Releases: RedTeamPentesting/adauth
v0.5.0
- dcerpcauth: Added option to disable the SPNEGO authentication layer and use raw NTLM/Kerberos
- othername: This package was removed in favor of x509ext
- x509ext: This package contains Windows-specific x509 certificate extensions. It includes the code from othername (with slightly updated names) as well as a new encoder/decoder for NTDS_CA_SECURITY_EXT extension which holds SIDs
- adauth: Fix context being ignored for some DNS queries
Warning: This release contains breaking changes as the othername package was removed in favor of the new x509ext package. The new package contains all types and functions from othername, however, the names differ slightly.
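The wire format a decoder for this extension has to handle, shown as an added example that is neither the x509ext API nor code from the adauth project: it reads the SID from NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) using only the Go standard library. The function names, struct names and the sample SID are constructed for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OIDs published by Microsoft: szOID_NTDS_CA_SECURITY_EXT and szOID_NTDS_OBJECTSID.
var (
	oidSecurityExt = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 25, 2}
	oidObjectSID   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 25, 2, 1}
)

// Value layout: SEQUENCE { [0] IMPLICIT OtherName { OID, [0] EXPLICIT OCTET STRING (SID text) } }.
type securityExt struct {
	Name struct {
		TypeID asn1.ObjectIdentifier
		Value  []byte `asn1:"tag:0,explicit"`
	} `asn1:"tag:0"`
}

// SIDFromExtensions returns the SID string carried in NTDS_CA_SECURITY_EXT.
func SIDFromExtensions(exts []pkix.Extension) (string, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidSecurityExt) {
			continue
		}
		var parsed securityExt
		rest, err := asn1.Unmarshal(ext.Value, &parsed)
		if err != nil || len(rest) != 0 {
			return "", fmt.Errorf("malformed NTDS_CA_SECURITY_EXT (err=%v, trailing=%d)", err, len(rest))
		}
		if !parsed.Name.TypeID.Equal(oidObjectSID) {
			return "", fmt.Errorf("unexpected OtherName type %v", parsed.Name.TypeID)
		}
		return string(parsed.Name.Value), nil
	}
	return "", fmt.Errorf("no NTDS_CA_SECURITY_EXT extension present")
}

// sampleExtensions returns a constructed extension list with a made-up SID.
func sampleExtensions() []pkix.Extension {
	hdr := []byte{0x30, 0x40, 0xa0, 0x3e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
		0x01, 0x82, 0x37, 0x19, 0x02, 0x01, 0xa0, 0x30, 0x04, 0x2e}
	sid := "S-1-5-21-1111111111-2222222222-3333333333-1105" // 46 bytes = 0x2e
	return []pkix.Extension{{Id: oidSecurityExt, Value: append(hdr, sid...)}}
}

func main() { fmt.Println(SIDFromExtensions(sampleExtensions())) }
```

For a parsed certificate, pass `cert.Extensions` from `crypto/x509`; a missing extension is reported as an error so callers can tell it apart from an empty SID.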
v0.4.1
- dcerpc: Fix CCache authentication
- CCache: Allow using service tickets with alternate protocol
- Improve Kerberos compatibility with older domains
v0.4.0
- ldapauth: Simple binds without password are now possible (unauthenticated bind). However, an empty password has to be specified with -p '' to signal the intent for an unauthenticated bind.
- ldapauth: NTLM authentication for plain LDAP server was fixed.
- adauth: Updated Credentials.UPN() behavior: For credentials without a domain, .UPN() will now only return the username. For empty credentials, it will now return an empty string. This behavior should help with using adauth with non-Microsoft targets such as OpenLDAP.
- adauth: Client certificates can now have arbitrary private key types. Previously, RSA keys were required because some AD features only support RSA keys. For PKINIT, the key type now needs to be checked by the user like this:

```go
// PKINIT requires an RSA key, so reject any other key type up front.
rsaKey, ok := creds.ClientCertKey.(*rsa.PrivateKey)
if !ok {
	return fmt.Errorf("cannot use %T because PKINIT requires an RSA key", creds.ClientCertKey)
}
```
v0.3.0
- Fixed issues with AES-key-based Kerberos authentication for accounts whose password was changed
- Fixed Kerberos dialer not being used for smbauth
- Use specified domain for LDAP NTLM authentication instead of the target-supplied domain to improve compatibility with the LDAP SOCKS server of Impacket's ntlmrelayx.py example
- Removed credentials.Keytab() since it is not reliable due to potential KVNO mismatches and it is not used in adauth anymore
v0.2.2
- ldapauth: Fix incompatibility with newer versions of https://github.dev/go-ldap/ldap
- ldapauth: Fix issues with ntlmrelayx.py's LDAP SOCKS5 server
v0.2.1
- Overhauled dialer handling
- Added SOCKS5 dialer helpers
- Added SOCKS5 options to all examples
v0.2.0
- Added smbauth (thanks @bryanmcnulty)
- Added custom dialer support for LDAP
v0.1.1
- ldapauth: Added support for custom Kerberos dialer
- Fixed compatibility with go-msrpc
- Adjusted behavior of target.UseKerberos in conjunction with client certificates
v0.1.0
This is the initial release of the Active Directory authentication library adauth. In addition to the library's core functionality -- handling of authentication options -- it already includes authentication helpers for DCERPC and LDAP as well as implementations for the Kerberos PKINIT extension, UnPAC-the-Hash, the othername SAN extension for UPNs and CCache initialization and serialization.
Warning: Please note that this library's API is not yet stable as of v0.1.0. This means that the library may experience breaking changes between minor versions.