Activity for Martin Jacobsen

  • Martin Jacobsen posted a comment on discussion Discussions

    It's been a while since I wrote about my gMSA adventure, so I thought it was time for an update. I have finally managed to get this to work. A lot of time has been spent trying to figure out why we couldn't get the login to work as the gMSA, but at least some of the issue seemed to be related to using a SimpleBind. Now we are using a Digest-MD5 bind instead and it works! Here's a quick rundown of the solution: Since there's to my knowledge no easy way to retrieve the gMSA password from Java, we are...

  • Martin Jacobsen posted a comment on discussion Discussions

    Thank you for the answer and ideas Neil. I have also thought about using a program to capture the traffic, but I actually didn't know there were these tools in the SDK. That's nice to know. I have tried the ldap-debugger a bit today, and while I did manage to capture some test traffic, using the admin login from a Java app on my dev machine, I'm still not there yet where I can use the C# application and capture the traffic. I had some problems with the auth mechanism used in the C# application (Microsoft...

  • Martin Jacobsen posted a comment on discussion Discussions

    I've tried to bind with the gMSA for several weeks now, but without success. Even though I'm able to get a hold of the password of the gMSA, I just can't get the bind to work through UnboundID LDAP SDK or even JNDI for that matter. It works fine in C# both with or without password. It's like there's something denying access when it's not a MS technology trying to make contact with AD through a gMSA. At the same time, I don't quite understand why this isn't something that is easily supported through...

  • Martin Jacobsen modified a comment on discussion Discussions

    The problem is this: I have retrieved the password of the gMSA that I'm trying to bind to, but every time I do a simple bind using the DN of the gMSA and the retrieved password, I get an error 49 - invalid credentials. I can verify that the password is correct, since I can c/p it and do a bind in MS LDP. The reason for base64 encoding the password was just to wrap it up in something when writing it to the std output stream from the C# application, and then of course I decode it after reading it from...

  • Martin Jacobsen posted a comment on discussion Discussions

    That is exactly the code I'm using in my C# application to get a hold of the msDS-ManagedPassword blob. I then run it into some other code to extract the password in clear text. It just looks like gibberish, but it's the password. I use the DSInternals module mentioned in this blog post: https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/#comment-119852 Even though I have the actual password, I've not been able to perform a successful bind from a java application...

  • Martin Jacobsen posted a comment on discussion Discussions

    The problem is this: I have retrieved the password of the gMSA that I'm trying to bind to, but every time I do a simple bind using the DN of the gMSA and the retrieved password, I get an error 49 - invalid credentials. I can verify that the password is correct, since I can c/p it and do a bind in MS LDP. The reason for base64 encoding the password was just to wrap it up in something when writing it to the std output stream from the C# application, and then of course I decode it after reading it from...

  • Martin Jacobsen posted a comment on discussion Discussions

    Did you get a chance to look at the code yet Jim? I did an experiment the other day, setting the same password as the gMSA on a normal user, and then tried binding to the user using my RuntimeExecPOC application, and it worked just fine. I'm beginning to think that it might just be a problem when using a gMSA. That you simply can't bind to it the normal way. It would be nice to find a solution for Java applications though. It doesn't feel right that this is something that you simply can't do in Java...

  • Martin Jacobsen posted a comment on discussion Discussions

    Thx for your fast reply Jim! I have posted two classes here: https://github.com/nsismartin/gMSA_bind_java/tree/main This is only the java side of the project. It reads the B64 encoded password from the output stream from a C# console application, decodes the password and tries to bind. Everything starts in the main method of the RuntimeExecPOC.java. Please let me know if you have any problems getting access to the code, or similar. /Martin

  • Martin Jacobsen modified a comment on discussion Discussions

    Thx for your reply Jim. I've tried going down this path, using a C# console application to retrieve the contents of the msDS-ManagedPassword attribute, and then extract the password from the byte blob. I then call this C# console application from a Java application using Runtime.exec(). I can verify that the password is correct, as I am able to authenticate using the sAMAccountName and a copy/paste of the password directly in the MS Ldap application on the server. I am however not able to make a...

  • Martin Jacobsen posted a comment on discussion Discussions

    Thx for your reply Jim. I've tried going down this path, using a C# console application to retrieve the contents of the msDS-ManagedPassword attribute, and then extract the password from the byte blob. I can verify that the password is correct, as I am able to authenticate using the sAMAccountName and a copy/paste of the password directly in the MS Ldap application on the server. I am however not able to make a bind using UnboundId LDAP SDK. I've tried various things without success. I'm using a...

  • Martin Jacobsen posted a comment on discussion Discussions

    Hi. I'm new with LDAP, and I'm having some problems binding/searching using a gMSA. I also can't find anything useful online about how to do this. We have some customers that want to change the account used for running services to a gMSA, so I have tried to create a connection only using the DN of the group managed service account. I've tried using LDAPConnectionOptions with setBindWithDNRequiresPassword=true, and then using a SimpleBindRequest with the gMSA DN and an empty password. The binding...
