Re: Oh.... I'm just wondering who's seen this stumper...



Regarding the encrypted traffic, based on what you said before, it looks
like they are using Windows SASL bind (GSS-SPNEGO provider) for auth, so
they are probably using SSPI encryption as well (not SSL). Can you get the
tool to disable that? Perhaps they have a config setting that allows it to
be turned off. It is just a flag you pass to the LDAP API.

That would explain why you only see the bind traffic.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
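Added example, not code from the thread or its participants: the flag Joe describes, expressed as session options on System.DirectoryServices.Protocols so the LDAP operations after a SASL (GSS-SPNEGO) bind are readable in a Netmon/Ethereal trace instead of showing as "GSS-API encrypted payload". Assumes PowerShell 5 or later on a domain-joined host against a lab DC; the server name and base DN are placeholders.

```powershell
# Added example (not from the thread). Binds with SASL/Negotiate (GSS-SPNEGO)
# through System.DirectoryServices.Protocols. By default SSPI then signs and
# seals every later LDAP PDU, which is why a trace shows only the bind and
# encrypted payload afterwards. With -DisableSealing the session options are
# cleared before Bind(), so the searches that follow are visible in the trace.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-LdapForTrace {
    param(
        [Parameter(Mandatory)] [string] $Server,   # placeholder lab DC, e.g. dc01.lab.example
        [switch] $DisableSealing                   # omit to keep the default SSPI seal
    )
    $ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn  = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # SASL GSS-SPNEGO bind
    $conn.SessionOptions.ProtocolVersion = 3
    if ($DisableSealing) {
        # Same effect as the LDAP_OPT_SIGN / LDAP_OPT_ENCRYPT options on wldap32.
        # A DC whose "LDAP server signing requirements" policy is set to
        # "Require signing" rejects such a session, so use this only on a lab DC.
        $conn.SessionOptions.Signing = $false
        $conn.SessionOptions.Sealing = $false
    }
    $conn.Bind()   # the credential exchange itself stays inside Kerberos/NTLM
    return $conn
}

# Run once with and once without -DisableSealing while capturing tcp port 389,
# then compare what appears after the bindResponse in each trace.
$conn = Connect-LdapForTrace -Server 'dc01.lab.example' -DisableSealing
$req  = [System.DirectoryServices.Protocols.SearchRequest]::new('DC=lab,DC=example', '(objectClass=domainDNS)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'name')
$conn.SendRequest($req).Entries | ForEach-Object { $_.DistinguishedName }
$conn.Dispose()
```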
"Joe_SMS" <jw_nagy@xxxxxxxxxxx> wrote in message
news:1154376194.707814.203110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Joe..... I turned the capture up to capture everything from
everyone.... at the time of the failure audit... I see nothing about
errors.... just bind request, dn-null and bind result... then all the
other ldap stuff in between.


Joe_SMS wrote:
I caught one....I thought but all the entries for the time of the
failure audit.... only msgid= messages I see are bind requests and bind
results... at the time of the failure audit. Nothing about the error.
TCP port 389 right? I see the ldap gss-api encrypted payload. ldap
[ack] bull crap, Shouldn't it be the same time to the second of the
failure audit??? what am I missing. Now that I've caught them... I
don't see it in the trace....


Joe Richards [MVP] wrote:
Yeah that can suck. You might want to look at Ethereal, overall a
considerably better trace and trace analysis utility.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Joe_SMS wrote:
What an idiot... I forgot to raise the netmon buffer and missed 2
opportunities.... now I think I'm ready if I can get it to happen
again.... They still think it's permissions..



Joe_SMS wrote:
Damn... I caught a failure audit. Per Joe's instructions, I filtered
the capture to tcp port 389, but there's nothing in the trace at the
same time as the failure audit or any clue of an error. The failure
again was on 3 attributes it does have write access to. It was
followed by another "write self" failure audit...

what happened to netmon.... it was running for an hour.... when I saw
the failure audit. I stopped and saved the capture.... all the capture
contained was data AFTER the failure....damn... how'd that happen



Joe Kaplan (MVP - ADSI) wrote:
Nope, not me. Popular name though. There's another Joe Kaplan at my
company and at least 10 more in my city's phone book (not a small city,
granted...).

I'm also not Joe Richards, although I too am the author on a book about AD.
Mine is really a programming book targeting .NET developers though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe_SMS" <jw_nagy@xxxxxxxxxxx> wrote in message
news:1154370398.688339.73710@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If I had his code...oh I wish.... I'm just now begging them to run it
so I can capture it... I'm set up. You guys will see it as soon as I
do. He's driving me whack. Joe... are you the Joe that works/worked
at the VA? curious, name seems familiar.

Thanks

Joe Kaplan (MVP - ADSI) wrote:
It does with a simple bind. This is actually a requirement of the LDAP V3
spec.

It won't work with a secure (SASL) bind. You can try this in LDP to see how
it works.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message
news:OBs5i$EtGHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
In news:uHDZKSosGHA.3832@xxxxxxxxxxxxxxxxxxxx,
Joe Richards [MVP] <humorexpress@xxxxxxxxxxx> stated, which I commented on
below:
There won't be a requirement to auth with say the UPN as any of the
credential mechanisms will result in the same token, however, if say
for instance the userid is specified with a blank password they would
be authenticated as anonymous.
Thanks Joe. I didn't realize a blank password constitutes an anonymous
attempt.

Ace







