joeware - never stop exploring... :)

I spent some time this weekend relearning something I learned 15 or so years ago… How to make 2.5.5.14 (DN with String) attribute schema changes that actually work. It’s simple but there is also a trick to it that you need to be aware of.

Let’s go back a bit…

I was recently asked about setting up a special multi-multi forward and backward (back) linked attribute pair for tracking relationships between users and computers. The computers would hold the forward link, the users, groups, or anything used would hold the reverse link. Then if you want to specify a group of individual users and/or groups that “own” a specific computer object (or OU or Group or Application/Process IDs or whatever you want really) you can easily do so and those linkages would carry back to the users themselves so they could see what objects they “own”.

So spinning up a multi-value forward/back linked attribute pair is easy right? Just a pair of multi-value 2.5.5.1 attributes. You could just use managedBy and managedObjects but managedBy is single valued and that isn’t something you can change. That leaves creating new attributes and again who hasn’t made thousands of schema mods/adds over the years to spin up linked 2.5.5.1 attributes? Boring!

However, we can do better than linked 2.5.5.1s. Active Directory (and LDS) support two other DN style attributes that can be linked. First there is 2.5.5.7 which is DN with Binary (aka DN-Binary aka ADS_DN_WITH_BINARY). Second is 2.5.5.14 which is DN with String (aka DN-String aka ADS_DN_WITH_STRING).

The cool thing with these additional formats is that it allows you to stuff additional information on the DN. Say like UAR / Attestation / Request# info for tracking purposes (you are tracking changes and who requested, when requested, Date of last review, and then reviewing it on a regular frequency right?). Heck with DN with Binary you could build a whole binary structure to jam in there and easily pack and unpack it with code and it would be basically obfuscated for everyone else. And keep that in mind, obfuscated, not encrypted.

Relevant Informational Side-Bar
====================

A 2.5.5.1 Attribute is simply a distinguished name aka DN. It has to be a VALID DN that exists in the DSA (Domain Controller or LDS instance) database because internally it is represented as a pointer to the row of the object in the underlying database, it is not an actual string of the DN value. You can’t put in CN=SchoolofRockElite,OU=Groups,DC=SchoolOfRock,DC=com into a 2.5.5.1 attribute in the single forest domain DC=ClassicalMusicOnly,DC=com because that isn’t a valid DN in that forest. You could, however, add a foreignSecurityPrincipal for the SchoolofRockElite group into the ClassicalMusicOnly domain and put *that* DN into the 2.5.5.1 attribute.

One cool thing about using 2.5.5.1 attributes is that if the object pointed to by the DN specified is changed (i.e. moved around AD) the DN in the attribute will be updated as well. If the object is deleted the linkage will show the link as a deleted DN. So good news bad news there… If someone who is set as the owner of an object is deleted, that linkage will eventually be scrubbed by the OS and then you will have a blank owner attribute (if that one object is the only owner listed). That is why ownership should *generally* be to groups for anything that should survive individuals marked as owners. At the very least you need to scan your links regularly looking for the deleted object links and then handle them in whatever method you define (delete the object with the link to a deleted owner, change the link to another owner, etc)

Another cool thing about using 2.5.5.1 attributes in a multivalued attribute when they are linked (forward/backward linked) with linkid functionality is that linked value replication functionality kicks in and with that there is no defined limit to the number of values for the attribute. This was new as of OEM Windows Server 2003 and FFL2. This is the functionality that allows for groups to have membership in excess of about 5000 members which was an issue in Windows Server 2000 with multiple domain controllers (replication could break temporarily or permanently because of version store exhaustion).

One last cool thing about 2.5.5.1 linked attributes. You will have a forward link and a backward (back) link. You can ONLY change the forward link value, the back link is a reflection only and cannot be modified. Consider member and memberOf. You can modify the member attribute on groups but you cannot modify the memberOf attribute on users or anything else. Just remember, back link is always read only. 

The 2.5.5.7 attribute extends the 2.5.5.1 functionality by allowing you to add binary data to the attribute as well in the format of B:<datasizeinbytes>:<binarydata>:<valid DN> so something like B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=multimanage,DC=test,DC=loc which can actually be translated (and is translated to by AdFind) to “GUID_USERS_CONTAINER = CN=Users,DC=multimanage,DC=test,DC=loc”. If you aren’t familiar, that is from the wellKnownObjects attribute on the domain NC head object which you can find on any domain NC head object (and no you will never see that in ADUC). Another more complex example can be seen with msDS-RevealedUsers. For example you could have a value of

B:96:A0000900060000006CC2ED0E03000000DCBD06B345297D4AB7CE0BC829C55C5A00D801000000000000D8010000000000:CN=joe user,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc

which translates to (as done by AdFind)

lmPwdHistory                     6  2017/03/30-12:25:16      120832  {B306BDDC-2945-4A7D-B7CE-0BC829C55C5A}  CN=joe user,OU=Users,OU=TestOU,DC=k16tst,DC=test,DC=loc 

The 2.5.5.14 attribute extends like 2.5.5.7 only it is a string value that you can add in the format of S:<datasizeinbytes>:<stringdata>:<valid DN> so something like S:23:supplementalCredentials:CN=krbtgt_20940,CN=Users,DC=k16tst,DC=test,DC=loc.

The one truly sucky thing about 2.5.5.14 (and to a lesser extent 2.5.5.7) is that the extra data can’t be quantified and used in a search query in any way that I am aware of. It is a lesser extent issue with 2.5.5.7 because that is the case for any binary data attributes and it really doesn’t make a lot of sense for searches of binary data.

Note that the back link for 2.5.5.7 and 2.5.5.14 forward link attributes is always a 2.5.5.1 attribute. You need to look at the forward link in order to get the additional data.

Anyway… back to the beginning. I sometimes wonder if part of the reason these special versions of linked DN attributes are not really used by others (MSFT uses them in a few different areas) is because there is a little trick to it to make it work right. Unlike most attributes you have to remember to set the oMObjectClass property on the schema attribute definitions because each of these two attributeSyntax types have two forms that are controlled by oMObjectClass and for fun MSFT set it up so the one you will get when you create the definitions is NOT the one you want. I haven’t seen everything but I have never once in many hundreds of production corporate directories ever seen the alternate versions of these attributes being used; if they are there, they are DN String and DN Binary. So chalk it up to not well thought out and something we have to handle on our end when defining the attributes in the Schema and all will be good.

This is so arcane and little used that I completely forgot about it myself and had to relearn “the trick” again this weekend. I thought to myself I know I have done this for companies in the past and it worked fine… Why is it not working fine now. Once I finally recalled the issue after about 10 minutes of looking closely at the schema definitions over and over and the extended errors and trying with LDP and ADSIEDIT to make sure I didn’t at some point introduce a bug into AdMod to cause it to break and then a literal palm slap to the forehead and an “oh yeah I remember this stupid implementation now” I thought why didn’t I blog this before so I could find the blog when I tried to do it again and failed??? So here we are, you are now all caught up with me and I am actually blogging it this time so when I try to do again many years from now I can google it.  

First the error you will hit if you create the DN with String attribute incorrectly (with the version of Windows Server 2016 at this time of this post[1]):

Error 0x15 (21) – Invalid Syntax
Extended Error: 00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839

Depending on the tool you are using it will be exposed (or not) in different ways. This is what it will look like in full from AdMod:

[Sun 07/08/2018 12:24:42.83]
E:\Dev\AD\Schema>admod -default -rb cn=testcomputer,cn=computers joeware-managedby:++:"S:6:MyTest:cn=testuser,cn=computers,DC=multimanage,DC=test,DC=loc" -exterr

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

DN Count: 1
Using server: K16SC-DC1.multimanage.test.loc:389
Directory: Windows Server 2008 R2
Base DN: cn=testcomputer,cn=computers,DC=multimanage,DC=test,DC=loc

Modifying specified objects…
   DN: cn=testcomputer,cn=computers,DC=multimanage,DC=test,DC=loc…: [K16SC-DC1.multimanage.test.loc] Error 0x15 (21) – Invalid Syntax

   Extended Error: 00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839

ERROR: Too many errors encountered, terminating…

The command did not complete successfully

Now for the error you get when you incorrectly create DN with Binary (with the version of Windows Server 2016 at this time of this post[1]):

Error 0x13 (19) – Constraint Violation
Extended Error: 000020B5: AtrErr: DSID-03152E86, #1:
        0: 000020B5: DSID-03152E86, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9667ed48 (joeware-ManagedBy-Bin)

One again, depending on the tool you are using it will be exposed (or not) in different ways. This is what it will look like in full from AdMod:

[Sun 07/08/2018 12:24:46.72]
E:\Dev\AD\Schema>admod -default -rb cn=testcomputer,cn=computers joeware-managedby-bin:++:"B:8:00000000:cn=testuser,cn=computers,DC=multimanage,DC=test,DC=loc" -exterr

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

DN Count: 1
Using server: K16SC-DC1.multimanage.test.loc:389
Directory: Windows Server 2008 R2
Base DN: cn=testcomputer,cn=computers,DC=multimanage,DC=test,DC=loc

Modifying specified objects…
   DN: cn=testcomputer,cn=computers,DC=multimanage,DC=test,DC=loc…: [K16SC-DC1.multimanage.test.loc] Error 0x13 (19) – Constraint Violation

   Extended Error: 000020B5: AtrErr: DSID-03152E86, #1:
        0: 000020B5: DSID-03152E86, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9667ed48 (joeware-ManagedBy-Bin)

ERROR: Too many errors encountered, terminating…

The command did not complete successfully

You may think well gee golly, that DN with Binary error sure is different, what is going on there? I can’t really say. Personally I would expect a similar invalid syntax error as is the case with DN with String or both have the same sort of Constraint Violation error (especially with the attribute info as the Constraint Violation error which is useful when updating multiple attributes at once). 

The secret for DN-String is that the oMObjectClass value that needs to be set for the DN with String format is – 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0C which translates to the OID 1.2.840.113556.1.1.1.12. In an LDIF file it will look like (KoZIhvcUAQEBDA==) and for an AdMod Schema update it would look like (2A864886F7140101010C).

The secret for DN-Binary is that the oMObjectClass value that needs to be set for the DN with Binary format is – 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0B which translates to the OID 1.2.840.113556.1.1.1.11. In an LDIF file it will look like (KoZIhvcUAQEBCw==) and for an AdMod Schema update it would look like (2A864886F7140101010B).

So after all of that here is how you can define these attributes in the schema. For fun I have allocated space for this from my personal Joeware OID space (1.2.840.113556.1.8000.1420) that I claimed from MSFT back when they first offered that service (service no longer available). I am also using my standard schema prefix for my joeware stuff (joeware-).

If you choose to use these definitions, either use them exactly as defined OR change the attributeIDs and names (i.e. there should be no 1.2.840.113556.1.8000.1420.* anything and there should be no joeware-* anything).

Another Relevant Informational Side-Bar
===========================

When you add forward/back link attributes you should usually try to stick with a naming standard where you specify the forward link attribute name and then for the backlink attribute name you use the same name with BL appended. However for some attributes it may make sense to be more specific on the naming of the backlink attribute. The member / memberof pair is a great example as is the managedBy / managedObjects pair. When I am creating attribute names I try to be as specific as possible with the naming but if I am doing something related to existing attributes such as in this case I will use a variation on the existing attributes. Another example of this can be found in my blog post http://blog.joeware.net/2008/07/12/1401 – Dotted Line Managers and Reports To in Active Directory and/or ADAM. 

Creating the attributes with AdMod

Linked Multi-Multi 2.5.5.14 DN with String Attribute

:: Forward Link (Writeable)
admod  -schema -rb cn=joeware-ManagedBy -add objectclass::attributeschema attributeID::1.2.840.113556.1.8000.1420.1.2.3000 attributeSyntax::2.5.5.14 isSingleValued::FALSE adminDisplayName::joeware-ManagedBy adminDescription::joeware-ManagedBy oMSyntax::127 BIN##omobjectclass::2A864886F7140101010C lDAPDisplayName::joeware-ManagedBy systemOnly::FALSE isMemberOfPartialAttributeSet::TRUE linkid::1.2.840.113556.1.2.50 -exterr

admod  -sc refreshschema

:: Back Link (Read Only)
admod  -schema -rb cn=joeware-ManagedObjects -add objectclass::attributeschema attributeID::1.2.840.113556.1.8000.1420.1.2.3001 attributeSyntax::2.5.5.1 isSingleValued::FALSE adminDisplayName::joeware-ManagedObjects adminDescription::joeware-ManagedObjects oMSyntax::127 lDAPDisplayName::joeware-ManagedObjects systemOnly::FALSE isMemberOfPartialAttributeSet::TRUE linkid::joeware-ManagedBy -exterr

admod  -sc refreshschema

Linked Multi-Multi 2.5.5.7 DN with Binary Attribute    

:: Forward Link (Writeable)
admod  -schema -rb cn=joeware-ManagedBy-Bin -add objectclass::attributeschema attributeID::1.2.840.113556.1.8000.1420.1.2.3002 attributeSyntax::2.5.5.7 isSingleValued::FALSE adminDisplayName::joeware-ManagedBy-Bin adminDescription::joeware-ManagedBy-Bin oMSyntax::127 BIN##omobjectclass::2A864886F7140101010B lDAPDisplayName::joeware-ManagedBy-Bin systemOnly::FALSE isMemberOfPartialAttributeSet::TRUE linkid::1.2.840.113556.1.2.50  -exterr

admod  -sc refreshschema

:: Back Link (Read Only)
admod  -schema -rb cn=joeware-ManagedObjects2-Bin -add objectclass::attributeschema attributeID::1.2.840.113556.1.8000.1420.1.2.3003 attributeSyntax::2.5.5.1 isSingleValued::FALSE adminDisplayName::joeware-ManagedObjects-Bin adminDescription::joeware-ManagedObjects-Bin oMSyntax::127 lDAPDisplayName::joeware-ManagedObjects-Bin systemOnly::FALSE isMemberOfPartialAttributeSet::TRUE linkid::joeware-ManagedBy-Bin -exterr

admod  -sc refreshschema

LDIF Files for the attributes

Linked Multi-Multi 2.5.5.14 DN with String Attribute

# Forward Link (Writeable)
dn: CN=joeware-ManagedBy,SCHEMA
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.3000
attributeSyntax: 2.5.5.14
isSingleValued: FALSE
linkID: 1.2.840.113556.1.2.50
adminDisplayName: joeware-ManagedBy
oMObjectClass:: KoZIhvcUAQEBDA==
adminDescription: joeware-ManagedBy
oMSyntax: 127
lDAPDisplayName: joeware-ManagedBy
isMemberOfPartialAttributeSet: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

# Back Link (Read Only)
dn: CN=joeware-ManagedObjects,SCHEMA
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.3001
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
linkID: joeware-ManagedBy
adminDisplayName: joeware-ManagedObjects
oMObjectClass:: KwwCh3McAIVK
adminDescription: joeware-ManagedObjects
oMSyntax: 127
lDAPDisplayName: joeware-ManagedObjects
isMemberOfPartialAttributeSet: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

Linked Multi-Multi 2.5.5.7 DN with Binary Attribute

# Forward Link (Writeable)
dn: CN=joeware-ManagedBy-Bin,SCHEMA
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.3002
attributeSyntax: 2.5.5.7
isSingleValued: FALSE
linkID: 1.2.840.113556.1.2.50
adminDisplayName: joeware-ManagedBy-Bin
oMObjectClass:: KoZIhvcUAQEBCw==
adminDescription: joeware-ManagedBy-Bin
oMSyntax: 127
lDAPDisplayName: joeware-ManagedBy-Bin
isMemberOfPartialAttributeSet: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

# Back Link (Read Only)
dn: CN=joeware-ManagedObjects-Bin,SCHEMA
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.1420.1.2.3003
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
linkID: joeware-ManagedBy-Bin
adminDisplayName: joeware-ManagedObjects-Bin
oMObjectClass:: KwwCh3McAIVK
adminDescription: joeware-ManagedObjects-Bin
oMSyntax: 127
lDAPDisplayName: joeware-ManagedObjects-Bin
isMemberOfPartialAttributeSet: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

So now you have the attributes defined (or the ability to get them defined) and you just need to assign them to some object classes to use them. Which object classes? It depends on where you want the forward linked attribute functionality. If you want the functionality on computers, you can add the forward link attribute(s) to the computer objectClass definition. If you want them for computers and users you can add to the user objectClass definition and they will be useable on both users and computers. If you want them on groups you add them to the group objectClass definition. Ditto Organizational Unit objects, Ditto Containers, Ditto Organization Objects, Ditto Sites, Ditto subnets, etc. The one thing that would be cool for you to do that you can’t do is add the forward link to the Top object definition (it simply won’t work). However you absolutely can and absolutely should add the back link to the Top object.

Linking the attributes to various object classes with AdMod

Linked Multi-Multi 2.5.5.14 DN with String Attribute

Here are some commands to link the forward link attribute to multiple different classes, pick and choose as you like. The back link should be left as-is being linked to Top.

admod  -schema -rb CN=User maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Group maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Organizational-Unit maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Container maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Site maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Subnet maycontain:+:joeware-ManagedBy
admod  -schema -rb CN=Top maycontain:+:joeware-ManagedObjects
admod  -sc refreshschema  

Linked Multi-Multi 2.5.5.7 DN with Binary Attribute

Here are some commands to link the forward link attribute to multiple different classes, pick and choose as you like. The back link should be left as-is being linked to Top.

admod  -schema -rb CN=User maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Group maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Organizational-Unit maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Container maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Site maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Subnet maycontain:+:joeware-ManagedBy-Bin
admod  -schema -rb CN=Top maycontain:+:joeware-ManagedObjects-Bin
admod  -sc refreshschema  

LDIF Files for linking the attributes

Linked Multi-Multi 2.5.5.14 DN with String Attribute

# Forward Link (Writeable)
dn: CN=User,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

dn: CN=Group,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

dn: CN=Organizational-Unit,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

dn: CN=Container,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

dn: CN=Site,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

dn: CN=Subnet,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy
–

# Back Link (Read Only)
dn: CN=Top,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedObjects
–

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

Linked Multi-Multi 2.5.5.7 DN with Binary Attribute

# Forward Link (Writeable)
dn: CN=User,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

dn: CN=Group,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

dn: CN=Organizational-Unit,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

dn: CN=Container,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

dn: CN=Site,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

dn: CN=Subnet,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedBy-Bin
–

# Back Link (Read Only)
dn: CN=Top,SCHEMA
changetype: modify
add: mayContain
mayContain: joeware-ManagedObjects-Bin
–

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
–

That should be enough to get you and all of your friends up and running with some cool linked DN attributes with additional hopefully useful information actually in the links.

    joe

[1] Which is

[Sun 07/08/2018 12:35:08.89]
E:\Dev\Ad\Schema>wmic /node:"K16SC-DC1.multimanage.test.loc" os get version /format:list

Version=10.0.14393

I posted about this about a decade ago but going through email this morning I found at least 8 or 9 questions from people in some way shape or form related to it so I figured I would re-post and maybe it will show up search engines more or perhaps people will realize it still works…

Q: Every time I look at a network trace from AdFind I see something like:

This is called LDAP Sealing. You can disable this by disabling Client Signing/Sealing. Once disabled the traffic should look like:

The current Client Signing setting is maintained in the registry (of course) in the key

HKLM\System\CurrentControlSet\Services\LDAP under the value LDAPClientIntegrity.

There are three possible values

0
No signing/sealing

1
Negotiate signing/sealing

2
Require signing/sealing

You will likely see it set to 1 if it is set to anything. If it isn’t set, the default internally is 1 anyway… So if you switch this to 0, you will *generally* start seeing the LDAP traffic in the clear and it should work with most LDAP API based apps. If you are trying to do this for another app and it isn’t work then the issue could very well be that the application itself is forcing the information to be “encrypted” anyway like the AdFind -kerbenc switch does. At that point you have no choice but to use Insight for AD[1] which hooks the LDAP calls prior to being encoded.

You can see the current value of the setting with:

reg query HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity

You will see something like:

[Sat 07/07/2018 16:46:32.47]
E:\>reg query HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    LDAPClientIntegrity    REG_DWORD    0x1

If you want to quickly set it to 0 you can use the following command:

reg add HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity /t REG_DWORD /d 0x00 /f

You will see something like:

[Sat 07/07/2018 16:46:43.63]
E:\>reg add HKLM\System\CurrentControlSet\Services\LDAP /v LDAPClientIntegrity /t REG_DWORD /d 0x00 /f
The operation completed successfully.

Note that this can also be set through Group Policy so you may find that you set it to 0 and then later it goes back to 1 or even possibly 2. If that happens a GPO was configured to define a value for Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Network Security: LDAP client signing requirements.

     joe

[1] Insight for Active Directory (AD) is an old tool from SysInternals that used to absolutely rock. It hooked the LDAP API calls so every single call that came through you had visibility into what it was doing. At some point this tool broke hard and was worthless and was absolutely worthless for x64. However SysInternals eventually released a new version V1.2 which worked again but I personally have found it to be very hit and miss. Try it, if it helps you and you like it, awesome. Keep in mind that at least I have found this latest version to be quite sporadic on x64 Windows 10 missing calls as well as crashing outright. https://docs.microsoft.com/en-us/sysinternals/downloads/adinsight

Forest/Domain Mode = WinThreshold??

Really MSFT?

Come on… Sloppy.

-ForestMode

Specifies the forest functional level for the new forest. Supported values for this parameter can be either a valid integer or a corresponding enumerated string value. For example, to set the forest mode level to Windows Server 2008 R2, you can specify either a value of 4 or Win2008R2.

The acceptable values for this parameter are:

• Windows Server 2003: 2 or Win2003
• Windows Server 2008: 3 or Win2008
• Windows Server 2008 R2: 4 or Win2008R2
• Windows Server 2012: 5 or Win2012
• Windows Server 2012 R2: 6 or Win2012R2
• Windows Server 2016: 7 or WinThreshold

The default forest functional level in Windows Server is typically the same as the version you are running. However, the default forest functional level in Windows Server 2008 R2 when you create a new forest is Windows Server 2003 or 2.

Type:
ForestMode

Parameter Sets:
Win2008, Win2008R2, Win2012, Win2012R2, WinThreshold, Default

Position:
Named

Default value:
Windows2008R2

Accept pipeline input:
False

Accept wildcard characters:
False

.

..

…

….

.

..

Or if you prefer

|

/

–

\

|

/

errr….

So back a while back (http://blog.joeware.net/2017/10/31/5801/) I pulled AdMod into the garage…It is still there. I am working on it when I can. It is slow going, much slower going than AdFind goes because the code is much more involved and a lot less forgiving of mistakes. If I screw up you may screw something in your directory up and while that would be entirely your fault, I would still not be happy about it. So it necessarily goes a little slower. On top of that work has been very busy and involved and life in general has been also.

Work has been a lot of “hey we needed this two months ago!” combined with scraping the floors and trying to sort out exactly how many subfloors have been stacked on top of each other… or if you prefer a roofing analogy how many times they have shingled over the roof versus a desperately needed complete tear off. The answer so far is a lot. A bunch of sorta so so implemented standards etc. It is tough to blame people though because the environment is so large (way too large in many ways and I *can* blame people for those decisions that caused that) and the security tools in place that make working painful and terribly inefficient (do not EVER use Symantec DCS on domain controllers please) and the priorities are so fluid and shifting often on a daily basis it is tough to stick to something and see it through. I mean you still have to do it as that is your job as a professional despite what management thinks the priorities are, it is just tougher than in smaller more static environments. So many weird / interesting issues that have been encountered that I need to find time to write up and post. Everything from “Are you f’ing kidding me POS hardware manufacturer?” to “Are you f’ing kidding me Microsoft?” to “Are you f’ing kidding me Apple?” to all sorts of stuff. So much that most of it is just a blur. That is part of the reason for fluid and shifting priorities and we need this changed immediately.

And ironically, diametrically opposed in fact, to fluid and shifting priorities and we need this changed immediately there is a lot of dependence on things being static and not changing… You all know that as secret code as people *&^$(*&$#$ hardcoding applications and application configurations. And by the way… Load Balancers and VIPS in front of Domain Controllers is STILL an unsupported and truly bad idea and if you say “well at least we aren’t hard coding the applications” you really still are, you just have an extra layer of obfuscation there…. You are hardcoding one app that is hardcoded to domain controllers. Stop. Smack your developers and tell them do it right, it is time. It is actually well past the time. More, A TON MORE, on that later as another thing I have been working on is a blog post about stupid and/or lazy devs not properly finding domain controllers. At last peek it was > 6000 words or roughly 12 8.5×11 pages printed and needed to be chopped up into a blog series versus a single post. I thought for a second of selling it to some eZine or tech site or magazine or something because it is good stuff but it really needs to be read so I want it to be very freely available and reblogged and pointed at by every admin in the world to their devs and vendors. I like money, strike that – really like money, but I would rather give this for free if it somehow helps the industry get better. Don’t ever say I didn’t sacrifice myself for all y’all.

Anyway back to AdMod… it is still being worked on and has a ton of new functionality in it, especially around Security Descriptors. I do a massive amount of testing every time I make a change so that if I do break something I don’t have to roll back a bunch of complicated code to find what specifically caused it. 

Oh and also at the same time I have submitted something like 40 BUGBUGs and an additional 40 or so DCRs to myself for the next version of AdFind.

So please hold tight, just like Christmas, but hopefully sooner, AdMod is coming…

   joe

[Updated: 2018/07/07]

There are a series of control access rights (CARs) that are specifically tied to granting permissions for returning “Replicated Changes” which are changes to the Directory Service (DS) that would be (and are if everything is working properly) replicated to other Directory Service Agents (aka DSAs / domain controllers or ADLDS instances). There isn’t a lot of documentation for these and quite a bit of confusion. I know I was confused by it for a while myself thinking this doesn’t seem right and so I looked at the Windows Source code to get the authoritative answer.

These permissions are granted to the DSAs and can also be granted to other security principals (groups/users/computers) to allow them to pull the changes via the LDAP DIRSYNC control and/or the RPC based DRSGetNCChanges. A common example of an application that has these permissions granted is FIM or MIM for syncing changes from Active Directory. An even more common example is Azure Active Directory Connector which ties your on premises Active Directory to your Azure Active Directory, note that it is simply (at the time of this writing) a specialized version of FIM/MIM. SharePoint is another app like that likes to do things with this functionality.

I am writing this post because there is regularly confusion over what the different versions of the permissions are and what has to be applied for something to work at all.

So to start, here are the specific Control Access Rights we are talking about:

[Thu 05/24/2018 22:44:20.45]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -config -f displayname=*replicating* rightsguid name displayname -nodn -jtsv2
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes      Replicating Directory Changes
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2    DS-Replication-Get-Changes-All  Replicating Directory Changes All
89e95b76-444d-4c62-991a-0facbeda640c    DS-Replication-Get-Changes-In-Filtered-Set      Replicating Directory Changes In Filtered Set

The permissions in Active Directory should all be at the ROOT of the naming context and do not have to (and shouldn’t be configured to) be inherited down to the rest of the directory. They are CAR permissions so you need the Control Access (represented as CR in SDDL strings and CTL in AdFind enhanced Security Descriptor output) permission granted and not a ReadProp/WriteProp kind of thing. The permissions in a standard configuration will look something like:

[Thu 05/24/2018 22:45:19.41]
E:\>adfind -hh k16tst-dc1.k16tst.test.loc -s base -jsdenl ;;;replicating

AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017

Using server: K16TST-DC1.k16tst.test.loc:389
Directory: Windows Server 2016
Base DN: DC=k16tst,DC=test,DC=loc

dn:DC=k16tst,DC=test,DC=loc
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;K16TST\Enterprise Read-only Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;K16TST\Domain Controllers
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BUILTIN\Administrators
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes In Filtered Set;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

1 Objects returned

So what do they do? We will start with the most powerful and work our way back…

“Replicating Directory Changes All”  – This permission allows you to replicate ANYTHING. Secrets (like password hashes), Filtered Attributes (RODC FAS), and any other attribute/object you want to check out. Note that from what I have so far been able to ascertain, you cannot get the secrets via the LDAP interface; it requires using the RPC interface. I could be wrong here, if you know for sure, please let me know.

“Replicating Directory Changes In Filtered Set” – This permission allows you to replicate things in the RODC FAS but NOT secrets like password hashes etc.

“Replicating Directory Changes” – This is the lowest level permission HOWEVER you need this to use the RPC and LDAP DIRSYNC replicating changes mechanisms period. I.E. if you don’t have this you don’t have anything[1].

You might think I’m crazy… err no… You might think (and it makes it nice and clean for delegation models) that you could just set “Replicating Directory Changes All” and be done with it but no, the way the code is written, you must also have the base level “Replicating Directory Changes” as well. Basically the functional flow is something like:

1. Do you have “Replicating Directory Changes” permissions on the NC Head object you are using these special mechanisms with?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
2. Are you asking for any RODC FAS attributes?
    A. Yes.
       I. Do you have “Replicating Directory Changes In Filtered Set”?
          a. No.
             i. Do you have “Replicating Directory Changes All”?
                1. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
3. Are you asking for Secrets (like password hash) and do you have “Replicating Directory Changes All”?
    A. No – Get out, here is your ERROR_DS_DRA_ACCESS_DENIED (error 8453) for your troubles.
4. [This bit is a guess based on testing so far] Are you using LDAP DIRSYNC and asking for Secrets
    A. Yes. You get your output but secrets (like password) will come through blank.
5. Yay, you have access, here is the output for your request.   

Again if I had written this I very likely (depends on the actual requirements documentation) would have checked for “Replicating Directory Changes All” first and then if that was there just return TRUE for the function. Next check for “Replicating Directory Changes in Filtered Set” and if they weren’t asking for Secrets return TRUE for the function. And finally if those failed check the base level “Replicating Directory Changes” and if they weren’t asking for FAS/Secret stuff return TRUE for the function. Written my way the delegation is simpler. You need the one Grant ACE to do what you need to do, not two. 

    joe

[1] There is an exception for DIRSYNC called “Per Object” mode to access DIRSYNC without needing the Replicating* permissions. There is little to no documentation that I have found regarding this functionality. Perhaps at some point I will tackle it. If you are aware of any good documentation, let me know and I will check it out and likely share it.

The reg key hklm\system\currentcontrolset\services\lanmanserver\parameters has a specific value you can set under it called EnableECP.

There is some confusion on whether or not that key is case sensitive.

I can say that no, it is not case sensitive. I looked it up in the source code. The ZwOpenKey ObjectAttributes parameter is being initialized via InitializeObjectAttributes with OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE.

‘nuff said.

   joe

This is the magic reg key if you use Outlook 2016 for POP3/IMAP and other want to not have to re-do all of your settings…

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles