  Re: When and Why DIGEST-MD5 Authentication Does Not Work?
 
Subject: Re: When and Why DIGEST-MD5 Authentication Does Not Work?
Author: komal_singh
In response to: When and Why DIGEST-MD5 Authentication Does Not Work?
Posted on: 10/15/2007 11:52:05 AM

Steve!!

You are a genius!!

I switched from JDK 1.6 to 1.5.0_11 and voilà...everything worked!

So, is it safe to assume this won't work with 1.6, without some additional ldap booster? Perhaps a bug in 1.6?

Anyway, I can't thank you enough for your time ....thank you thank you thank you!!!!! :)

Warm Regards,
Komal
 

> On 10/13/2007 06:25:57 PM SteveHB wrote:


Hi Komal,


Prior to addressing your issue (1), I am quite sure, from both your trails (2) and (3), that your AD is configured on an empty realm. It's OK, but it may fail for SOME clients to authenticate by DIGEST-MD5, NTLM, or GSSAPI/Kerberos whenever there is a realm involved.

Here is how I figured it out: Softerra lacks the ability (maybe a bug or maybe a predefined setting) to negotiate with the server while handling the DIGEST-MD5 protocol. After receiving the Digest-Md5 type 2 message, in which the server informs the client of a list of realms the server can handle, the client should CHOOSE one from the list and generate its challenge response based on the chosen realm. But Softerra is not able to do that; it can only pick it up from the user's input. For example, you would have to type in testuser@eyelitinc.local if your AD's realm were 'eyelitinc.local'. Otherwise, Softerra is going to fail. For that reason, your AD's realm is empty. This is further confirmed by your trail (2).

Now back to your issue (1), it's not related to your server yet. I can easily reproduce your errors on my machine by:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5-SASL"); // a fake mechanism


Notice that "DIGEST-MD5-SASL" is intentionally set as an unsupported mechanism. The output is as follows:

javax.naming.AuthenticationNotSupportedException: DIGEST-MD5-SASL
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:100)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

It's quite obvious that your JNDI library doesn't support "DIGEST-MD5". It has nothing to do with your server; your client has not reached this far yet.
Try to get another version of the JRE or download the LDAP Booster Package ldapbp.jar. If everything goes right on your client side, you should at least see the DIGEST-MD5 Type 1 message like this:

-> 04Godzilla:389

0000: 30 18 02 01 01 60 13 02   01 03 04 00 A3 0C 04 0A  0....`..........
0010: 44 49 47 45 53 54 2D 4D   44 35                    DIGEST-MD5


Then, let me see if I can help you from there.

Good Luck,
Steve


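As an added example (not code from either poster), the check below first asks the local JRE which SASL client mechanisms it actually provides, so a missing DIGEST-MD5 client is caught before the server is blamed, and then performs the JNDI bind with the realm chosen explicitly through the standard java.naming.security.sasl.realm property instead of via "user@realm" input. The host, account name and realm are assumed placeholders.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.AuthenticationException;   // disambiguate from javax.security.sasl's
import javax.naming.directory.*;
import javax.security.sasl.*;

public class DigestMd5Check {
    /** Mechanism names reported by every SASL client factory installed in this JRE. */
    static Set<String> localSaslClientMechanisms() {
        Set<String> names = new HashSet<String>();
        Enumeration<SaslClientFactory> factories = Sasl.getSaslClientFactories();
        while (factories.hasMoreElements()) {
            for (String m : factories.nextElement().getMechanismNames(null)) {
                names.add(m);
            }
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        // Step 1: rule out the client before looking at the server (the thread's failure mode).
        if (!localSaslClientMechanisms().contains("DIGEST-MD5")) {
            System.err.println("No DIGEST-MD5 SASL client in this JRE; fix the client first.");
            return;
        }
        String password = System.getenv("LDAP_PASSWORD");   // never hard-code credentials
        if (password == null) throw new IllegalStateException("LDAP_PASSWORD not set");

        // Step 2: bind. Host, user and realm below are assumed placeholder values.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.test:389");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");   // exact mechanism name
        env.put(Context.SECURITY_PRINCIPAL, "testuser");          // account name, not a DN
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Choose the realm here rather than relying on "user@realm" input;
        // leave this line out when the server advertises an empty realm.
        env.put("java.naming.security.sasl.realm", "example.test");
        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("DIGEST-MD5 bind succeeded");
            ctx.close();
        } catch (AuthenticationNotSupportedException e) {
            System.err.println("Client side: JNDI/SASL rejected the mechanism: " + e);
        } catch (AuthenticationException e) {
            System.err.println("Server side: credentials or realm rejected: " + e);
        }
    }
}
```

AuthenticationNotSupportedException is the client-side error shown in the trace above; a plain AuthenticationException means the Type 1 message went out and the server answered.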

