LdapPro

Subject: i am unable to connect to the AD 2003
Author: kishore.jv
In response to: When and Why DIGEST-MD5 Authentication Does Not Work?
Posted on: 01/29/2008 01:39:01 AM

        import java.util.Hashtable;
        import javax.naming.Context;
        import javax.naming.directory.InitialDirContext;

        Hashtable<String, Object> env = new Hashtable<>(); // userName and password are supplied by the caller
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://iemqdc:389");
        env.put(Context.SECURITY_PRINCIPAL, userName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");  // SASL mechanism name
        env.put("com.sun.jndi.ldap.trace.ber", System.err);      // dump BER traffic to stderr; this produced the trace below
        new InitialDirContext(env);                               // performs the bind

-> iemqdc:389

0000: 30 18 02 01 01 60 13 02   01 03 04 00 A3 0C 04 0A  0....`..........
0010: 44 49 47 45 53 54 2D 4D   44 35                    DIGEST-MD5


<- iemqdc:389

0000: 30 84 00 00 00 DF 02 01   01 61 84 00 00 00 D6 0A  0........a......
0010: 01 0E 04 00 04 00 87 82   00 CB 71 6F 70 3D 22 61  ..........qop="a
0020: 75 74 68 2C 61 75 74 68   2D 69 6E 74 2C 61 75 74  uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C   63 69 70 68 65 72 3D 22  h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73   2C 72 63 34 2D 34 30 2C  3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D   35 36 22 2C 61 6C 67 6F  rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64   35 2D 73 65 73 73 2C 6E  rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 39 32   38 32 35 66 31 65 34 31  once="92825f1e41
0080: 36 32 63 38 30 31 66 62   61 61 30 31 33 62 32 64  62c801fbaa013b2d
0090: 37 30 31 64 30 64 64 35   38 31 61 37 35 66 33 36  701d0dd581a75f36
00A0: 33 30 62 61 30 34 30 37   30 37 32 65 65 66 38 35  30ba0407072eef85
00B0: 36 34 39 63 39 64 38 36   36 64 39 39 64 65 37 62  649c9d866d99de7b
00C0: 35 37 38 38 63 62 22 2C   63 68 61 72 73 65 74 3D  5788cb",charset=
00D0: 75 74 66 2D 38 2C 72 65   61 6C 6D 3D 22 69 65 6D  utf-8,realm="iem
00E0: 71 2E 61 65 22                                     q.ae"


-> iemqdc:389

0000: 30 82 01 46 02 01 02 60   82 01 3F 02 01 03 04 00  0..F...`..?.....
0010: A3 82 01 36 04 0A 44 49   47 45 53 54 2D 4D 44 35  ...6..DIGEST-MD5
0020: 04 82 01 26 63 68 61 72   73 65 74 3D 75 74 66 2D  ...&charset=utf-
0030: 38 2C 75 73 65 72 6E 61   6D 65 3D 22 41 64 6D 69  8,username="Admi
0040: 6E 69 73 74 72 61 74 6F   72 22 2C 72 65 61 6C 6D  nistrator",realm
0050: 3D 22 69 65 6D 71 2E 61   65 22 2C 6E 6F 6E 63 65  ="iemq.ae",nonce
0060: 3D 22 39 32 38 32 35 66   31 65 34 31 36 32 63 38  ="92825f1e4162c8
0070: 30 31 66 62 61 61 30 31   33 62 32 64 37 30 31 64  01fbaa013b2d701d
0080: 30 64 64 35 38 31 61 37   35 66 33 36 33 30 62 61  0dd581a75f3630ba
0090: 30 34 30 37 30 37 32 65   65 66 38 35 36 34 39 63  0407072eef85649c
00A0: 39 64 38 36 36 64 39 39   64 65 37 62 35 37 38 38  9d866d99de7b5788
00B0: 63 62 22 2C 6E 63 3D 30   30 30 30 30 30 30 31 2C  cb",nc=00000001,
00C0: 63 6E 6F 6E 63 65 3D 22   48 70 4D 6A 42 31 78 4E  cnonce="HpMjB1xN
00D0: 57 65 6B 69 4B 6E 31 59   34 61 58 6D 47 62 7A 46  WekiKn1Y4aXmGbzF
00E0: 32 34 6A 2B 6F 44 44 44   6A 78 72 47 78 72 70 66  24j+oDDDjxrGxrpf
00F0: 22 2C 64 69 67 65 73 74   2D 75 72 69 3D 22 6C 64  ",digest-uri="ld
0100: 61 70 2F 69 65 6D 71 64   63 22 2C 6D 61 78 62 75  ap/iemqdc",maxbu
0110: 66 3D 36 35 35 33 36 2C   72 65 73 70 6F 6E 73 65  f=65536,response
0120: 3D 65 36 36 31 31 61 39   37 34 64 64 64 34 62 39  =e6611a974ddd4b9
0130: 39 36 62 61 38 62 64 35   65 37 64 32 66 65 65 63  96ba8bd5e7d2feec
0140: 32 2C 71 6F 70 3D 61 75   74 68                    2,qop=auth


<- iemqdc:389

0000: 30 84 00 00 00 65 02 01   02 61 84 00 00 00 5C 0A  0....e...a....\.
0010: 01 31 04 00 04 55 38 30   30 39 30 33 30 43 3A 20  .1...U8009030C: 
0020: 4C 64 61 70 45 72 72 3A   20 44 53 49 44 2D 30 43  LdapErr: DSID-0C
0030: 30 39 30 34 33 45 2C 20   63 6F 6D 6D 65 6E 74 3A  09043E, comment:
0040: 20 41 63 63 65 70 74 53   65 63 75 72 69 74 79 43   AcceptSecurityC
0050: 6F 6E 74 65 78 74 20 65   72 72 6F 72 2C 20 64 61  ontext error, da
0060: 74 61 20 30 2C 20 76 65   63 65 00                 ta 0, vece.

javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C:
LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
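What the dump above contains, as an added example (editor's code, not code from the original post or from JNDI): the server's challenge offers qop auth/auth-int/auth-conf with algorithm md5-sess and realm "iemq.ae"; the client answers for username "Administrator" in that realm with qop=auth; the server rejects it with resultCode 49. The script below implements the RFC 2831 response arithmetic behind the `response=` field so the exchange can be re-derived by hand. Two assumptions: the password behind the capture is not on the page, so a made-up password is used wherever one is needed and exact values are verified only against the RFC 2831 section 4 sample exchange (username "chris", password "secret"); and the nonce, cnonce and other directives are copied from the dump as-is. The point a practitioner should take from the trace: everything except the password travels in the clear (and here is also written to System.err by trace.ber), so anyone holding this dump can test password guesses offline against the response value, a dictionary-attack exposure RFC 2831's own security considerations acknowledge; RFC 6331 later moved the mechanism to Historic.

```python
"""RFC 2831 DIGEST-MD5 response arithmetic, worked against the trace above.

Added example; not code from the original post or from JNDI.  The password
behind the trace is unknown, so exact values are checked only against the
RFC 2831 section 4 sample exchange; the page's own challenge and response
are used for field parsing and for a constructed-password walkthrough."""
import hashlib
import re

# Server challenge and client response, copied from the BER dump above.
PAGE_CHALLENGE = ('qop="auth,auth-int,auth-conf",cipher="3des,des,rc4-40,rc4,rc4-56",'
                  'algorithm=md5-sess,nonce="92825f1e4162c801fbaa013b2d701d0dd581a75f36'
                  '30ba0407072eef85649c9d866d99de7b5788cb",charset=utf-8,realm="iemq.ae"')
PAGE_RESPONSE = ('charset=utf-8,username="Administrator",realm="iemq.ae",'
                 'nonce="92825f1e4162c801fbaa013b2d701d0dd581a75f3630ba0407072eef85649c'
                 '9d866d99de7b5788cb",nc=00000001,cnonce="HpMjB1xNWekiKn1Y4aXmGbzF24j+oDDDjxrGxrpf",'
                 'digest-uri="ldap/iemqdc",maxbuf=65536,'
                 'response=e6611a974ddd4b996ba8bd5e7d2feec2,qop=auth')
# Sample client message from RFC 2831 section 4 (password "secret").
RFC2831_RESPONSE = ('charset=utf-8,username="chris",realm="elwood.innosoft.com",'
                    'nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",'
                    'digest-uri="imap/elwood.innosoft.com",'
                    'response=d388dad90d4bbd760a152321f2143af7,qop=auth')


def parse_digest_fields(text):
    """Split a challenge/response into a dict.  Values may be double-quoted,
    and quoted values may contain commas (qop="auth,auth-int,auth-conf").
    If a directive repeats (several realm= entries) the last one wins."""
    fields = {}
    for m in re.finditer(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^,]*))', text):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _rfc2831_bytes(s):
    # RFC 2831 2.1.2.1: user/realm/password are hashed as ISO-8859-1 when every
    # character fits, otherwise as UTF-8 (identical for the ASCII values above).
    try:
        return s.encode("iso-8859-1")
    except UnicodeEncodeError:
        return s.encode("utf-8")


def _hexmd5(data):
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False):
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) per RFC 2831.
    rspauth=True yields the server's final rspauth instead (A2 loses the
    'AUTHENTICATE' prefix)."""
    # md5-sess: A1 = the 16 raw bytes of H(user:realm:pass) + ":nonce:cnonce[:authzid]"
    a1 = hashlib.md5(b":".join(_rfc2831_bytes(x) for x in (username, realm, password))).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += b":" + authzid.encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32  # 32 zero hex digits for integrity/confidentiality modes
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2.encode('utf-8'))}"
    return _hexmd5(kd.encode("utf-8"))


def build_client_response(challenge, username, password, digest_uri, cnonce,
                          nc="00000001", qop="auth"):
    """Compose the client's message from a server challenge, the way the JNDI
    client did above: take the server's realm and nonce, pick a qop it offers."""
    ch = parse_digest_fields(challenge)
    if qop not in ch.get("qop", "auth").split(","):
        raise ValueError(f"server does not offer qop={qop}")
    realm = ch.get("realm", "")
    resp = digest_md5_response(username, realm, password, ch["nonce"], cnonce, nc, qop, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{ch["nonce"]}",'
            f'nc={nc},cnonce="{cnonce}",digest-uri="{digest_uri}",maxbuf=65536,'
            f'response={resp},qop={qop}')


def password_matches_capture(client_response, password):
    """Offline test of a candidate password against a captured client message.
    Everything except the password travels in the clear, which is why a sniffed
    (or logged, as with trace.ber) DIGEST-MD5 exchange can be cracked offline."""
    f = parse_digest_fields(client_response)
    computed = digest_md5_response(f["username"], f.get("realm", ""), password,
                                   f["nonce"], f["cnonce"], f["nc"], f.get("qop", "auth"),
                                   f["digest-uri"], f.get("authzid"))
    return computed == f["response"].lower()


if __name__ == "__main__":
    print("server realm:", parse_digest_fields(PAGE_CHALLENGE)["realm"])
    print("RFC vector, password 'secret':", password_matches_capture(RFC2831_RESPONSE, "secret"))
    # Constructed guess: the real password is not on the page, so this prints
    # False unless the guess happens to be right.
    print("page capture, guess 'Password1':", password_matches_capture(PAGE_RESPONSE, "Password1"))
```

The md5-sess detail that trips up hand implementations is in digest_md5_response: the inner H(user:realm:pass) goes into A1 as 16 raw bytes, not as 32 hex characters, and A2 for qop=auth is just "AUTHENTICATE:" plus the digest-uri. Swapping either one gives a well-formed but wrong response value, which the server reports as a plain credentials failure.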


 

> On 10/13/2007 06:25:57 PM SteveHB wrote:

Hi Komal,


Prior to addressing your issue (1), I am quite sure, from both your trails (2) and (3), that your AD is configured on an empty realm. It's OK, but it may fail for SOME clients to authenticate by DIGEST-MD5, NTLM, or GSSAPI/Kerberos whenever there is a realm involved.

Here is how I figured it out: Softerra lacks the ability (maybe a bug or maybe a predefined setting) to negotiate with the server while handling the DIGEST-MD5 protocol. After receiving the DIGEST-MD5 type 2 message, where the server informs the client of a list of realms the server can handle, the client should CHOOSE one from the list and generate its challenge response based on the chosen realm. But Softerra is not able to do that; it can only pick up from the user's input. For example, you would have to type in testuser@eyelitinc.local if your AD's realm were 'eyelitinc.local'. Otherwise, Softerra is going to fail. For that reason, your AD's realm is empty. This is further confirmed by your trail (2).

Now back to your issue (1): it's not related to your server yet. I can easily reproduce your errors on my machine by:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5-SASL"); // a fake mechanism


Notice that "DIGEST-MD5-SASL" is intentionally set as an unsupported mechanism. The output is as follows:

javax.naming.AuthenticationNotSupportedException: DIGEST-MD5-SASL
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:100)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

It's quite obvious that your JNDI library doesn't support "DIGEST-MD5". It has nothing to do with your server; your client has not got that far yet.
Try to get another version of the JRE or download the LDAP Booster Package ldapbp.jar. If everything goes right on your client side, you should at least see the DIGEST-MD5 Type 1 message like this:

-> 04Godzilla:389

0000: 30 18 02 01 01 60 13 02   01 03 04 00 A3 0C 04 0A  0....`..........
0010: 44 49 47 45 53 54 2D 4D   44 35                    DIGEST-MD5


Then, let me see if I can help you from there.

Good Luck,
Steve
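To read dumps like the Type 1 message Steve asks for, here is an added example (editor's code, not the original post's or JNDI's) that decodes the three bind messages on this page from their BER bytes: the client's Type 1 SASL BindRequest, the server's saslBindInProgress answer carrying the challenge in serverSaslCreds, and the final error 49 BindResponse. The two short messages are transcribed byte for byte from the dumps; for the challenge message only the BER header bytes are transcribed and the credential text is appended, which is exactly what the dump contains, and the decoder's length check would fail if that reconstruction were wrong. Tag numbers follow RFC 4511.

```python
"""Decode the JNDI trace.ber dumps of the LDAP bind exchange shown on this page.

Added example; not code from the original post or from JNDI.  Tags per
RFC 4511: BindRequest [APPLICATION 0] = 0x60, BindResponse [APPLICATION 1]
= 0x61, simple [0] = 0x80, SaslCredentials [3] = 0xA3, serverSaslCreds [7]
= 0x87.  Only single-byte tags are handled, which is all LDAP needs."""

RESULT_CODES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}

# Client Type 1 message: SASL bind with mechanism only, no credentials.
TYPE1 = bytes.fromhex(
    "30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 44 49 47 45 53 54 2D 4D 44 35")
# Server challenge: note the 4-byte long-form lengths (84 00 00 00 DF) AD emits.
CHALLENGE = ('qop="auth,auth-int,auth-conf",cipher="3des,des,rc4-40,rc4,rc4-56",'
             'algorithm=md5-sess,nonce="92825f1e4162c801fbaa013b2d701d0dd581a75f36'
             '30ba0407072eef85649c9d866d99de7b5788cb",charset=utf-8,realm="iemq.ae"')
CHALLENGE_MSG = bytes.fromhex(
    "30 84 00 00 00 DF 02 01 01 61 84 00 00 00 D6 0A 01 0E 04 00 04 00 87 82 00 CB"
) + CHALLENGE.encode("ascii")
# Final server answer: error 49 with AD's diagnostic string (NUL-terminated in the dump).
DIAG = ("8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, "
        "data 0, vece")
ERROR_MSG = bytes.fromhex(
    "30 84 00 00 00 65 02 01 02 61 84 00 00 00 5C 0A 01 31 04 00 04 55"
) + DIAG.encode("ascii") + b"\x00"


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and definite long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length not supported")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Split a constructed value into its list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_ldap_message(raw):
    """Decode one LDAPMessage holding a BindRequest or BindResponse."""
    tag, body, end = read_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not exactly one LDAPMessage SEQUENCE")
    children = read_children(body)
    msg = {"messageID": int.from_bytes(children[0][1], "big")}
    op_tag, op = children[1]
    parts = read_children(op)
    if op_tag == 0x60:                                   # BindRequest
        msg["op"] = "BindRequest"
        msg["version"] = int.from_bytes(parts[0][1], "big")
        msg["name"] = parts[1][1].decode("utf-8")
        auth_tag, auth = parts[2]
        if auth_tag == 0x80:                             # simple [0]: password in clear
            msg["auth"] = "simple"
            msg["password_len"] = len(auth)
        elif auth_tag == 0xA3:                           # sasl [3] SaslCredentials
            sasl = read_children(auth)
            msg["auth"] = "sasl"
            msg["mechanism"] = sasl[0][1].decode("ascii")
            msg["credentials"] = sasl[1][1].decode("utf-8") if len(sasl) > 1 else None
    elif op_tag == 0x61:                                 # BindResponse
        code = int.from_bytes(parts[0][1], "big")
        msg["op"] = "BindResponse"
        msg["resultCode"] = code
        msg["resultName"] = RESULT_CODES.get(code, "other")
        msg["matchedDN"] = parts[1][1].decode("utf-8")
        msg["diagnosticMessage"] = parts[2][1].decode("utf-8").rstrip("\x00")
        for t, v in parts[3:]:
            if t == 0x87:                                # serverSaslCreds [7]
                msg["serverSaslCreds"] = v.decode("utf-8")
    else:
        msg["op"] = f"unhandled protocolOp tag 0x{op_tag:02X}"
    return msg


if __name__ == "__main__":
    for raw in (TYPE1, CHALLENGE_MSG, ERROR_MSG):
        print(decode_ldap_message(raw))
```

The long-form length is the part worth remembering when reading these dumps by eye: the client side uses short-form lengths (30 18, 60 13) and two-byte long form (30 82 01 46), while the server side writes every length as 84 followed by four bytes, so a quick decoder that only understands the short form parses the client's messages and breaks on the first reply.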



