Windows DC reports event ID 3039 or 3075 while "Try Channel Binding For AD LDAP Connections" is enabled
Environment
- ONTAP 9
- CIFS / SMB
- LDAPS or START-TLS
- Channel binding
Issue
- Starting with ONTAP 9.10.1, channel binding is supported for AD LDAP connections over TLS.
- Try Channel Binding For AD LDAP Connections is enabled by default:
cluster1::> cifs security show -vserver svm1

Vserver: svm1
Kerberos Clock Skew: - minutes
Kerberos Ticket Age: - hours
Kerberos Renewal Age: - days
Kerberos KDC Timeout: - seconds
Is Signing Required: -
Is Password Complexity Required: -
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: -
Client Session Security: none
SMB1 Enabled for DC Connections: false
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: true
Encryption is required for DC Connections: false
AES session key enabled for NetLogon channel: false
Try Channel Binding For AD LDAP Connections: true
- In this scenario, the Windows DC reports event ID 3039 even though channel binding is enabled on the SVM:
The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.
- Event ID 3075 may also be reported:
The following client performed an LDAP bind over SSL/TLS and did not provide Channel Binding Information. When this directory server is configured to enforce validation of Channel Binding Tokens, this bind operation will be rejected.
Client IP address:
10.0.0.1:46863
Identity the client attempted to authenticate as:
DOMAIN\USERNAME$
Client supports channel binding:FALSE
Client permitted in when supported mode:TRUE
Audit result flags:0x42
For more details and information on channel binding token validation for LDAPS, please see https://go.microsoft.com/fwlink/?linkid=2102405.
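As an added example (not part of the NetApp article, and not NetApp or Microsoft code), the following Python parses the message text of 3039/3075 events into structured records and lists which clients the DC would reject once LdapEnforceChannelBinding is raised to 1 (When Supported) or 2 (Always). The first sample event reproduces the 3075 text quoted above; the second is a constructed 3039 event with a made-up client address and identity and without the three trailing audit fields, to show that the parser tolerates their absence.

```python
"""Parse the LDAP channel-binding audit events a Windows DC logs (IDs 3039
and 3075) and report which clients would be rejected under each
LdapEnforceChannelBinding setting."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample events. The first reproduces the 3075 text from the
# article; the second is a made-up 3039 event that carries only the summary
# line, client address and identity.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (3075, r"""The following client performed an LDAP bind over SSL/TLS and did not provide Channel Binding Information. When this directory server is configured to enforce validation of Channel Binding Tokens, this bind operation will be rejected.
Client IP address:
10.0.0.1:46863
Identity the client attempted to authenticate as:
DOMAIN\USERNAME$
Client supports channel binding:FALSE
Client permitted in when supported mode:TRUE
Audit result flags:0x42
"""),
    (3039, r"""The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.
Client IP address:
10.0.0.7:51200
Identity the client attempted to authenticate as:
DOMAIN\APPSVC$
"""),
]

# Field labels exactly as they appear in the event text. The value may sit on
# the same line or the next one, with or without a space after the colon.
_RE_CLIENT = re.compile(r"Client IP address:\s*(\S+):(\d+)")
_RE_IDENTITY = re.compile(r"Identity the client attempted to authenticate as:\s*(\S+)")
_RE_SUPPORTS = re.compile(r"Client supports channel binding:\s*(TRUE|FALSE)")
_RE_PERMITTED = re.compile(r"Client permitted in when supported mode:\s*(TRUE|FALSE)")
_RE_FLAGS = re.compile(r"Audit result flags:\s*(0x[0-9A-Fa-f]+)")


def _flag(match) -> Optional[bool]:
    """TRUE/FALSE field -> bool; None when the event did not carry the field."""
    return None if match is None else match.group(1) == "TRUE"


@dataclass
class CbtAuditEvent:
    event_id: int
    client_ip: str
    client_port: int
    identity: str
    supports_cbt: Optional[bool]              # "Client supports channel binding"
    permitted_when_supported: Optional[bool]  # "Client permitted in when supported mode"
    audit_flags: Optional[int]                # "Audit result flags", as an integer

    @property
    def reason(self) -> str:
        return {
            3039: "channel binding token failed validation",
            3075: "no channel binding token supplied",
        }.get(self.event_id, "unrecognised event id")


def parse_event(event_id: int, message: str) -> CbtAuditEvent:
    """Extract the structured fields from one 3039/3075 event message."""
    client = _RE_CLIENT.search(message)
    identity = _RE_IDENTITY.search(message)
    if client is None or identity is None:
        raise ValueError("not a channel binding audit event: client/identity missing")
    flags = _RE_FLAGS.search(message)
    return CbtAuditEvent(
        event_id=event_id,
        client_ip=client.group(1),
        client_port=int(client.group(2)),
        identity=identity.group(1),
        supports_cbt=_flag(_RE_SUPPORTS.search(message)),
        permitted_when_supported=_flag(_RE_PERMITTED.search(message)),
        audit_flags=None if flags is None else int(flags.group(1), 16),
    )


def parse_events(events: Sequence[Tuple[int, str]]) -> List[CbtAuditEvent]:
    return [parse_event(event_id, text) for event_id, text in events]


def clients_blocked(events: Sequence[CbtAuditEvent], enforce_mode: int) -> Dict[str, List[str]]:
    """Client IP -> binds the DC would reject under LdapEnforceChannelBinding =
    enforce_mode (0 Never, 1 When Supported, 2 Always).

    Mode 2 rejects every bind that produced a 3039 or 3075. For mode 1 the
    outcome is taken from the event's own 'permitted in when supported mode'
    field; events that lack that field are not reported as blocked."""
    blocked: Dict[str, List[str]] = {}
    for ev in events:
        if enforce_mode == 2:
            rejected = ev.event_id in (3039, 3075)
        elif enforce_mode == 1:
            rejected = ev.permitted_when_supported is False
        else:
            rejected = False
        if rejected:
            blocked.setdefault(ev.client_ip, []).append(f"{ev.identity} ({ev.reason})")
    return blocked


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for ev in parsed:
        print(f"{ev.event_id} {ev.client_ip}:{ev.client_port} {ev.identity} "
              f"supports_cbt={ev.supports_cbt} flags={ev.audit_flags}")
    for mode in (1, 2):
        print(f"LdapEnforceChannelBinding={mode} would block: {clients_blocked(parsed, mode)}")
```

Feed it the Message text of events taken from the DC's Directory Service log (for example via Get-WinEvent) to see which ONTAP SVMs and other clients would lose LDAP binds before switching the DC to Always. Note that 3039 and 3075 are only written while the NTDS diagnostic setting "16 LDAP Interface Events" is at level 2; at the default level the DC logs nothing about binds that arrive without a channel binding token.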
- An extract from SECD.LOG taken while the 3075 event was logged shows that channel binding is not taking place:
debug: Connecting to LDAP (Active Directory) server ldap.domain.com (10.0.0.4) { in addStartConnectionLog() at src/connection_manager/secd_connection_manager.cpp:525 }
debug: Initializing for LDAPS { in ldapInitialize() at src/connection_manager/secd_connection.cpp:2311 }
debug: Attemping a SASL bind as "USERNAME$@DOMAIN.COM" { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:981 }
debug: Creating SPN using serverRealm [ASBNET.AT] { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1026 }
debug: LDAP security level is NONE, attempting bind using SPNEGO { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1061 }
debug: Found matching cache 'cc:C:26:0' { in secd_ccache_resolve() at src/utils/secd_krb_ccache.cpp:1052 }
info : [krb5 context 165AF200] Getting credentials USERNAME$@DOMAIN.COM -> cifs/ldap.domain.com@ using ccache NETAPPCC:cc:C:26:0