matteu31400 asked:

Audit LDAPS connections

Hello,

I have more and more Active Directory migrations to do, and a lot of customers don't know whether they have applications using LDAPS or not.
Is there a way to find all communications done with the LDAPS protocol, like there is for LDAP?

A network listener on port 636 could be used, but it is not really easy to use over several days...

If there is something to enable that shows all source IPs with LDAPS communication, it would be perfect :)

Thank you


GaryNebbett answered:

Hello @matteu31400,

I mostly understand your issue, but I did not understand the bit about not being able to distribute the root certificate.

I can only think of three options:

  1. Turn up Active Directory logging (https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-ad-and-lds-event-logging) to the maximum and see whether any of the logged events meet your needs.

  2. Trace all network traffic (filtering for LDAP ports if possible) and analyze their contents (if possible - the traffic might be protected by SASL confidentiality).

  3. Use heuristics to guess whether LDAP is being protected by TLS. For example, capture the connections as before and trace the Microsoft-Windows-SChannel-Events provider too, looking for AcceptSecurityContext events (which could signal, among other things, that a TLS channel is being established); correlating the events via process id and time, it might be possible to (unreliably) infer whether LDAP is being protected by TLS.

Gary

DaisyZhou-MSFT answered:

Hello @matteu31400,

Thank you for posting here.

Here is a test in my lab; I can audit LDAPS connections successfully.

Here are the steps for your reference.

I have a forest/root domain b.local (one DC named vchzho841vm) and a child domain bb.b.local (one DC dfs1, IP address 192.168.2.75).

1. On the DC in the child domain, I logged on to this DC using the domain Administrator credential of the child domain.

2. Then I opened ldp.exe (port 636, SSL) and connected to the DC in the root domain.
(screenshot: ldp1.png)

3. Bind with BB\administrator.
(screenshot: ldp2.png)

4. Then query something.

5. On the DC in the root domain, open Event Viewer and I can see Event ID 4624 with the source IP and credential.

(screenshot: ldp3.png)


Here is a similar case we can refer to.

Log LDAP access of the Active directory
https://serverfault.com/questions/193100/log-ldap-access-of-the-active-directory


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


matteu31400 answered:

Hello

Thank you for your answer.

What you show here is connection auditing, but not LDAPS only. 4624 is also created when you log on with LDAP.
The idea is to identify only ldaps connections.

DaisyZhou-MSFT commented:

Hello @matteu31400,

Thank you for your update.

Maybe this link below is helpful.

LDAP Channel Binding and LDAP Signing Requirements - March 2020 update final release
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536/page/3#comments

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


matteu31400 answered:

Hello,

I find a lot of documentation about LDAPS, but it doesn't do what I would like. In your link, we can identify which LDAP connections are done WITHOUT LDAPS. What I would like is which connections are done WITH LDAPS :) (if it exists ^^)

GaryNebbett answered:

Hello @matteu31400,

Let's first be clear about what you want - do you want to log which clients use LDAP and TLS or just the clients that use LDAP and TLS by connecting to port 636? Connecting to port 636 is deprecated (see, for example, https://www.openldap.org/faq/data/cache/605.html) and the LDAP StartTLS is the preferred method (first connect to port 389 and then send a StartTLS request).

If you want to log clients connecting to port 636, then logging traffic at the network level is probably the easiest way and can be done over weeks and months (the amount of data is modest). One way of doing this would be to issue the command:

logman start LDAPS-Audit -ets -p Microsoft-Windows-TCPIP ut:TcpipListener -o LDAPS-Audit.etl

This captures one event for each TCP "accept". It will log events for all ports, so it will need to be filtered for port 636. The event includes both local and remote addresses and ports and that is all that you seem to need.

(screenshot: image.png)

Gary

matteu31400 answered:

Thank you for this answer.

Maybe I don't understand correctly what LDAPS is, because I believe it's a connection from the client to the DC on port 636, but it's also right for 389 if StartTLS is used, right?
If we can capture the traffic with logman, I suppose I have all 636 connections (LDAPS for sure) and 389 (it can be LDAP or StartTLS, right?). How could I know if it's LDAP or StartTLS in this case?

I'm sorry for these questions, but it's because a lot of my clients have no idea whether their applications use LDAPS or not, and when I need to migrate a DC, if applications use LDAPS, they will not work anymore until LDAPS is configured again.

GaryNebbett commented:

Hello @matteu31400,

LDAPS, strictly speaking, just refers to connecting to port 636 but most people don't understand/observe this distinction.

I can't immediately think of a low log data volume, easy to analyse method of recording use of StartTLS on a Windows server.

Gary

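As an added example (not from the thread or from either answerer), the following Python helper shows how the three cases discussed above can be told apart once the first client bytes of each connection are available from a network trace (Gary's option 2): a TLS record at byte 0 means implicit TLS on 636, an LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 (RFC 4511) means StartTLS on 389, anything else is cleartext LDAP. The sample messages and IP addresses are constructed by hand; the per-source-IP summary is an assumed output format, not a Windows tool.

```python
# Added example (not from the thread). Classifies the first client message of a
# captured LDAP connection as implicit TLS (LDAPS on 636), a StartTLS request
# (RFC 4511 ExtendedRequest, OID 1.3.6.1.4.1.1466.20037) or cleartext LDAP, then
# lists per source IP which modes were seen. All sample bytes are constructed.
from collections import defaultdict

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def classify_first_message(data):
    """Return 'tls', 'starttls', 'bind', 'ldap-other' or 'unknown'."""
    if data[:2] == b"\x16\x03":                 # TLS handshake record: implicit TLS (LDAPS)
        return "tls"
    try:
        tag, body, _ = read_tlv(data, 0)        # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
        if tag != 0x30:
            return "unknown"
        _, _msg_id, pos = read_tlv(body, 0)     # messageID INTEGER
        op_tag, op_body, _ = read_tlv(body, pos)
        if op_tag == 0x77:                      # [APPLICATION 23] ExtendedRequest
            name_tag, name, _ = read_tlv(op_body, 0)   # requestName [0] LDAPOID
            return "starttls" if name_tag == 0x80 and name == STARTTLS_OID else "ldap-other"
    except (IndexError, ValueError):
        return "unknown"
    return "bind" if op_tag == 0x60 else "ldap-other"   # [APPLICATION 0] BindRequest

def summarize(connections):
    """(src_ip, dst_port, first_client_bytes) records -> {src_ip: {"port/mode", ...}}."""
    seen = defaultdict(set)
    for src_ip, dst_port, first in connections:
        seen[src_ip].add(f"{dst_port}/{classify_first_message(first)}")
    return dict(seen)

# Constructed samples: StartTLS ExtendedRequest, anonymous simple BindRequest, TLS record start
SAMPLE_STARTTLS = bytes.fromhex("301d02010177188016") + STARTTLS_OID
SAMPLE_BIND = bytes.fromhex("300c020101600702010304008000")
SAMPLE_TLS = bytes.fromhex("160301000201")

if __name__ == "__main__":
    print(summarize([("10.0.0.5", 389, SAMPLE_STARTTLS), ("10.0.0.9", 636, SAMPLE_TLS)]))
```

Only the first client message is needed per connection, so the capture stays small even over weeks; a connection classified as "389/bind" is the cleartext case the thread's StartTLS question was about.
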
matteu31400 answered:

OK.
I hope you understand what my issue is?

If I configure vCenter to use LDAPS to perform authentication of my AD users and I migrate my domain controller, I will not be able to log in to my vCenter with my domain account, because new DC = new certificate.
On vCenter, you can't give it a root CA to validate all DCs. The supported method is to give it the certificate from a specified DC.

My last client uses Trend Micro to protect against viruses and other stuff, and he couldn't connect anymore because StartTLS was used, and we needed to reconfigure his application for authentication to work again.

I would like to know if, before my migration, I can analyze all the applications I will have to monitor, to be ready when my domain controller is migrated. It's better to know what will happen than "it doesn't work anymore".

matteu31400 answered:

Thank you for your help, I'll try to see if I can have enough information with these possibilities.

DaisyZhou-MSFT commented:

Hello @matteu31400,

Thank you for your update.

If anything is unclear, please feel free to let us know.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT commented:

Hello @matteu31400,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

matteu31400 answered:

Hello,

Unfortunately, it's not an easy step to "audit" LDAPS connections...
I will forget this idea.

Thanks for your help.
