LDAP

Authentication

Bind operations are used to authenticate clients to the directory server.

Active Directory supports simple, SASL and Sicily authentication mechanisms.

Logo[MS-ADTS]: AuthenticationMicrosoftLearn

When an application binds to an object in the directory, the access privileges that the application has to that object are based on the user context specified during the bind operation. For the binding functions and methods ADsGetObject, ADsOpenObject, GetObject, IADsOpenDSObject::OpenDSObject, an application can implicitly use the credentials of the caller, explicitly specify the credentials of a user account, or use an unauthenticated user context (Guest).

LogoAuthentication (AD DS) - Win32 appsMicrosoftLearn

Simple Bind

Anonymous Authentication

The legitimate use case for this is LDAP configuration discovery.

Anonymous authentication allows anyone to fetch the root of a directory server information tree, by the Get-ADRootDSE PowerShell command for example.

rootDSE is Defined as the root of the directory data tree on a directory server and provides data about the directory server.

If fLDAPBlockAnonOps is false, anonymous users can perform any LDAP operation, subject to access checks that use the ACL mechanisms described in this section. Refer to [MS-ADTS] - Authorization.

Microsoft Learn - AD Schema RFC 4513 - Anonymous Authentication Microsoft Learn - Get-ADRootDSE Devolutions - Why Active Directory LDAP Unauthenticated Binds Should Be Disabled, and How to Disable It

Unauthenticated Authentication

It is possible to disable LDAP unauthenticated binds starting from Windows server 2019.

Many servers require that if an empty password is provided then an empty DN must also be given now.

CVE - Related vulnerability RFC 4513 - Unauthenticated Authentication Lithnet - Disabling Unauthenticated Binds in Active Directory

Logo[MS-ADTS]: Supported Authentication MethodsMicrosoftLearn

SASL Authentication

Simple authentication and security layer. SASL can use other security layer frameworks like Kerberos for authentication.

Logo[MS-ADTS]: SASL AuthenticationMicrosoftLearn

Searching in AD

Searching in AD is a matter of

  1. finding a Domain Controller (DC),

  2. binding to the object where the search should begin in the directory,

  3. submitting a query, and

  4. processing the results.

LogoSearching in Active Directory Domain Services - Win32 appsMicrosoftLearn

Binding

In Active Directory Domain Services, the act of associating a programmatic object with a specific Active Directory Domain Services object is known as binding.

Name in Bind Request

Active Directory accepts several forms of name in the name field of the BindRequest.

  1. The DN of the object

  2. The user principal name (UPN) of the object.

  3. The NetBIOS domain name, followed by a backslash (""), followed by the value of the sAMAccountName attribute

  4. The canonical name of the object.

  5. The value of the objectGUID attribute

  6. The value of the displayName attribute

  7. A value of the servicePrincipalName attribute

  8. A value V that, when the MapSPN(V, M) algorithm of [MS-DRSR] section 4.1.4.2.19 is applied to it, corresponds to a value of the servicePrincipalName attribute of the object. M is the value of the sPNMappings attribute of the nTDSService object.

  9. The value of the objectSid attribute

  10. A value from the sIDHistory attribute

  11. The canonical name of the object in which the rightmost forward slash (/) is replaced with a newline character (\n).

If the name field of the BindRequest maps to a single object using the attempted name form, the password on that object is checked.

APIs

The method for programmatically binding to an Active Directory object will depend on the programming technology that is used.

Programming technologyFor more information

Active Directory Service Interfaces

Binding to an ADSI Object

Lightweight Directory Access Protocol

Establishing an LDAP Session

System.DirectoryServices

Binding to Directory Objects

LogoBinding to Active Directory Domain Services - Win32 appsMicrosoftLearn

ADSI

Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers.

Services can publish themselves in a directory, clients can use the directory to find the services, and both can use the directory to find and manipulate other objects of interest.

Microsoft Learn - Active Directory Service Interfaces

LDAP

LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports directory searching.

System.DirectoryServices

LogoDirectorySearcher Class (System.DirectoryServices)MicrosoftLearn

Authorization

Active Directory provides access control, the mechanisms LDAP security model does not include, in the form of access control lists (ACLs) on directory objects.

Anonymous User

If the fLDAPBlockAnonOps heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is true, anonymous (unauthenticated) users are limited to performing rootDSE searches and binds. If fLDAPBlockAnonOps is false, anonymous users can perform any LDAP operation, subject to access checks that use the ACL mechanisms.

Tools

ldapsearch

Here we use ldapsearch with anonymous authentication to fetch the roo. of a directory server information tree.

$ ldapsearch -H ldap://<IP> -x -s base -b ''

C#

Build LDAP filter to look for users with SPN values registered for current domain.

$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"

$results = $search.FindAll()

$Results = foreach ($result in $results)
{
	$result_entry = $result.GetDirectoryEntry()
 
	$result_entry | Select-Object @{
		Name = "Username";  Expression = { $_.sAMAccountName }
	}, @{
		Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }
	}
}
 
$Results

Netwrix - Use DirectorySearcher to get account with SPN Microsoft Learn - DirectorySearcher Class

Usage

Third-party Service

Third-party applications that integrate with AD usually use LDAP to authenticate users.

These services often store their AD credential in plain text in configuration files.

Reference

Netwrix - LDAP Reconnaissance

PreviousDomain ServiceNextAD Objects

Last updated