Why doesn't Microsoft mention anywhere the effect of Channel Binding enforcement on Simple Bind authentications over LDAPS?
I ran some internal tests with LDP.exe and other applications, and it looks like as long as I'm using LDAPS, channel binding doesn't have any impact on simple authentication requests, even though the CBT is not sent when using Simple Bind.
My test environment included the following setup -
1. A server with LDP tool installed
2. A domain controller configured to enforce signing and channel binding
3. A load balancer configured as "SSL Bridging" acting as a proxy to simulate a MITM.
With simple bind over SSL, everything worked (no CBT is sent in that case, so the connection is potentially vulnerable to MITM attacks).
With SASL binds the channel binding token was sent as part of the internal authentication mechanism that was used -
With NTLM the CBT is a hash derived from the server certificate (TLS certificate) and is sent as part of the NTLM response attributes
With DIGEST the CBT is also a hash derived from the server certificate and is sent as part of the digest information sent to the server
With Kerberos I think that the CBT is the requested SPN
SASL layer by itself doesn't include any CBT. It's the underlying protocols/mechanisms that are implemented within SASL that send the CBT.
So my conclusion is that Microsoft enforces Channel Binding only for SSPI authentication.
Simple Binds don't use any SSP; it's just a plain username and password, so the underlying mechanism on the server side that authenticates simple binds doesn't enforce channel binding.
Can anyone confirm or correct what I just said?
I'll be glad to see some formal Microsoft documents on that.
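As an added illustration of the point made in the post (this is example code, not the poster's test tooling and not anything from Microsoft), the block below shows where a channel binding token can and cannot appear. It derives the tls-server-end-point binding from a server certificate the way RFC 5929 describes it, wraps it in the GSS channel-bindings structure that NTLM hashes into its MsvAvChannelBindings AV pair (the field layout used here is my reading of MS-NLMP and is an assumption), and, for contrast, encodes an LDAP simple BindRequest, whose BER grammar has no element that could carry such a token. The certificate bytes are a constructed stand-in, not a real DER certificate.

```python
import hashlib
import struct

# Constructed stand-in for a DER-encoded server certificate (NOT a real
# certificate); in a real check you would pass the DER bytes of the
# certificate the client saw in the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample-cert"


def rfc5929_hash_name(signature_algorithm: str) -> str:
    """Choose the hash for tls-server-end-point (RFC 5929 section 4.1):
    certificates signed with MD5 or SHA-1 are hashed with SHA-256, otherwise
    the certificate's own signature hash is used."""
    alg = signature_algorithm.lower()
    if "md5" in alg or "sha1" in alg:
        return "sha256"
    for name in ("sha256", "sha384", "sha512"):
        if name in alg:
            return name
    raise ValueError(f"unsupported signature algorithm: {signature_algorithm}")


def tls_server_end_point(cert_der: bytes, signature_algorithm: str) -> bytes:
    """The channel binding data itself: a hash of the server certificate."""
    return hashlib.new(rfc5929_hash_name(signature_algorithm), cert_der).digest()


def gss_channel_bindings_struct(application_data: bytes) -> bytes:
    """Serialize the GSS channel-bindings struct as NTLM/SSPI hashes it
    (assumed layout): initiator address type, initiator address length,
    acceptor address type, acceptor address length (all zero), then the
    application data length and the application data."""
    header = struct.pack("<IIII", 0, 0, 0, 0)
    return header + struct.pack("<I", len(application_data)) + application_data


def ntlm_channel_bindings(cert_der: bytes, signature_algorithm: str) -> bytes:
    """Value of the NTLM MsvAvChannelBindings AV pair: MD5 over the
    channel-bindings struct carrying 'tls-server-end-point:' + cert hash.
    This is what a DC enforcing channel binding compares against the
    certificate it actually served."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, signature_algorithm)
    return hashlib.md5(gss_channel_bindings_struct(app_data)).digest()


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with short-form length (enough for this demo)."""
    if len(content) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(content)]) + content


def ldap_simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    The authentication choice for a simple bind is a bare OCTET STRING; there
    is no field in which a channel binding token could travel."""
    if not 0 <= message_id < 128:
        raise ValueError("single-byte messageID only in this demo")
    bind = (_ber(0x02, b"\x03")               # version INTEGER 3
            + _ber(0x04, dn.encode())         # name LDAPDN
            + _ber(0x80, password.encode()))  # authentication [0] simple
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, bind))


if __name__ == "__main__":
    print("NTLM CBT:", ntlm_channel_bindings(SAMPLE_CERT_DER, "sha256WithRSAEncryption").hex())
    print("simple bind:", ldap_simple_bind_request(1, "cn=user,dc=example", "pw").hex())
```

The practical consequence for a defender matches the post: a DC can only validate a binding the client sent, so for simple binds the protection has to come from elsewhere (not issuing them over an untrusted path, strict certificate validation on the client, or moving those clients to SASL mechanisms that carry the token).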