LdapPro
Subject: Port number rather than 389 -- But the server support NTLM
Author: authen
In response to: Error might occur #2 -- Port number rather than 389
Posted on: 06/01/2009 08:03:24 PM

For the case above, if the LDAP server supports NTLM, the successful message will really trick you.

You will get, on the client side, the following message:

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='clientNameRegisteredOnAD'; Pwd= <unavailable>; domain = 'MYCOMPANY.COM'.}
Authenticated as dn:'clientNameRegisteredOnAD'.


It seems that the login process went through via the Kerberos protocol. But on the server's side, the client 'clientNameRegisteredOnAD' was actually authenticated by the NTLM protocol.



 

> On 03/23/2009 05:33:38 PM authen wrote:


389 is the default port number for the LDAP protocol and the SPN honors this default setting also. But if the LDAP service is running on a non-default port number, let's say 3389, what's going to happen?


Server: myAD.myCompany.com
Port: 3389

Bind Function Type: Generic
Bind method: SSPI
Synchronous: checked

You will get, on the client side, the following error:

res = ldap_bind_s(ld, 'NULL', <unavailable>, 1158); // v.3
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: NTLM authentication protocol used instead but the server failed to support it.


For a non-default port number, the LDAP service's SPN, which has 389 as the default, was not identified while LDP.exe was requesting the service ticket. So, the Kerberos protocol fails and the connection is established with a weaker security protocol -- NTLM.


Note: The above observation is viewed under LDP+AD2003+JRE1.5.0_07. The latest AD and JRE1.6.x may have resolved this problem.
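As an added example (not part of the original post or of the LDP tool), the server-side check the post points to: the client's bind output looks like a Kerberos success, but the domain controller's Security log records the package actually negotiated, so scanning 4624 (successful logon) records for Authentication Package = NTLM on accounts that are expected to use Kerberos exposes the fallback. The event records below are constructed; the account and workstation names are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows Security event 4624 text with the fields the
# check needs: one Kerberos logon and one NTLM logon for the same account.
# Account and workstation names are placeholders, not real systems.
SAMPLE_EVENTS = """\
EventID: 4624
Account Name: svc-ldapclient
Workstation Name: CLIENT01
Logon Type: 3
Authentication Package: Kerberos
---
EventID: 4624
Account Name: svc-ldapclient
Workstation Name: CLIENT01
Logon Type: 3
Authentication Package: NTLM
"""

# Accounts expected to authenticate with Kerberos only (assumption: in practice
# this set comes from the organisation's own service-account inventory).
KERBEROS_ONLY = {"svc-ldapclient"}

@dataclass
class Fallback:
    account: str
    workstation: str
    package: str

def parse_events(text: str) -> list[dict]:
    """Split the log text on '---' and map 'Field: value' lines per event."""
    events = []
    for chunk in text.strip().split("---"):
        fields = dict(re.findall(r"^([\w ]+): (.+)$", chunk.strip(), re.M))
        if fields:
            events.append(fields)
    return events

def find_ntlm_fallbacks(text: str, kerberos_only: set[str]) -> list[Fallback]:
    """Return 4624 logons where NTLM was used for a Kerberos-only account."""
    hits = []
    for ev in parse_events(text):
        if ev.get("EventID") != "4624" or ev.get("Account Name") not in kerberos_only:
            continue
        if ev.get("Authentication Package", "").upper() == "NTLM":
            hits.append(Fallback(ev["Account Name"], ev.get("Workstation Name", "?"), "NTLM"))
    return hits

if __name__ == "__main__":
    for hit in find_ntlm_fallbacks(SAMPLE_EVENTS, KERBEROS_ONLY):
        print(f"NTLM fallback: {hit.account} from {hit.workstation}")
```

Correlating such a hit with the LDAP service's port and registered SPNs on the same host is what confirms the cause described in the post.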