0

I have a customer with LDAP that I can only log in with GSS-API enabled. He doesn't know how to enable simple authentication.

How can I enable this in MS ActiveDirectory?

Nati
  • I'm sorry, but: do you want to enable simple authentication in AD (to permit users to log in both via kerberos/gssapi & simple auth), or do you want to give your customer the right ldap comment to use simple authentication? (like with a ldapsearch -s), thanks – olivierg May 29 '17 at 20:26

1 Answer

1

To enable Simple auth for a particular user, do this: https://technet.microsoft.com/en-us/library/cc961961.aspx

"To disable preauthentication, right-click the User object in Active Directory Users and Computers. Click Properties, and then click the Account tab. In the Account options list, check Do not require Kerberos preauthentication"

Kos Trush
  • No. Kerberos pre-auth is a part of the kerberos protocol. Disabling it is orthogonal to the problem of not using kerberos at all. – 84104 Jun 22 '17 at 15:52
  • This config enables the client to use simple auth for the exact user. By default it is prohibited, because simple auth does not have Kerberos preauthentication. – Kos Trush Jun 28 '17 at 11:00
  • 2
    Simple auth doesn't use kerberos *at all*. Kerberos preauth is an implementation detail of `SASL/GSSAPI` or `SASL/GSS-SPNEGO`. [Simple isn't even SASL](https://msdn.microsoft.com/en-us/library/cc223498.aspx). You can verify this by attempting a simple bind to an account with kerberos preauth disabled. Use caution however, as non-TLS wrapped communication will result in credentials being sent in the clear over the wire, which is why a [Group Policy](https://technet.microsoft.com/en-us/library/jj852234(v=ws.11).aspx) should be set to prohibit that particular issue. – 84104 Jun 28 '17 at 15:55