Re: Help Understanding LDAP Variants
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 31 Dec 2006 18:39:07 -0600
Yep, that is SSPI encryption. It is also supported using NTLM auth on
Windows Server 2003 (and on Windows XP as the client OS where this feature
was introduced). I'm not sure about non-MS LDAP support for it, but I'm
glad to hear that it can be made to work at least with Kerberos. That's
cool. :)
There is also a complementary signing/integrity feature built into this. In
newer versions, many of the MS tools are starting to take advantage of this
feature by default.
The nice thing about this feature is that it is built into Windows, so it
doesn't require the deployment of SSL certificates like SSL does.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Nelson" <paulnelsontx@xxxxxxxxx> wrote in message
news:C1BD7B07.575A9%paulnelsontx@xxxxxxxxxxxx
One other thing. You can get encrypted LDAP without using SSL by using
Kerberos. Using open ldap and cyrus SASL, I have made this work.
Paul Nelson
Thursby Software Systems, Inc.
in article OrEKLJDLHHA.1008@xxxxxxxxxxxxxxxxxxxx, Joe Kaplan at
joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx wrote on 12/30/06 10:47 AM:
The other thing I'd add is that none of the MS tools use LDAPS by default
because by default, DCs don't have SSL certs installed that enable LDAPS.
The domain admin must actually do something to provision those certs.
Many applications can use LDAPS, including some MS tools, but it is not
usually an expected thing.
Some third party applications essentially require LDAPS for security
purposes because they cannot use the AD secure binding protocol that uses
Kerberos or NTLM to authenticate and instead rely on LDAP simple bind which
passes credentials in plaintext.
Joe K.
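The two bind flavours discussed above (Joe's "secure binding protocol" over Kerberos/NTLM, and the LDAP simple bind that sends the password in the clear) are easy to tell apart on the wire. The following decoder is an added example written for this page, not code posted by Joe Kaplan or Paul Nelson, and it uses only the Python standard library. It hand-encodes two LDAPv3 BindRequest PDUs as described in RFC 4511 (the DN, password and NTLMSSP token bytes are constructed sample values, not captured traffic), then parses them back with a minimal BER reader and reports what an on-path observer would learn. Note that the SSPI/GSSAPI sign-and-seal layer Joe describes is negotiated inside the SASL mechanism after the bind, so the parser only shows that the password itself never appears in a SASL bind; it does not show the encryption layer.

```python
"""Tell a plaintext LDAP simple bind from a SASL (GSSAPI / GSS-SPNEGO) bind
by decoding the BindRequest PDU (RFC 4511, hand-rolled BER, stdlib only).

BER tags used:
  0x30 SEQUENCE            0x02 INTEGER             0x04 OCTET STRING
  0x60 [APPLICATION 0] BindRequest (constructed)
  0x80 [0] simple password (primitive)
  0xA3 [3] SaslCredentials (constructed)
"""


def _encode_len(n: int) -> bytes:
    """BER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest with AuthenticationChoice = simple (password in the clear)."""
    body = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))


def build_sasl_bind(msg_id: int, mechanism: str, token: bytes = b"") -> bytes:
    """BindRequest with AuthenticationChoice = sasl (Kerberos/NTLM carry the creds)."""
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, token) if token else b"")
    body = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))


def _read_len(buf: bytes, i: int):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is not allowed in LDAP")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _read_tlv(buf: bytes, i: int):
    """Return (tag, value, index after this TLV); raises on truncation."""
    tag = buf[i]
    length, j = _read_len(buf, i + 1)
    end = j + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[j:end], end


def parse_bind_request(pdu: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest; ignore trailing controls."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, i = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, i)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, i = _read_tlv(body, 0)
    _, name, i = _read_tlv(body, i)
    tag, auth, _ = _read_tlv(body, i)
    info = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode(errors="replace"),
    }
    if tag == 0x80:
        # The password is an OCTET STRING: readable by anyone on the path
        # unless the whole session is wrapped in TLS (LDAPS / StartTLS).
        info.update(auth="simple", password=auth.decode(errors="replace"))
    elif tag == 0xA3:
        _, mech, j = _read_tlv(auth, 0)
        info.update(auth="sasl", mechanism=mech.decode(), has_credentials=j < len(auth))
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{tag:02x}")
    return info


def bind_exposure(info: dict, tls_wrapped: bool) -> str:
    """What an on-path observer learns from this bind."""
    if info["auth"] == "simple":
        if info["password"] == "":
            return "anonymous simple bind: no credential sent"
        if tls_wrapped:
            return "simple bind inside TLS: password protected by TLS only"
        return "simple bind in the clear: password visible on the wire"
    return f"SASL {info['mechanism']} bind: password never sent, mechanism carries the credential"


if __name__ == "__main__":
    # Constructed sample PDUs (not real captures).
    simple = build_simple_bind(1, "CN=svc-ldap,OU=Service,DC=corp,DC=example", "hunter2")
    sasl = build_sasl_bind(2, "GSS-SPNEGO", b"NTLMSSP\x00\x01\x00\x00\x00")
    for pdu in (simple, sasl):
        info = parse_bind_request(pdu)
        print(info, "->", bind_exposure(info, tls_wrapped=False))
```

Run it against a pcap by feeding each TCP payload on port 389 to parse_bind_request(); anything that comes back as a non-anonymous simple bind on a connection that did not do StartTLS is exactly the plaintext credential exposure the message above warns about.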