  Re: When and Why DIGEST-MD5 Authentication Does Not Work?
 
Subject: Re: When and Why DIGEST-MD5 Authentication Does Not Work?
Author: SteveHB
In response to: When and Why DIGEST-MD5 Authentication Does Not Work?
Posted on: 10/13/2007 06:25:57 PM

Hi Komal,


Prior to addressing your issue (1), I am quite sure, from both your trials (2) and (3), that your AD is configured on an empty realm. It's OK, but it may fail for SOME clients to authenticate by DIGEST-MD5, NTLM, or GSSAPI, Kerberos, whenever there is a realm involved.

Here is how I figured it out: Softerra lacks the ability (maybe a bug or maybe a predefined setting) to negotiate with the server while handling the DIGEST-MD5 protocol. After receiving the Digest-MD5 type 2 message, where the server informs the client of a list of realms the server can handle, the client should CHOOSE one from the list and generate its challenge response based on the chosen realm. But Softerra is not able to do that; it can only pick up from the user's input. For example, you would have to type in testuser@eyelitinc.local if your AD's realm were 'eyelitinc.local'. Otherwise, Softerra is going to fail. For that reason, your AD's realm is empty. This is further confirmed by your trial (2).

Now back to your issue (1): it's not related to your server yet. I can easily reproduce your errors on my machine by:

env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5-SASL"); // a fake mechanism


Notice that "DIGEST-MD5-SASL" is intentionally set as an unsupported mechanism. The output is as follows:

javax.naming.AuthenticationNotSupportedException: DIGEST-MD5-SASL
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:100)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

It's quite obvious that your JNDI library doesn't support "DIGEST-MD5". It has nothing to do with your server; your client has not reached this far yet.
Try to get another version of the JRE or download the LDAP Booster Package ldapbp.jar. If everything goes right on your client side, you should at least see the DIGEST-MD5 Type 1 message, like this:

-> 04Godzilla:389

0000: 30 18 02 01 01 60 13 02   01 03 04 00 A3 0C 04 0A  0....`..........
0010: 44 49 47 45 53 54 2D 4D   44 35                    DIGEST-MD5


Then, let me see if I can help you from there.

Good Luck,
Steve
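Steve's point about realm selection, as an added example that is not code from the post, from Softerra or from JNDI: a small Python parser for the DIGEST-MD5 server challenge (the "type 2" message he describes, in the RFC 2831 directive format) together with the realm-choice rule a well-behaved client should apply. The challenge text is a constructed sample; eyelitinc.local is the realm named in the thread, while example.org and the nonce are made-up values.

```python
"""Parse a DIGEST-MD5 challenge and pick the realm for the response.

Added example, not code from the thread. SAMPLE_CHALLENGE is a
constructed challenge in the RFC 2831 directive format: eyelitinc.local
is the realm named in the thread, example.org and the nonce are made up.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_CHALLENGE = (
    'realm="eyelitinc.local",realm="example.org",'
    'nonce="OA6MG9tEQGm2hh",qop="auth,auth-int,auth-conf",'
    'charset=utf-8,algorithm=md5-sess'
)


def parse_digest_challenge(challenge: str) -> List[Tuple[str, str]]:
    """Split a challenge into ordered (directive, value) pairs.

    Quoted values may contain commas and backslash escapes, and a
    directive such as realm may legitimately appear several times, so the
    result is a list rather than a dict.
    """
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(challenge)
    while i < n:
        while i < n and challenge[i] in " \t\r\n,":
            i += 1  # skip separators between directives
        if i >= n:
            break
        eq = challenge.find("=", i)
        if eq < 0:
            raise ValueError("directive without '=' at offset %d" % i)
        key = challenge[i:eq].strip().lower()
        i = eq + 1
        if i < n and challenge[i] == '"':
            i += 1
            buf = []
            while i < n and challenge[i] != '"':
                if challenge[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character literally
                buf.append(challenge[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value for %r" % key)
            i += 1  # skip the closing quote
            value = "".join(buf)
        else:
            j = challenge.find(",", i)
            j = n if j < 0 else j
            value = challenge[i:j].strip()
            i = j
        pairs.append((key, value))
    return pairs


def realms_offered(pairs: List[Tuple[str, str]]) -> List[str]:
    """All realm directives, in the order the server listed them."""
    return [v for k, v in pairs if k == "realm"]


def split_user_realm(user_input: str) -> Tuple[str, Optional[str]]:
    """'testuser@eyelitinc.local' -> ('testuser', 'eyelitinc.local')."""
    name, sep, realm = user_input.partition("@")
    return name, (realm if sep else None)


def choose_realm(offered: List[str], requested: Optional[str] = None) -> str:
    """Apply the client-side rule: take what the user asked for only if
    the server offers it, fall back to an empty realm when the server
    advertised none, and refuse to guess among several."""
    if requested is not None:
        if offered and requested not in offered:
            raise ValueError("requested realm %r not among offered %r" % (requested, offered))
        return requested
    if not offered:
        return ""  # server advertised no realm: answer with an empty one
    if len(offered) == 1:
        return offered[0]
    raise ValueError("server offers several realms, one must be requested: %r" % offered)


def negotiate_realm(challenge: str, user_input: str) -> Dict[str, str]:
    """Combine the steps: parse the challenge, then settle user and realm."""
    pairs = parse_digest_challenge(challenge)
    user, requested = split_user_realm(user_input)
    return {
        "username": user,
        "realm": choose_realm(realms_offered(pairs), requested),
        "qop": dict(pairs).get("qop", "auth"),
    }
```

With JNDI the same choice is made through the java.naming.security.sasl.realm environment property, which is how a JNDI client supplies the realm the server expects instead of relying on a user@realm login string.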

 
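To make the BER trace in the reply readable, an added example that is not code from the post or from the JNDI library: a Python decoder for the LDAPMessage carrying the SASL BindRequest. The two trace lines are transcribed from the dump above; the second message (SIMPLE_BIND) is a constructed sample that exercises the simple-bind branch of the authentication CHOICE.

```python
"""Decode an LDAP BindRequest from a JNDI 'com.sun.jndi.ldap.trace.ber' dump.

Added example, not code from the thread. TRACE_LINES is transcribed from
the DIGEST-MD5 Type 1 dump in the reply; SIMPLE_BIND is a constructed
sample with the password 'abc', included to show the other branch.
"""
import re
from typing import Dict, List, Tuple

TRACE_LINES = [
    "0000: 30 18 02 01 01 60 13 02   01 03 04 00 A3 0C 04 0A  0....`..........",
    "0010: 44 49 47 45 53 54 2D 4D   44 35                    DIGEST-MD5",
]
# Constructed: messageID 1, version 3, empty DN, simple password "abc".
SIMPLE_BIND = bytes.fromhex("300F020101600A02010304008003616263")

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def bytes_from_trace(lines: List[str]) -> bytes:
    """Collect the hex column of a trace dump (at most 16 bytes per line).

    The ASCII column follows the hex bytes, so reading a line stops at the
    first token that is not a two-digit hex byte.
    """
    out = bytearray()
    for line in lines:
        _, _, rest = line.partition(":")
        taken = 0
        for tok in rest.split():
            if taken == 16 or not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after element) for the BER TLV at pos.

    LDAP uses definite lengths only (RFC 4511 section 5.1), so the short
    and long definite forms are all that is needed here.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_bind_request(raw: bytes) -> Dict[str, object]:
    """Take apart LDAPMessage { messageID, protocolOp BindRequest }."""
    tag, msg, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    tag, op, pos = read_tlv(msg, pos)
    if tag != 0x60:  # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp tag 0x%02X is not a BindRequest" % tag)
    _, ver, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, auth, _ = read_tlv(op, p)
    info: Dict[str, object] = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8"),
    }
    if auth_tag == 0x80:  # [0] simple OCTET STRING: the password travels in clear
        info["auth"] = "simple"
        info["password_len"] = len(auth)
    elif auth_tag == 0xA3:  # [3] sasl SaslCredentials { mechanism, credentials OPTIONAL }
        _, mech, q = read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode("ascii")
        info["has_initial_response"] = q < len(auth)  # DIGEST-MD5 sends none here
    else:
        raise ValueError("unknown authentication choice tag 0x%02X" % auth_tag)
    return info


if __name__ == "__main__":
    print(decode_bind_request(bytes_from_trace(TRACE_LINES)))
```

The decoded Type 1 message carries only the mechanism name and an empty bind DN; no secret is on the wire yet, which is why Steve can say the client has not reached the server-dependent part of the exchange. The constructed simple bind shows the contrast: tag 0x80 holds the password itself, so a trace.ber dump of a simple bind would expose it.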

> On 10/11/2007 05:48:09 PM komal_singh wrote:

Hi Steve,

Thank you so very much for offering to help !!

(1) Here is the detailed stack trace with "env.put("com.sun.jndi.ldap.trace.ber", System.err);", which incidentally is the same with its absence.

ERROR: 20071011 174401 @05tiger [RMI Runtime: Thread-44] com.eyelit.trans.TransLDAP
 javax.naming.AuthenticationNotSupportedException:DIGEST-MD5
Java version 1.6.0_01 from Sun Microsystems Inc. on Windows XP 5.1 CPU x86
javax.naming.AuthenticationNotSupportedException: DIGEST-MD5
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
	at com.eyelit.trans.TransLDAP.establishConnection(TransLDAP.java:173)
	at com.eyelit.trans.TransLDAP.executeCommand(TransLDAP.java:81)
	at com.eyelit.trans.Trans$ExecutionThread.run(Trans.java:1594)


(2) I also tried changing the URL to "ldap://04Godzilla.eyelitinc.local:389". However, this produces the following error:

javax.naming.CommunicationException: 04Godzilla.eyelitinc.local:389 [Root exception is java.net.UnknownHostException: 04Godzilla.eyelitinc.local]
	at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
	at com.eyelit.trans.TransLDAP.establishConnection(TransLDAP.java:170)
	at com.eyelit.trans.TransLDAP.executeCommand(TransLDAP.java:81)
	at com.eyelit.trans.Trans$ExecutionThread.run(Trans.java:1594)
Caused by: java.net.UnknownHostException: 04Godzilla.eyelitinc.local
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at java.net.Socket.<init>(Unknown Source)
	at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
	... 16 more


(3) I tried using Digest-MD5 with a popular LDAP browser - Softerra - and it worked. So I'm guessing the problem is on the JNDI side, not the AD.
AGAIN, I GREATLY APPRECIATE YOUR REPLY !
