Windows DC 报告事件 ID 3039 或 3075，已启用"Try Channel Binding For AD LDAP Connections"

最后更新
另存为PDF

Views:: 48

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

适用于

ONTAP 9
CIFS/SMB
LDAPS 或 START-TLS
通道绑定

问题描述

从 ONTAP 9.10.1 开始引入了对基于 TLS 的 AD-LDAP 的通道绑定支持
尝试 AD LDAP 连接的通道绑定默认已启用。

cluster1::> cifs security show -vserver svm1

Vserver: svm1

Kerberos Clock Skew: - minutes Kerberos Ticket Age: - hours Kerberos Renewal Age: - days Kerberos KDC Timeout: - seconds Is Signing Required: - Is Password Complexity Required: - Use start_tls for AD LDAP connection: false Is AES Encryption Enabled: false LM Compatibility Level: lm-ntlm-ntlmv2-krb Is SMB Encryption Required: - Client Session Security: none SMB1 Enabled for DC Connections: false SMB2 Enabled for DC Connections: system-default LDAP Referral Enabled For AD LDAP connections: false Use LDAPS for AD LDAP connection: true Encryption is required for DC Connections: false AES session key enabled for NetLogon channel: false Try Channel Binding For AD LDAP Connections: true

在这种情况下，即使启用了通道绑定，Windows DC 仍会报告事件 ID 3039：

The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.

事件 ID 3075 也可以报告：

The following client performed an LDAP bind over SSL/TLS and did not provide Channel Binding Information. When this directory server is configured to enforce validation of Channel Binding Tokens, this bind operation will be rejected. Client IP address: 10.0.0.1:46863 Identity the client attempted to authenticate as: DOMAIN\USERNAME$ Client supports channel binding:FALSE Client permitted in when supported mode:TRUE Audit result flags:0x42 For more details and information on channel binding token validation for LDAPS, please see https://go.microsoft.com/fwlink/?linkid=2102405. >"The following client performed an LDAP bind over SSL/TLS and did not provide > Channel Binding Information. When this directory server is configured to > enforce validation of Channel Binding Tokens, this bind operation will be > rejected."

从 SECD.LOG 在 3075 事件期间的提取显示未发生通道绑定：

debug: Connecting to LDAP (Active Directory) server ldap.domain.com (10.0.0.4) { in addStartConnectionLog() at src/connection_manager/secd_connection_manager.cpp:525 } debug: Initializing for LDAPS { in ldapInitialize() at src/connection_manager/secd_connection.cpp:2311 } debug: Attemping a SASL bind as "USERNAME$@DOMAIN.COM" { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:981 } debug: Creating SPN using serverRealm [ASBNET.AT] { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1026 } debug: LDAP security level is NONE, attempting bind using SPNEGO { in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1061 } debug: Found matching cache 'cc:C:26:0' { in secd_ccache_resolve() at src/utils/secd_krb_ccache.cpp:1052 } info : [krb5 context 165AF200] Getting credentials USERNAME$@DOMAIN.COM -> cifs/ldap.domain.com@ using ccache NETAPPCC:cc:C:26:0