Bug 11231 - Active Directory Web Services (ADWS) should be supported
Active Directory Web Services (ADWS) should be supported
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
All All
: P5 enhancement
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2015-04-23 09:46 UTC by Björn Jacke
Modified: 2018-11-27 07:29 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2015-04-23 09:46:41 UTC
Active Directory Web Services (ADWS) is a kind of SOAP interface (?) to AD listening on port 9389. It exists since W2k8r2. It's required for the Power Shell AD module to work for example.



The Samba AD server should support that also.
Comment 1 Garming Sam 2018-10-17 08:58:53 UTC
(In reply to Björn Jacke from comment #0)

Just a heads up that I'm currently investigating this and have a proof-of-concept of receiving the decoded SOAP queries as plain XML (to be used by the server).
Comment 2 Stefan Metzmacher 2018-10-17 09:07:09 UTC
(In reply to Garming Sam from comment #1)

Do you have the code somewhere?
Do you have example capture you're able to share?

My wireshark tree at
can dissect the first few layers including decrypting.
Comment 3 Garming Sam 2018-10-17 09:33:31 UTC
I'll post some more detail later, but I discovered a convenient set of Python libraries that someone wrote for a MiTM proxy (and inserted some GENSEC code myself):


Protocol stack for the brave:

MC-NMFTB (MC-NMF TCP binding protocol)
MC-NMF (.NET framing protocol)
MS-NNS (.NET NegotiateStream protocol)

[GSSAPI wrapping]

MC-NBFX (.NET binary format)
MC-NBFS (.NET binary format for SOAP)
MC-NBFSE (.NET binary format extension for MC-NBFS for dictionary compression)

[SOAP unwrapping]

XML / SOAP (overview in MS-ADDM) belonging to one of the following:
- MS-WSDS (Directory extensions to WS-Enumeration)
- MS-WSPELD (LDAPv3 control support to WS-Transfer and WS-Enumeration)
- MS-WSTIM (Directory extensions to WS-Transfer)
- MS-ADCAP (Custom operations e.g. Change password)

WS-Transfer appears to implement stateless CRUD operations while WS-Enumeration has a stateful enumeration context for pulling.
Comment 4 Garming Sam 2018-10-17 09:40:22 UTC
While I was googling around, I also found:


I don't know if that's of any use to you or if you've seen it. One other thing I discovered is that you can dump the SOAP (more or less, you have to strip the outer XML wrapper and there's some additional internal threads it seems) by changing a config file on the ADWS server.

Comment 5 Garming Sam 2018-11-27 07:29:36 UTC
Successfully have AD Powershell commands accepting responses from our custom server. There's a lot of work to actually iron out all the details and actually polish the code, but Get-ADObject works on single objects and with a bit of fiddling with the server at runtime, we have Get-ADComputer successfully listing computers.

Will post PoC code soon - currently implements bits of WS-Transfer (GET), WS-Enumeration.

- Controls are ASN.1 encoded (and our Python bindings only handle string forms)
- Map the remaining LDAP attributes and investigate synthetic attributes
- Implementing Custom Actions

One other thing that isn't clear from the specification is how long the SOAP dictionary is meant to last for compression. It's also unclear how the client is meant to transition between endpoints and what the expectations are of the server.