computer account change password with Windows 2008 domain

Russ Allbery rra at stanford.edu
Wed Jan 7 15:03:32 EST 2009


"Michael B Allen" <ioplex at gmail.com> writes:

> Do you know if works when SASL confidentiality is used instead of TLS?

It does not.  Microsoft's LDAP implementation requires TLS in order to
view or change the password attribute.  I don't know of any technical
reason why SASL confidentiality wouldn't be sufficient (provided the
negotiated strength were high enough), but their implementation doesn't
appear to support this.

> Is there any method that works at all?

> I'm sure a lot of people would like know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.

Under Windows 2008, so far as I can determine, the only supported way to
set unicodePwd over LDAP is to use password binds with TLS.  I don't
believe this is intentional -- Microsoft acknowledges that it's a bug
rather than a design intention -- but as long as the bug is present, it
amounts to the same thing.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list