding

Here is the detail page about the setting on the MS web site: "Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure", https://support.microsoft.com/en-hk/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

After that, I noticed that my above function stopped working.

I.e. if I use the same line to invoke the above function for LDAP authentication, for example:

    VerifyDomainUserUsignLDAP("mydomain\\myuserid", "mypassword",
        @"LDAP://ldap.mydomain.com", "SSL", out Message);

it always returned the exception "Logon failure: unknown user name or password." (I promise the password and user name were correct.)

Then, I did further investigation.

I tried to use the following line to invoke the above function for LDAP authentication on an individual DC server, e.g. dcserver001.mydomain.com:

    VerifyDomainUserUsignLDAP("mydomain\\myuserid", "mypassword",
        @"LDAP://dcserver001.mydomain.com", "SSL", out Message);

It worked fine as well.

I actually tested all the individual DC servers one by one; they were all working.

So, it looks like the LDAP request with the same invocation parameters works well on the individual DC servers, but it doesn't work on the VIP name.

Then, I asked the LDAP server team to roll back the LdapEnforceChannelBinding change to value 0. Then I re-tested LDAP against both an individual server and the VIP name; both worked.

I checked with our network team and got some more information, as follows. They said this won't work with LDAPS VIPs because the SSL channel from the client is terminated on the F5 and re-established to the DC. The reason why it works directly to the DC is because it is one continuous packet. The update addresses this vulnerability by incorporating support for the Extended Protection for Authentication security feature, which allows the LDAP server to detect and block such forwarded authentication requests once enabled.

What I need help with is this: has anyone here encountered a similar LDAP SSL logon issue against an F5 VIP with the LdapEnforceChannelBinding registry value = 1 or 2? If the LdapEnforceChannelBinding registry value is 1 or 2 on the LDAP servers, what changes need to be made to resolve the above LDAPS logon issue?

Thanks a lot!

Jun


There are 0 answers
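As an added example (not code from the question or from any answer), a small System.DirectoryServices.Protocols console program that performs the same LDAPS bind against the VIP and against each DC and records which server certificate each endpoint presents. Under channel binding enforcement the client's binding token is a hash of the server certificate it received, so a VIP that presents a different certificate than the DCs is a direct check for the TLS termination the network team described. Host names are the ones from the question (dcserver002 is assumed to exist as the question says); the credential values are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example (not the original poster's code): bind over LDAPS to the VIP and to each DC
// with the same credential and record which server certificate each endpoint presents.
static class LdapsBindProbe
{
    public sealed class ProbeResult
    {
        public string Host;
        public bool BindOk;
        public string Thumbprint;  // SHA-1 thumbprint of the certificate the endpoint presented
        public string Error;
    }
    public static ProbeResult Probe(string host, NetworkCredential cred)
    {
        var r = new ProbeResult { Host = host };
        var id = new LdapDirectoryIdentifier(host, 636, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(id, cred, AuthType.Negotiate))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;
            // Capture the presented certificate; chain validation stays in force via Verify().
            conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
            {
                var x = new X509Certificate2(cert);
                r.Thumbprint = x.Thumbprint;
                return x.Verify();
            };
            try { conn.Bind(); r.BindOk = true; }
            catch (DirectoryException ex) { r.Error = ex.Message; }
        }
        return r;
    }
    static void Main()
    {
        // Placeholder credential; host names are the ones from the question.
        var cred = new NetworkCredential("myuserid", "mypassword", "mydomain");
        var hosts = new[] { "ldap.mydomain.com", "dcserver001.mydomain.com", "dcserver002.mydomain.com" };
        var results = hosts.Select(h => Probe(h, cred)).ToList();
        foreach (var r in results)
            Console.WriteLine($"{r.Host,-26} bind={(r.BindOk ? "OK" : "FAIL")} cert={r.Thumbprint ?? "-"} {r.Error}");
        var dcCerts = results.Skip(1).Select(x => x.Thumbprint).ToList();
        if (results[0].Thumbprint != null && !dcCerts.Contains(results[0].Thumbprint))
            Console.WriteLine("VIP presents a certificate no DC presents: TLS is being terminated before the DC.");
    }
}
```

If the VIP's thumbprint matches the DCs' and the bind still fails only through the VIP, the certificate is not the differing factor and the load balancer's TLS handling needs to be examined another way.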