Windows DC reports event ID 3039 or 3075 with "Try Channel Binding For AD LDAP Connections" enabled

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 2,040

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9
CIFS/SMB
LDAPS or START-TLS
Channel Binding

Issue

Starting ONTAP 9.10.1 support for channel-binding for AD-LDAP over TLS was introduced
Try Channel Binding For AD LDAP Connections is enabled by default.

cluster1::> cifs security show -vserver svm1

Vserver: svm1

Kerberos Clock Skew: - minutes Kerberos Ticket Age: - hours Kerberos Renewal Age: - days Kerberos KDC Timeout: - seconds Is Signing Required: - Is Password Complexity Required: - Use start_tls for AD LDAP connection: false Is AES Encryption Enabled: false LM Compatibility Level: lm-ntlm-ntlmv2-krb Is SMB Encryption Required: - Client Session Security: none SMB1 Enabled for DC Connections: false SMB2 Enabled for DC Connections: system-default LDAP Referral Enabled For AD LDAP connections: false Use LDAPS for AD LDAP connection: true Encryption is required for DC Connections: false AES session key enabled for NetLogon channel: false Try Channel Binding For AD LDAP Connections: true

In this scenario, even with channel binding enabled, the Windows DC still reports event ID 3039:

The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.

Event ID 3075 can also be reported :

The following client performed an LDAP bind over SSL/TLS and did not provide Channel Binding Information. When this directory server is configured to enforce validation of Channel Binding Tokens, this bind operation will be rejected. Client IP address: 10.0.0.1:46863 Identity the client attempted to authenticate as: DOMAIN\USERNAME$ Client supports channel binding:FALSE Client permitted in when supported mode:TRUE Audit result flags:0x42 For more details and information on channel binding token validation for LDAPS, please see https://go.microsoft.com/fwlink/?linkid=2102405. > "The following client performed an LDAP bind over SSL/TLS and did not provide > Channel Binding Information. When this directory server is configured to > enforce validation of Channel Binding Tokens, this bind operation will be > rejected."

Extract from SECD.LOG during the 3075 event show the channel binding is not occurring :

debug: Connecting to LDAP (Active Directory) server ldap.domain.com (10.0.0.4) { in addStartConnectionLog() at src/connection_manager/secd_connection_manager.cpp:525 } debug: Initializing for LDAPS { in ldapInitialize() at src/connection_manager/secd_connection.cpp:2311 } debug: Attemping a SASL bind as "USERNAME$@DOMAIN.COM" { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:981 } debug: Creating SPN using serverRealm [ASBNET.AT] { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1026 } debug: LDAP security level is NONE, attempting bind using SPNEGO { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1061 } debug: Found matching cache 'cc:C:26:0' { in secd_ccache_resolve() at src/utils/secd_krb_ccache.cpp:1052 } info : [krb5 context 165AF200] Getting credentials USERNAME$@DOMAIN.COM -> cifs/ldap.domain.com@ using ccache NETAPPCC:cc:C:26:0