C# code:

public void bindWithMs(string ldapServer, int ldapPort, string ldapUser, string ldapPassword)
{
    var ldap = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(ldapServer, ldapPort);
    using (var connection = new System.DirectoryServices.Protocols.LdapConnection(ldap))
    {
        // Negotiate selects Kerberos or NTLM through SPNEGO; on the wire this is the GSS-SPNEGO SASL mechanism.
        connection.AuthType = System.DirectoryServices.Protocols.AuthType.Negotiate;
        connection.Timeout = TimeSpan.FromSeconds(120);
        connection.SessionOptions.ProtocolVersion = 3;
        // Ask for integrity (signing) and confidentiality (sealing) on the session.
        connection.SessionOptions.Signing = true;
        connection.SessionOptions.Sealing = true;
        connection.Credential = new System.Net.NetworkCredential(ldapUser, ldapPassword);
        connection.Bind();
    }
}
SASL bind requires the name to be in the form {user}@{domain}:
-c -l -s "192.168.0.123" -p "389" -u "Administrator@my.local" -w "1234@abc"
Wireshark:

LDAP Request:
Lightweight Directory Access Protocol
LDAPMessage bindRequest(3) "<ROOT>" sasl
messageID: 3
protocolOp: bindRequest (0)
bindRequest
version: 3
name: <MISSING>
authentication: sasl (3)
sasl
mechanism: GSS-SPNEGO
credentials: 4e544c4d5353500001000000b78208e2000000000000000000000000000000000a00614a0000000f
GSS-API Generic Security Service Application Program Interface
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
Negotiate Flags: 0xe20882b7, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Extended Session Security, Negotiate Always Sign, Negotiate NTLM key, Negotiate Lan Manager Key, Negotiate Seal, Negotiate Sign
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate Version: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Request Non-NT Session Key: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
.... .... .... 1... .... .... .... .... = Negotiate Extended Session Security: Set
.... .... .... .0.. .... .... .... .... = Negotiate 0x00040000: Not set
.... .... .... ..0. .... .... .... .... = Target Type Server: Not set
.... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
.... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
.... .... .... .... .... .... 1... .... = Negotiate Lan Manager Key: Set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
.... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
Calling workstation domain: NULL
Calling workstation name: NULL
Version 10.0 (Build 19041); NTLM Current Revision 15
Major Version: 10
Minor Version: 0
Build Number: 19041
NTLM Current Revision: 15
[Response In: 15452]
Response:
Lightweight Directory Access Protocol
LDAPMessage bindResponse(4) success
messageID: 4
protocolOp: bindResponse (1)
bindResponse
resultCode: success (0)
matchedDN: <MISSING>
errorMessage: <MISSING>
serverSaslCreds: <MISSING>
[Response To: 15453]
[Time: 1.024000 milliseconds]
I tried to switch signing off with the following C# code:
connection.SessionOptions.Signing = false;
but Wireshark still shows it on:
Lightweight Directory Access Protocol
LDAPMessage bindRequest(3) "<ROOT>" sasl
messageID: 3
protocolOp: bindRequest (0)
bindRequest
version: 3
name: <MISSING>
authentication: sasl (3)
sasl
mechanism: GSS-SPNEGO
credentials: 4e544c4d5353500001000000978208e2000000000000000000000000000000000a00614a0000000f
GSS-API Generic Security Service Application Program Interface
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
Negotiate Flags: 0xe2088297, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Extended Session Security, Negotiate Always Sign, Negotiate NTLM key, Negotiate Lan Manager Key, Negotiate Sign, Request Target
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate Version: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Request Non-NT Session Key: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
.... .... .... 1... .... .... .... .... = Negotiate Extended Session Security: Set
.... .... .... .0.. .... .... .... .... = Negotiate 0x00040000: Not set
.... .... .... ..0. .... .... .... .... = Target Type Server: Not set
.... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
.... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
.... .... .... .... .... .... 1... .... = Negotiate Lan Manager Key: Set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
Calling workstation domain: NULL
Calling workstation name: NULL
Version 10.0 (Build 19041); NTLM Current Revision 15
[Response In: 7591]
Disabling LDAP signing on DC
There is no Negotiate signing in UI:

We use the registry:
PS C:\Users\Administrator> (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters").LDAPServerIntegrity
>>
1
PS C:\Users\Administrator> Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters `
>> LDAPServerIntegrity 0
PS C:\Users\Administrator> (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters").LDAPServerIntegrity
>>
0
PS C:\Users\Administrator> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Configuring the client
PS C:\WINDOWS\system32> (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0").NtlmMinClientSec
536870912
PS C:\WINDOWS\system32> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
>> -Name NtlmMinClientSec `
>> -Value 0 `
>> -Type DWord
PS C:\WINDOWS\system32> (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0").NtlmMinClientSec
0
Restoring the original value:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name NtlmMinClientSec `
-Value 536870912 `
-Type DWord
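The two bind requests captured above differ in exactly one NegotiateFlags bit, and the NtlmMinClientSec value read from the client uses the same bit layout as the NTLMSSP flags. The decoder below is an added example, not code from the original notes: it parses the two NTLMSSP NEGOTIATE_MESSAGE blobs copied from the Wireshark captures (signature, message type, flags, Domain/Workstation fields, Version), names the flag bits using the MS-NLMP names, and decodes the registry value 536870912 with the same table. The blob constants are the page's own; everything else is this example's.

```python
import struct

# NTLMSSP NegotiateFlags bit names as defined in MS-NLMP section 2.2.2.5.
# NtlmMinClientSec / NtlmMinServerSec use the same bit values, so one table
# decodes both a captured NEGOTIATE_MESSAGE and the registry setting.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# The "credentials" blobs from the two Wireshark captures above (copied from the page).
SIGN_AND_SEAL = "4e544c4d5353500001000000b78208e2000000000000000000000000000000000a00614a0000000f"
SIGN_ONLY = "4e544c4d5353500001000000978208e2000000000000000000000000000000000a00614a0000000f"


def flag_names(flags):
    """Names of the NTLMSSP flag bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def parse_negotiate(hex_blob):
    """Decode an NTLMSSP NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1) given as a hex string."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)          # little-endian on the wire
    if msg_type != 1:
        raise ValueError("expected NEGOTIATE_MESSAGE (type 1), got type %d" % msg_type)
    # DomainNameFields and WorkstationFields are (Len, MaxLen, BufferOffset); Len 0 is what
    # Wireshark shows as "NULL".
    domain_len, _, _ = struct.unpack_from("<HHI", raw, 16)
    workstation_len, _, _ = struct.unpack_from("<HHI", raw, 24)
    info = {
        "flags": flags,
        "flag_names": flag_names(flags),
        "domain_supplied": domain_len != 0,
        "workstation_supplied": workstation_len != 0,
        "version": None,
    }
    # The 8-byte Version field is only meaningful when NEGOTIATE_VERSION is set:
    # major, minor, build (LE u16), 3 reserved bytes, NTLMRevisionCurrent.
    if flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build, raw[39])
    return info


def flag_diff(flags_a, flags_b):
    """Names of the flag bits that differ between two NegotiateFlags values."""
    return flag_names(flags_a ^ flags_b)


def security_requirements(flags):
    """What the client asked for, in the terms Wireshark and NtlmMinClientSec use."""
    return {
        "sign": bool(flags & 0x00000010),
        "always_sign": bool(flags & 0x00008000),
        "seal": bool(flags & 0x00000020),
        "key_128": bool(flags & 0x20000000),
        "ntlmv2_session_security": bool(flags & 0x00080000),
    }


if __name__ == "__main__":
    for label, blob in (("capture 1", SIGN_AND_SEAL), ("capture 2", SIGN_ONLY)):
        msg = parse_negotiate(blob)
        print(label, hex(msg["flags"]), "version", msg["version"])
        print("   ", ", ".join(msg["flag_names"]))
        print("   ", security_requirements(msg["flags"]))
    print("bits that changed between the captures:", flag_diff(0xE20882B7, 0xE2088297))
    print("NtlmMinClientSec=536870912 requires:", flag_names(536870912))
```

Running it shows that the only bit that changed between the two captures is NEGOTIATE_SEAL, while NEGOTIATE_SIGN and NEGOTIATE_ALWAYS_SIGN stay set in both, and that 536870912 (0x20000000) is NEGOTIATE_128, i.e. the client-side minimum was "require 128-bit encryption", not a signing requirement.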
Using ldapsearch on Ubuntu
sudo apt update
sudo apt install ldap-utils \
krb5-user \
libsasl2-modules-gssapi-mit
- ldap-utils: ldapsearch itself
- krb5-user: the Kerberos client (kinit, krb5.conf)
- libsasl2-modules-gssapi-mit: the GSSAPI SASL module
ldapsearch -H ldap://my.local -Y GSSAPI -o sasl_secprops=none
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Wireshark:

But kinit worked:
kinit administrator@MY.LOCAL
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@MY.LOCAL
Valid starting Expires Service principal
11/27/25 17:15:53 11/28/25 03:15:53 krbtgt/MY.LOCAL@MY.LOCAL
renew until 11/28/25 17:15:46
kvno ldap/my.local
kvno: Server not found in Kerberos database while getting credentials for ldap/my.local@MY.LOCAL
cat /etc/krb5.conf
[libdefaults]
default_realm = MY.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
MY.LOCAL = {
kdc = MY.LOCAL
admin_server = MY.LOCAL
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
Kerberos started to work better:
dmitriano@Lenovo16:~$ kdestroy
dmitriano@Lenovo16:~$ kinit administrator@MY.LOCAL
Password for administrator@MY.LOCAL:
dmitriano@Lenovo16:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@MY.LOCAL
Valid starting Expires Service principal
11/27/25 17:30:24 11/28/25 03:30:24 krbtgt/MY.LOCAL@MY.LOCAL
renew until 11/28/25 17:30:20
dmitriano@Lenovo16:~$ kvno ldap/myserver.my.local
ldap/myserver.my.local@MY.LOCAL: kvno = 5
But ldapsearch did not:
ldapsearch -H ldap://myserver.my.local -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
On DC:
setspn -L MYSERVER
Registered ServicePrincipalNames for CN=MYSERVER,OU=Domain Controllers,DC=my,DC=local:
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/myserver.my.local
TERMSRV/MYSERVER
TERMSRV/myserver.my.local
ldap/myserver.my.local/ForestDnsZones.my.local
ldap/myserver.my.local/DomainDnsZones.my.local
DNS/myserver.my.local
GC/myserver.my.local/my.local
RestrictedKrbHost/myserver.my.local
RestrictedKrbHost/MYSERVER
RPC/f2e9d2ec-472a-4d24-8a4c-05df46a77536._msdcs.my.local
HOST/MYSERVER/MY
HOST/myserver.my.local/MY
HOST/MYSERVER
HOST/myserver.my.local
HOST/myserver.my.local/my.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f2e9d2ec-472a-4d24-8a4c-05df46a77536/my.local
ldap/MYSERVER/MY
ldap/f2e9d2ec-472a-4d24-8a4c-05df46a77536._msdcs.my.local
ldap/myserver.my.local/MY
ldap/MYSERVER
ldap/myserver.my.local
ldap/myserver.my.local/my.local
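The kvno output above shows the pattern behind "Server not found in Kerberos database": the KDC can only issue a service ticket for a principal that is actually registered, so ldap/my.local fails while ldap/myserver.my.local succeeds. The script below is an added example, not part of the original notes: it derives the SPN a GSSAPI LDAP client asks for from the host in the -H URI and checks it against the setspn -L output (an excerpt of the page's listing, embedded as constructed sample input). It deliberately does no DNS canonicalization; that is an assumption of the example, noted again below.

```python
from urllib.parse import urlsplit

# Excerpt of the `setspn -L MYSERVER` output shown on the DC above (sample input embedded
# for this example; real setspn output indents each SPN with a tab).
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=MYSERVER,OU=Domain Controllers,DC=my,DC=local:
\tDNS/myserver.my.local
\tGC/myserver.my.local/my.local
\tHOST/MYSERVER
\tHOST/myserver.my.local
\tldap/MYSERVER/MY
\tldap/myserver.my.local/MY
\tldap/MYSERVER
\tldap/myserver.my.local
\tldap/myserver.my.local/my.local
"""


def parse_setspn(text):
    """Return the SPNs listed by `setspn -L`, skipping the header line and blank lines."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def expected_spn(ldap_uri, service="ldap"):
    """SPN built from the URI host exactly as typed (no forward or reverse DNS canonicalization).

    Assumption of this example: the real client library may canonicalize the host first.
    """
    host = urlsplit(ldap_uri).hostname        # lower-cased by urlsplit, port dropped
    if not host:
        raise ValueError("no host in %r" % (ldap_uri,))
    return "%s/%s" % (service, host)


def check_spn(ldap_uri, setspn_text):
    """Report whether the SPN the client will request is registered, and list same-class SPNs."""
    spns = parse_setspn(setspn_text)
    wanted = expected_spn(ldap_uri)
    # AD matches SPNs case-insensitively, so ldap/MYSERVER satisfies a request for ldap/myserver.
    registered = any(spn.lower() == wanted.lower() for spn in spns)
    service = wanted.split("/", 1)[0].lower()
    candidates = sorted(spn for spn in spns if spn.lower().startswith(service + "/"))
    return {"spn": wanted, "registered": registered, "candidates": candidates}


if __name__ == "__main__":
    for uri in ("ldap://my.local", "ldap://myserver.my.local", "ldap://MYSERVER:389"):
        result = check_spn(uri, SETSPN_OUTPUT)
        status = "registered" if result["registered"] else "NOT registered"
        print("%-28s -> %-24s %s" % (uri, result["spn"], status))
        if not result["registered"]:
            print("    registered %s SPNs: %s" % (result["spn"].split("/")[0], ", ".join(result["candidates"])))
```

The check only models the simplest case. OpenLDAP by default canonicalizes the SASL host name through DNS (including a reverse lookup) before handing it to the GSSAPI mechanism, and MIT Kerberos applies its own dns_canonicalize_hostname and rdns settings, so the principal the KDC is finally asked about can differ from the host in the URI even when that host's SPN is registered; when a name that kvno resolves fine still fails inside ldapsearch, the client-side name canonicalization is the first thing to compare (ldap.conf SASL_NOCANON and ldapsearch -N switch the reverse-DNS step off).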

