CLDAP usage during user logon?

  • Question

  • Hi All,

    Yesterday I was sniffing some packets during user logon. After the machine boots up successfully and the user logs on using username and password, the steps below are seen.

    1. 10.10.10.2   10.10.10.1   CLDAP searchRequest(11) "<ROOT>" baseObject
    2. 10.10.10.1   10.10.10.2   CLDAP searchResEntry(11) "<ROOT>" searchResDone(11) success [1 result]
    3. 10.10.10.2   10.10.10.1   KRB5 AS-REQ
    4. 10.10.10.1   10.10.10.2   KRB5 AS-REP
    5. 10.10.10.2   10.10.10.1   KRB5 TGS-REQ
    6. 10.10.10.1   10.10.10.2   KRB5 TGS-REP
    7. 10.10.10.2   10.10.10.1   CLDAP searchRequest(12) "<ROOT>" baseObject
    8. 10.10.10.1   10.10.10.2   CLDAP searchResEntry(12) "<ROOT>" searchResDone(12) success [1 result]

     

    Can anyone please explain why I am getting CLDAP messages? Is it related to the Global Catalog? I can see that CLDAP has an attribute for Netlogon.

    Note:

    user (XP) - 10.10.10.2  ; server (2003) - 10.10.10.1

    Kind Regards,

    Dhruv

    Sunday, July 25, 2010 10:48 AM

All replies

  • http://www.rfc-archive.org/getrfc.php?rfc=3352

    This link to the RFC might help.

    Regards,

    Dhruv

     

    Sunday, July 25, 2010 12:32 PM
  • Hello,

    CLDAP is UDP-based Connectionless LDAP:

    http://technet.microsoft.com/en-us/library/cc961766.aspx

    http://msdn.microsoft.com/en-us/library/system.directoryservices.protocols.ldapdirectoryidentifier.connectionless(VS.90).aspx

    http://wiki.wireshark.org/MS-CLDAP


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, July 25, 2010 12:35 PM
  • Just to add to Meinolf's response, UDP allows the app to control the connection, rather than TCP to control the connection, which is why CLDAP uses UDP.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Sunday, July 25, 2010 4:05 PM
  • CLDAP is based on the use of UDP encapsulation. UDP is used when there is a need to transfer data very quickly and the loss of some of this data is of no great importance. It is also used to transmit small amounts of data because it is faster than TCP.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Best regards.

    Sunday, July 25, 2010 8:37 PM
  • Hi Ace, nice to see you back, and thanks Malek and Meinolf for posting the reply. Let me revise my question to you all. In my previous discussion with Ace, I found that the Global Catalog is approached during user login to the machine (after the machine boots up). When I sniffed the packets I could find only CLDAP messages and the other Kerberos auth.

    I know that only users authenticated via Kerberos / NTLM can use LDAP. So let me frame the questions as:

    Q1. Does a GC search use CLDAP or LDAP?

    I could not find any GC search packets in the Wireshark sniffer.

    Q2. Can CLDAP be used without Kerberos auth?

    Packet capture:

    1. 10.10.10.2   10.10.10.1   CLDAP searchRequest(11) "<ROOT>" baseObject
    2. 10.10.10.1   10.10.10.2   CLDAP searchResEntry(11) "<ROOT>" searchResDone(11) success [1 result]
    3. 10.10.10.2   10.10.10.1   KRB5 AS-REQ
    4. 10.10.10.1   10.10.10.2   KRB5 AS-REP
    5. 10.10.10.2   10.10.10.1   KRB5 TGS-REQ
    6. 10.10.10.1   10.10.10.2   KRB5 TGS-REP
    7. 10.10.10.2   10.10.10.1   CLDAP searchRequest(12) "<ROOT>" baseObject
    8. 10.10.10.1   10.10.10.2   CLDAP searchResEntry(12) "<ROOT>" searchResDone(12) success [1 result]

    Monday, July 26, 2010 1:26 AM
  • Q1. Does a GC search use CLDAP or LDAP?

    It uses CLDAP.

    Are 10.10.10.2 and 10.10.10.1 two DCs?

    Q2. Can CLDAP be used without Kerberos auth?

    Kerberos authentication is required, so no, the session MUST be authenticated.

    More...

    Microsoft AD network communications use CLDAP because it uses UDP, and UDP is more efficient and faster without the TCP overhead, as Malek indicated. Microsoft refers to it as an "AD Ping", but it's actually a RootDSE query for the Netlogon attribute used to communicate with DCs and GCs. CLDAP is based on RFC 1798.

    There isn't much info on CLDAP, since it's down to the development level on how the client communicates with an LDAP service and how a DC communicates with other DCs. There are security factors involved to protect the traffic since it uses Microsoft's RPC. You can see the development factors involved if you were a developer, in the MSDN search for "CLDAP" link below.

    Here's more info.

    MS-CLDAP
    http://wiki.wireshark.org/MS-CLDAP

    MSDN Search for CLDAP. It basically says it's used to establish an LDAP connectionless (using UDP) with AD.
    http://social.msdn.microsoft.com/Search/en-us?query=cldap

    [MS-ADTS]: Active Directory Technical Specification
    http://msdn.microsoft.com/en-us/library/cc223122(PROT.10).aspx

    There is a paper in PDF format that describes CLDAP that I read years ago, but I can't remember the specifics other than saying communications will use CLDAP. The PDF's old link doesn't work, but FYI here it is so you are aware of its existence:
    ftp://www6.software.ibm.com/software/developer/library/os-ltc-filesystems/Liguorifinal.pdf

    More to add - The following is quoted from a person responding to someone else that was capturing traffic and saw the same thing you did. Basically to summarize, it's saying it's using CLDAP for the session.
    http://www.gossamer-threads.com/lists/ethereal/dev/62631
    "It's [CLDAP] using standard connectionless LDAP (RFC 1798) with some sneaky
    piggybacking of stuff on top of it, so it uses the standard LDAP
    dissector with some special code to detect the special stuff they added."

    More specifics:
    Scroll down to "DNS and CLDAP traffic"
    Active Directory and Network Protocol Traffic:
    http://www.hsc.fr/ressources/presentations/ad_proto_traffic/ad_proto_traffic_en.pdf


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Monday, July 26, 2010 4:01 AM
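    To make the "AD Ping" described above concrete, here is an added Python example (not code from this thread, and not Microsoft's own implementation) that builds the CLDAP request seen as frames 1 and 7 of the capture (an LDAP searchRequest against the RootDSE, baseObject scope, filter on DnsDomain and NtVer, requesting only the Netlogon attribute) and parses the NETLOGON_SAM_LOGON_RESPONSE_EX value a DC returns in that attribute. The BER layout follows RFC 4511 and the response layout follows [MS-ADTS] section 6.3.1.9. The domain name corp.example, the GUID, the site names and the flag bits in the sample reply are constructed test data, and the NtVer value 6 is an assumed typical client value; nothing here touches the network.

```python
"""Added example: build a CLDAP Netlogon ping and parse the DC's reply.

Assumptions (not from the thread): the sample domain, GUID, site names and
flag bits are constructed test data; the wire format follows the LDAP BER
rules (RFC 4511) and the NETLOGON_SAM_LOGON_RESPONSE_EX layout in [MS-ADTS]
section 6.3.1.9. Nothing here touches the network.
"""
import struct
import uuid
from typing import Dict, Tuple

# --- minimal BER encoder, enough for one LDAP searchRequest ---------------

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV using short or long definite-length form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def build_netlogon_ping(message_id: int, dns_domain: str,
                        nt_version: int = 0x00000006) -> bytes:
    """LDAPMessage { messageID, searchRequest } as a client sends it to UDP/389.

    baseObject is the empty DN (Wireshark shows it as "<ROOT>"), scope is
    baseObject, the filter is (&(DnsDomain=...)(NtVer=...)) and the only
    attribute requested is Netlogon. nt_version 6 (V1 | 5EX) is an assumed
    typical client value, not taken from the thread.
    """
    eq_domain = ber(0xA3, ber(0x04, b"DnsDomain") + ber(0x04, dns_domain.encode()))
    eq_ntver = ber(0xA3, ber(0x04, b"NtVer") + ber(0x04, struct.pack("<I", nt_version)))
    filt = ber(0xA0, eq_domain + eq_ntver)            # and [0] { equalityMatch [3], ... }
    search = ber(0x63,                                # searchRequest [APPLICATION 3]
                 ber(0x04, b"")                       # baseObject: "" (RootDSE)
                 + ber(0x0A, b"\x00")                 # scope: baseObject
                 + ber(0x0A, b"\x00")                 # derefAliases: neverDerefAliases
                 + ber(0x02, b"\x00")                 # sizeLimit 0
                 + ber(0x02, b"\x00")                 # timeLimit 0
                 + ber(0x01, b"\x00")                 # typesOnly FALSE
                 + filt
                 + ber(0x30, ber(0x04, b"Netlogon"))) # attributes: [ "Netlogon" ]
    msg_id = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    return ber(0x30, ber(0x02, msg_id) + search)

# --- NETLOGON_SAM_LOGON_RESPONSE_EX decoder --------------------------------

FLAG_NAMES = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
              0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE",
              0x200: "GOOD_TIMESERV"}
NAME_FIELDS = ("DnsForestName", "DnsDomainName", "DnsHostName",
               "NetbiosDomainName", "NetbiosComputerName", "UserName",
               "DcSiteName", "ClientSiteName")


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode an RFC 1035 compressed name at off; return (name, next offset).

    Pointers (0xC0xx) are relative to the start of the Netlogon value, which
    is why the whole structure is passed in rather than a slice.
    """
    labels, end, hops = [], None, 0
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                          # compression pointer
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            off = ((n & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:                                    # root label terminates the name
            break
        labels.append(buf[off:off + n].decode("utf-8"))
        off += n
    return ".".join(labels), end if end is not None else off


def parse_netlogon_response(buf: bytes) -> Dict[str, object]:
    """Parse the Netlogon attribute value (no DcSockAddr, i.e. no V5EX_WITH_IP)."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != 0x17:                                # LOGON_SAM_LOGON_RESPONSE_EX
        raise ValueError("unexpected opcode 0x%04x" % opcode)
    guid = uuid.UUID(bytes_le=bytes(buf[8:24]))
    fields: Dict[str, object] = {}
    off = 24
    for name in NAME_FIELDS:
        fields[name], off = _read_name(buf, off)
    nt_version, _lmnt, _lm20 = struct.unpack_from("<IHH", buf, off)
    fields.update(Opcode=opcode, Flags=flags, DomainGuid=str(guid), NtVersion=nt_version,
                  FlagNames=[n for b, n in sorted(FLAG_NAMES.items()) if flags & b])
    return fields

# --- constructed sample reply (what a DC would put in the Netlogon attribute)

def _labels(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))


def build_sample_response() -> bytes:
    """Constructed reply for dc1.corp.example that is PDC, GC and KDC."""
    buf = bytearray(struct.pack("<HHI", 0x17, 0, 0x3FD))
    buf += uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le
    forest_off = len(buf)
    buf += _labels("corp.example") + b"\x00"                   # DnsForestName
    buf += struct.pack(">H", 0xC000 | forest_off)              # DnsDomainName -> pointer
    buf += _labels("dc1") + struct.pack(">H", 0xC000 | forest_off)  # DnsHostName
    buf += _labels("CORP") + b"\x00"                           # NetbiosDomainName
    buf += _labels("DC1") + b"\x00"                            # NetbiosComputerName
    buf += b"\x00"                                             # UserName (empty)
    site_off = len(buf)
    buf += _labels("Default-First-Site-Name") + b"\x00"        # DcSiteName
    buf += struct.pack(">H", 0xC000 | site_off)                # ClientSiteName -> pointer
    buf += struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)              # NtVersion, LmNtToken, Lm20Token
    return bytes(buf)


if __name__ == "__main__":
    print("request:", build_netlogon_ping(11, "corp.example").hex())
    for k, v in parse_netlogon_response(build_sample_response()).items():
        print("%-20s %s" % (k, v))
```

    Sending the request to UDP port 389 of a DC and unwrapping the searchResEntry to get at the Netlogon value is not shown; the point is what the two frames in the capture contain. When auditing logon traffic from a pcap, decoding the reply this way tells you which DC roles (PDC, GC, KDC) and which site the client located before the AS-REQ went out.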
  • Hi Ace,

    Thanks for the answer. If you remember, we talked in the last thread about GC; these packets I received when the client joins the domain (after the machine boots up).

    I presume this is a GC search. If my assumption is true, then I should find Kerberos authentication before these packets, right?

    1. 10.10.10.2   10.10.10.1   CLDAP searchRequest(11) "<ROOT>" baseObject
    2. 10.10.10.1   10.10.10.2   CLDAP searchResEntry(11) "<ROOT>" searchResDone(11) success [1 result]

    Thanks again for your support. :-)

    Kind Regards,

    Dhruv Sharma

    Tuesday, July 27, 2010 8:44 AM
  • Hi Ace,

    Adding to my points, I got Kerberos authentication packets at the machine booting stage. Does GC work on that authentication?

    Best Regards,

    Dhruv

    Tuesday, July 27, 2010 8:46 AM
  • Hi Dhruv,

    Yes, the machine client-side extensions will query for a GC in its own AD Site. You should also capture DNS query traffic along with CLDAP traffic. You will see in the timeline that it queries first for _gc._msdcs.domain.com before Kerberos kicks in. It will connect to the GC first, then Kerberos authentication ensues.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Marked as answer by Dhruv.tech Wednesday, July 28, 2010 3:45 AM
    Tuesday, July 27, 2010 3:19 PM
  • Hi Ace,

    I got the answer, thanks. As you mentioned in the previous reply, on the Microsoft website:

    Searching the Global Catalog vs. Searching the Domain

    The decision whether to search the Global Catalog or the domain is based on the scope of the search:

    • When the scope of a search is the domain or an organizational unit, the query can be resolved within the domain partition by using an LDAP search.

    • When the scope of a search is the forest, the query can be resolved within any partition by using a Global Catalog search.

    Because my machine is not part of any forest, only a single domain, it is not contacting a GC; instead it is contacting the DC. ...

    Finally I got the answer...

    Thanks a lot, you have helped me a lot. You deserve a lunch from my side... will plan some day lol :-)

    Have a nice day.

    Regards,

    Dhruv

     

    Wednesday, July 28, 2010 4:03 AM
  • No problem, Dhruv! Lunch is not necessary, but I do appreciate the offer.

    I also marked your post as Propose As Answer, because you've posted some excellent info on the differences between a GC and DC query.

    Cheers!

    Ace

    Forgot to add: Interesting how it doesn't mention CLDAP, rather just LDAP, but looking at the captures, you can see they are CLDAP requests. - Cheers!

    Late addition #2: The only exception to the single domain forest not using a GC is Exchange. Exchange heavily uses a GC, whether a single domain forest or multiple domain forest. That is how the GAL is assembled.


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Edited by Ace Fekay [MCT] Wednesday, July 28, 2010 4:47 AM Two changes, please see above
    Wednesday, July 28, 2010 4:42 AM