This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD user lookups - clear text by default?

I've added our Active Directory domain controller to the authentication server list. SSL is unchecked (default) and it connects over port 389.

If I allow users to bypass web filtering blocked pages by entering in the AD username/password and a bypass "reason", is their password sent over clear text to the domain controller?

This thread was automatically locked due to age.

Parents

0 Idriel over 10 years ago

Hi, I would say yes at least for BINDing to LDAP over port 389, that why you need LDAP over SSL.

Then for the traffic inside, it’s in clear text but it depends will you see real username and password (if Basic authentication is used) or NTLM or Kerberos ticket session if there is AD SSO. Really depends what’s your browser is sending.

In both cases, you can easy see what is going in clear text by capturing traffic portion between ur UTM and Active Directory.
https://sophserv.sophos.com/repo_kb/115343/file/308674.pdf

If you want security, than u need to Setup and enable LDAP over SSl on port 636.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Idriel over 10 years ago

Hi, I would say yes at least for BINDing to LDAP over port 389, that why you need LDAP over SSL.

Then for the traffic inside, it’s in clear text but it depends will you see real username and password (if Basic authentication is used) or NTLM or Kerberos ticket session if there is AD SSO. Really depends what’s your browser is sending.

In both cases, you can easy see what is going in clear text by capturing traffic portion between ur UTM and Active Directory.
https://sophserv.sophos.com/repo_kb/115343/file/308674.pdf

If you want security, than u need to Setup and enable LDAP over SSl on port 636.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data