Digest-MD5 authentication does not work with JNDI and AD ?
Subject: Digest-MD5 authentication does not work with JNDI and AD ?
Author: komal_singh
In response to: Scenarios Where DIGEST-MD5 Works or NOT Work -- Active Directory 2003
Posted on: 10/01/2007 11:33:58 AM
Thanks for this great posting! However, even after following all the highlighted steps, I can't get LDAP connectivity with Digest-MD5 going. I have this working for anonymous, simple, and SSL.
Here is my config:
Server: AD 2003
Client: JNDI + JDK 1.6
User: cn=testuser,cn=users,dc=eyelitinc,dc=local
Password: test
Here is the relevant code:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.InitialDirContext;

    Hashtable<String, Object> env = new Hashtable<>();
    // serviceProvider holds the context factory class name (e.g. com.sun.jndi.ldap.LdapCtxFactory)
    env.put(Context.INITIAL_CONTEXT_FACTORY, serviceProvider);
    env.put(Context.PROVIDER_URL, "ldap://04Godzilla:389");
    // Also tried with testuser@eyelitinc.local
    env.put(Context.SECURITY_PRINCIPAL, "testuser");
    env.put(Context.SECURITY_CREDENTIALS, "test");
    env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
    InitialDirContext ctx = new InitialDirContext(env);
I always get the error:
    javax.naming.AuthenticationNotSupportedException: DIGEST-MD5
I have queried the AD, using the following, to see if Digest-MD5 is supported, and it is:
    Attributes attrs = ctx.getAttributes(fullUrl, new String[]{"supportedSASLMechanisms"});
Note: In the AD I have also checked the box for "use reversible encryption", and reset the password.
I WOULD GREATLY APPRECIATE ANY HELP!
Thanks ahead!
> On 07/27/2006 01:39:38 PM SteveHB wrote:
>
> Basic Settings
> ---------------
> Server: AD 2003
> Client: JNDI application
> User: cn=testuser,cn=users,dc=mydomain,dc=com
> Realm: MYREALM
> Passwd: (password stored in hash format)
>
> The following settings work:
>     env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
>     env.put(Context.SECURITY_PRINCIPAL, "testuser");
>
> The following settings do NOT work:
>     env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
>     env.put(Context.SECURITY_PRINCIPAL, "MYREAM\\testuser");
>
> The following settings do NOT work:
>     env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
>     env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");
>
> Conclusions: Microsoft has noticed the serious security risk of storing passwords in reversible encryption, as required by AD 2000. For this reason, AD 2003 comes with a 'better' solution -- Advanced Digest Mechanism, which stores user credentials as an MD5 hash. Advanced Digest authentication does not require that credentials are stored using reversible encryption. Instead, Advanced Digest authentication stores a few precalculated hashes in Active Directory, so user passwords cannot feasibly be discovered by anyone with access to the domain controller, including the domain administrator.
>
> As the MD5 hash contains the user name, password, and the name of the realm, specified in the RFC as H( { username-value, ":", realm-value, ":", passwd } ), if the server stores this kind of hashed info rather than the reversible one, the server has very limited flexibility to calculate the client's hash for comparison. That's why the minor variations of the username, "MYREAM\\testuser" or "testuser@mydomain.com", would fail (remembering they are working for AD 2000). That sucks in terms of flexibility on the client side.
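A worked illustration of the point SteveHB makes, added here as an example and not code from either poster: with Advanced Digest the directory keeps the RFC 2831 inner value H(username:realm:password) precomputed for the canonical user name, so it can only verify a client that hashes exactly those three strings. The first helper hex-encodes that value for the three principal spellings from the thread and shows they differ; the second builds the JNDI environment with the realm passed explicitly through the `java.naming.security.sasl.realm` property, so the client computes its hash over the same realm the directory used. The realm, password and host name are constructed values, and the Sun LDAP factory class name stands in for the poster's `serviceProvider` variable.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Hashtable;
import javax.naming.Context;

public class DigestMd5RealmDemo {

    /**
     * The value a Digest-MD5 server stores per user: H(username ":" realm ":" password),
     * see RFC 2831 section 2.1.2.1 (the protocol uses the raw 16-byte digest; hex is for display).
     * Any change to the spelling of username or realm yields an unrelated digest, which is
     * why the server cannot "normalise" a DOMAIN\user or user@domain principal after the fact.
     */
    static String storedDigestHex(String username, String realm, String password) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] digest = md5.digest(
                    (username + ":" + realm + ":" + password).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(32);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a mandatory JCE algorithm", e);
        }
    }

    /**
     * JNDI environment for a DIGEST-MD5 bind. The principal is the bare sAMAccountName
     * (the spelling that worked in the thread) and the realm is supplied explicitly so the
     * client-side hash is computed over the realm the directory precomputed its hashes with.
     */
    static Hashtable<String, Object> digestMd5Env(String url, String user, String password, String realm) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.security.sasl.realm", realm);   // standard JNDI/LDAP SASL property
        return env;
    }

    public static void main(String[] args) {
        // Constructed values for illustration; not real credentials or hosts.
        String realm = "MYREALM";
        String password = "test";
        String[] spellings = {"testuser", "MYREALM\\testuser", "testuser@mydomain.com"};

        System.out.println("Stored digest per principal spelling (realm " + realm + "):");
        for (String user : spellings) {
            System.out.println("  " + user + " -> " + storedDigestHex(user, realm, password));
        }

        Hashtable<String, Object> env =
                digestMd5Env("ldap://dc.example.local:389", "testuser", password, realm);
        System.out.println("Bind environment: " + env);
        // new javax.naming.directory.InitialDirContext(env) would perform the bind against a live DC.
    }
}
```

Running the class prints three unrelated digests for the three spellings, which is the whole mechanism behind the "works / does NOT work" table above: only the spelling whose digest the directory actually precomputed can authenticate. Passing the realm explicitly also removes one more way for the client and server to hash different strings; if the bind still fails with `AuthenticationNotSupportedException`, the mechanism itself is being refused before any hash is compared, so the `supportedSASLMechanisms` check in the first post is the right place to start.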