Subject: Port number rather than 389 -- But the server supports NTLM
Author: authen
In response to: Error might occur #2 -- Port number rather than 389
Posted on: 06/01/2009 08:03:24 PM
For the case above, if the LDAP server supports NTLM, then the successful message will really trick you.
You will get, on the client side, the following message:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3 {NtAuthIdentity: User='clientNameRegisteredOnAD'; Pwd= <unavailable>; domain = 'MYCOMPANY.COM'.} Authenticated as dn:'clientNameRegisteredOnAD'.
It seems that the login process went through via the Kerberos protocol. But on the server's side, the client 'clientNameRegisteredOnAD' was actually authenticated by the NTLM protocol.
>
> On 03/23/2009 05:33:38 PM authen wrote:
> 389 is the default port number for the LDAP protocol, and the SPN honors this default setting also. But if the LDAP service is running on a non-default port number, let's say 3389, what's going to happen?
> Server: myAD.myCompany.com Port: 3389
> Bind Function Type: Generic Bind method: SSPI Synchronous: checked
> You will get, on the client side, the following error:
> res = ldap_bind_s(ld, 'NULL', <unavailable>, 1158); // v.3 Error <49>: ldap_bind_s() failed: Invalid Credentials. Server error: NTLM authentication protocol used instead but the server failed to support it.
> For a non-default port number, the LDAP service's SPN, which has 389 as default, was not identified while LDP.exe was requesting the service ticket. So the Kerberos protocol fails and the connection is established with a weaker security protocol -- NTLM.
> Note: The above observation was made under LDP+AD2003+JRE1.5.0_07. The latest AD and JRE1.6.x may have resolved this problem.
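Since the client-side "Authenticated as dn" line gives no hint that the bind fell back to NTLM, the place to catch the fallback is the domain controller's Security log. The following is an added example, not code from the thread's author or from LDP.exe: it scans constructed Windows 4624 logon records (written here as key=value lines for brevity; a real export would be EVTX/XML with the same field names) and reports network logons the DC accepted via NTLM, plus accounts seen from one client address over both Kerberos and NTLM, which is the pattern a missing-SPN fallback leaves behind.

```python
import re

# Constructed sample of Security event 4624 (successful logon) records.
# Field names follow the real event schema; the one-line key=value layout
# and all values are made up for this example.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=clientNameRegisteredOnAD TargetDomainName=MYCOMPANY LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.5
EventID=4624 TargetUserName=svc_backup TargetDomainName=MYCOMPANY LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.6
EventID=4624 TargetUserName=clientNameRegisteredOnAD TargetDomainName=MYCOMPANY LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 IpAddress=10.0.0.5
EventID=4624 TargetUserName=jdoe TargetDomainName=MYCOMPANY LogonType=2 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 IpAddress=127.0.0.1
EventID=4624 TargetUserName=legacyapp TargetDomainName=MYCOMPANY LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM_V1 IpAddress=10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def ntlm_network_logons(text):
    """(user, client_ip, lm_package) for successful network logons (4624, type 3)
    that the DC accepted with NTLM instead of Kerberos."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName", "").upper() == "NTLM":
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev.get("LmPackageName", "-")))
    return hits


def ntlm_fallback_candidates(text):
    """(user, client_ip) pairs authenticated via both Kerberos and NTLM: the
    signature of a client that normally gets a ticket but fell back to NTLM,
    e.g. after a failed SPN lookup for an LDAP service on a non-default port."""
    packages = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        packages.setdefault(key, set()).add(ev["AuthenticationPackageName"])
    return sorted(k for k, p in packages.items() if {"Kerberos", "NTLM"} <= p)


if __name__ == "__main__":
    for user, ip, lm in ntlm_network_logons(SAMPLE_EVENTS):
        print(f"NTLM network logon: {user} from {ip} ({lm})")
    for user, ip in ntlm_fallback_candidates(SAMPLE_EVENTS):
        print(f"Possible Kerberos->NTLM fallback: {user} from {ip}")
```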