Topic: When and Why DIGEST-MD5 Authentication Does Not Work?
SteveHB:
When and Why DIGEST-MD5 Authentication Does Not Work? |
The Digest-MD5 mechanism is described in RFC 2831. In Digest-MD5, the LDAP server sends the LDAP client data that includes the various authentication options it is willing to support plus a special token. The client responds by sending an encrypted response that indicates the authentication options it has selected. The response is encrypted in such a way that it proves the client knows its password. The LDAP server then verifies the client's response.
As can be seen, the major advantages of DIGEST-MD5 are: 1) it prevents the user password from being sent across the Internet in clear text; 2) it provides message integrity and confidentiality protection after authentication.
Apparently, the disadvantages are not trivial: Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's password in a form that lets it retrieve the value of:
H({ username-value,":", realm-value, ":", passwd }).
without directly exposing the user's password. This is the source of why DIGEST-MD5 does not work in a lot of cases (discussed later).
The following example shows how a client performs authentication using Digest-MD5 to an LDAP server.
/**
 *
 * SaslDigestMD5JndiClient.java
 * Sample code to explore how and when DIGEST-MD5 authentication works.
 *
 */
import java.util.Hashtable;
import javax.naming.directory.*;
import javax.naming.*;

public class SaslDigestMD5JndiClient
{
    public static void main (String[] args)
    {
        String bind_dn = "testuser";
        String bind_password = "secret";
        String init_url = "ldap://myserver.mydomain.com:389";
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, init_url);
        // Set the authentication mechanism to be DIGEST-MD5
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, bind_dn);
        env.put(Context.SECURITY_CREDENTIALS, bind_password);
        /*
         * other environment properties are:
         * javax.security.sasl.qop:
         *   specifies list of qops: "auth", "auth-int", "auth-conf"
         *   auth -- authentication only;
         *   auth-int -- authentication & subsequent message's integrity check
         *   auth-conf -- authentication & subsequent message's
         *                confidentiality enforcement
         *   default is "auth"
         *   env.put("javax.security.sasl.qop", "auth");
         * javax.security.sasl.strength
         *   specifies low/medium/high strength of encryption;
         *   default is all available ciphers [high,medium,low];
         *   high means des3 or rc4 (128); medium des or rc4-56; low is rc4-40.
         *   env.put("javax.security.sasl.strength","high");
         * javax.security.sasl.maxbuf
         *   specifies max receive buf size; default is 65536
         * javax.security.sasl.sendmaxbuffer
         *   specifies max send buf size; default is 65536
         */
        DirContext ctx = null;
        try {
            // Create the initial directory context; the DIGEST-MD5 bind happens here
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            System.err.println("Authentication failed: " + e);
            return;   // no context to search with
        }
        try {
            // Create the search controls
            SearchControls searchCtls = new SearchControls();
            // Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "mail"};
            searchCtls.setReturningAttributes(returnedAtts);
            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(mail=*))";
            // Specify the base for the search
            String searchBase = "dc=mydomain,dc=com";
            // Search for objects using the filter
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, searchFilter, searchCtls);
            // Loop through the search results
            while (results.hasMore()) {
                SearchResult sr = results.next();
                System.out.println("dn: " + sr.getName());
                Attributes attrs = sr.getAttributes();
                System.out.println("attributes: " + attrs);
            }
        } catch (NamingException e) {
            System.err.println("Searching failed: " + e);
        } finally {
            try {
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Close failed: " + e);
            }
        }
    }
}
The above code has been tested against SunONE and Active Directory. The testing scenarios will be discussed in detail, but the failure outputs are very much the same, like:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
SteveHB:
Scenarios Where DIGEST-MD5 Works or Does NOT Work -- SunONE
Basic Settings
Server: SunONE
Client: JNDI application
User: cn=testuser,cn=users,dc=mydomain,dc=com
Passwd: secret *[see note below]
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL,
"dn:cn=testuser,cn=users,dc=mydomain,dc=com");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
env.put("javax.security.sasl.qop", "auth-int");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
env.put("javax.security.sasl.qop", "auth-conf");
Conclusions: For SunONE to work with DIGEST-MD5, the client's password must be stored in clear text. Ouch, this really sucks, and I don't think any administrator wants to risk that much simply to support MD5. SunONE does not support message integrity and confidentiality protection yet.
Note: (here is what java.sun.com says for itself) "The SunONE Directory Server, v5 supports the Digest-MD5 authentication mechanism for users that have clear-text passwords. You must set the password encryption mode before you create the user. If you have already created the user, delete it and recreate it. To set the password encryption mode using the Administration Console, select the Configuration tab and the Data node. In the Passwords pane, select the "No encryption (CLEAR)" option for "Password encryption." The server accepts simple user names (that is, the value of the "uid" attribute for entries that have one) and the "dn:" format of user names. See the server's documentation for detailed information"
SteveHB:
Scenarios Where DIGEST-MD5 Works or Does NOT Work -- Active Directory 2000
Basic Settings
Server: AD 2000
Client: JNDI application
User: cn=testuser,cn=users,dc=mydomain,dc=com
Realm: MYREALM
Passwd: secret *[see note below]
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser");
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "MYREAM\\testuser");
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");
env.put("javax.security.sasl.qop", "auth-conf");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL,
"cn=testuser,cn=users,dc=mydomain,dc=com");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "u:testuser");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL,
"dn:cn=testuser,cn=users,dc=mydomain,dc=com");
Conclusions: For DIGEST-MD5 to work on AD 2000, the client's password must be stored using reversible encryption so that the authentication agent (AD) can retrieve the password in clear text and then calculate the hash H(). Compared to SunONE, AD 2000 is doing much better, but it still faces the important security consequence. Active Directory supports message integrity and confidentiality protection, as suggested in RFC 2831. Active Directory does not support distinguished names. Active Directory does not support the 'u:' or 'dn:' notation described by Sun.
SteveHB:
Scenarios Where DIGEST-MD5 Works or Does NOT Work -- Active Directory 2003
Basic Settings
Server: AD 2003
Client: JNDI application
User: cn=testuser,cn=users,dc=mydomain,dc=com
Realm: MYREALM
Passwd: (password stored in hash format)
The following settings work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "MYREAM\\testuser");
The following settings do NOT work:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "testuser@mydomain.com");
Conclusions: Microsoft has noticed the serious security risk of storing passwords with reversible encryption as required by AD 2000. For this reason, AD 2003 comes with a 'better' solution -- the Advanced Digest Mechanism, which stores user credentials as an MD5 hash. Advanced Digest authentication does not require that credentials are stored using reversible encryption. Instead, Advanced Digest authentication stores a few precalculated hashes in Active Directory, so user passwords cannot feasibly be discovered by anyone with access to the domain controller, including the domain administrator. As an MD5 hash contains a user name, password, and the name of the realm, specified in the RFC as H( { username-value, ":", realm-value, ":", passwd } ), if the server stores this kind of hashed info rather than the reversible one, the server has very limited flexibility to calculate the client's hash for comparison. That's why the minor variations of the username, "MYREAM\\testuser" or "testuser@mydomain.com", would fail (remembering that they work for AD 2000). That sucks in terms of flexibility on the client side.
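As an added example (not code from the thread), the Python below carries the H({username:realm:passwd}) value from the first post through RFC 2831's response computation (algorithm=md5-sess) and models the two storage choices this post and the AD 2000 post contrast: a server holding only the precomputed hash, keyed by the exact username and realm it was computed with, versus one that can recover the clear password. The nonces, the digest-uri and the alias list are constructed, and the two server classes follow the thread's explanation rather than any vendor's implementation.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Added example: RFC 2831 DIGEST-MD5 response arithmetic (md5-sess, no authzid)
# plus two models of how a server can keep the password-derived value.


def _hex_h(data: bytes) -> str:
    """HEX(H(s)) with H = MD5, in RFC 2831's notation."""
    return hashlib.md5(data).hexdigest()


def password_hash(username: str, realm: str, password: str) -> bytes:
    """H( { username-value, ":", realm-value, ":", passwd } ): the only
    password-derived value a DIGEST-MD5 server needs. It is bound to the
    exact username and realm strings used when it was computed."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_response(pw_hash: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value from RFC 2831 section 2.1.2.1."""
    # A1 = { H(user:realm:pass) as raw bytes, ":", nonce, ":", cnonce }
    ha1 = _hex_h(pw_hash + f":{nonce}:{cnonce}".encode("utf-8"))
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32          # 32 hex zeros, only for auth-int/auth-conf
    ha2 = _hex_h(a2.encode("utf-8"))
    return _hex_h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, digest_uri: str, qop: str = "auth") -> Dict[str, str]:
    """The digest-response fields that matter for verification; the client
    knows the password and hashes it with the username spelling it chose."""
    nc = "00000001"
    return {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
            "nc": nc, "qop": qop, "digest-uri": digest_uri,
            "response": digest_response(password_hash(username, realm, password),
                                        nonce, cnonce, nc, qop, digest_uri)}


def _expected(pw_hash: bytes, r: Dict[str, str]) -> str:
    return digest_response(pw_hash, r["nonce"], r["cnonce"], r["nc"], r["qop"], r["digest-uri"])


class HashOnlyServer:
    """Model of the AD 2003 'Advanced Digest' / hash-only case: only
    H(user:realm:pass) is stored, under the (username, realm) it was built from."""

    def __init__(self) -> None:
        self.hashes: Dict[Tuple[str, str], bytes] = {}

    def add_user(self, username: str, realm: str, password: str) -> None:
        self.hashes[(username, realm)] = password_hash(username, realm, password)

    def verify(self, r: Dict[str, str]) -> bool:
        stored = self.hashes.get((r["username"], r["realm"]))
        if stored is None:          # another spelling of the name: no hash to
            return False            # recompute H(A1) from, so nothing to compare
        return hmac.compare_digest(_expected(stored, r), r["response"])


class ReversibleServer:
    """Model of the AD 2000 reversible-encryption case: the clear password is
    recoverable, so the server maps any accepted spelling to the account and
    recomputes H(...) with the username string exactly as the client sent it."""

    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {}   # account -> clear-text password
        self.aliases: Dict[str, str] = {}     # accepted spelling -> account

    def add_user(self, account: str, password: str, spellings: List[str]) -> None:
        self.passwords[account] = password
        for name in spellings:
            self.aliases[name] = account

    def verify(self, r: Dict[str, str]) -> bool:
        account = self.aliases.get(r["username"])
        if account is None:
            return False
        pw_hash = password_hash(r["username"], r["realm"], self.passwords[account])
        return hmac.compare_digest(_expected(pw_hash, r), r["response"])


# Constructed values; a real server and client pick fresh random nonces.
NONCE, CNONCE, URI = "constructed-server-nonce", "constructed-client-nonce", "ldap/myserver.mydomain.com"


def demo() -> Dict[str, bool]:
    """Which username spellings each server model accepts for the thread's test user."""
    ad2003 = HashOnlyServer()
    ad2003.add_user("testuser", "MYREALM", "secret")
    ad2000 = ReversibleServer()
    ad2000.add_user("testuser", "secret",
                    ["testuser", "MYREALM\\testuser", "testuser@mydomain.com"])
    results = {}
    for name in ("testuser", "MYREALM\\testuser", "testuser@mydomain.com"):
        r = client_response(name, "MYREALM", "secret", NONCE, CNONCE, URI)
        results[f"ad2003:{name}"] = ad2003.verify(r)
        results[f"ad2000:{name}"] = ad2000.verify(r)
    return results
```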
komal_singh:
Digest-MD5 authentication does not work with JNDI and AD?
Thanks for this great posting! However, even after following all the highlighted steps, I can't get LDAP connectivity with Digest-MD5 going. I have this working for anonymous, simple, and SSL.
Here is my config:
Server: AD 2003
Client: JNDI + JDK 1.6
User: cn=testuser,cn=users,dc=eyelitinc,dc=local
Password: test
Here is the relevant code:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, serviceProvider);
env.put(Context.PROVIDER_URL, "ldap://04Godzilla:389");
// Also tried with testuser@eyelitinc.local
env.put(Context.SECURITY_PRINCIPAL, "testuser");
env.put(Context.SECURITY_CREDENTIALS, "test");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
InitialDirContext ctx = new InitialDirContext(env);
I always get the error: javax.naming.AuthenticationNotSupportedException:DIGEST-MD5
I have queried the AD, using the following, to see if Digest-MD5 is supported, and it is:
Attributes attrs = ctx.getAttributes(fullUrl, new String[]{"supportedSASLMechanisms"});
Note: In the AD I have also checked the box for "use reversible encryption", and reset the password.
I WOULD GREATLY APPRECIATE ANY HELP!
Thanks ahead!

SteveHB:
My first guess is that your server name:
env.put(Context.PROVIDER_URL, "ldap://04Godzilla:389");
should be
env.put(Context.PROVIDER_URL, "ldap://04Godzilla.eyelitinc.local:389");
which may sometimes cause the error 'digest-uri does not match any LDAP SPN registered for your server'.
But you said explicitly that your error was "javax.naming.AuthenticationNotSupportedException:DIGEST-MD5", which should be easy to rule out.
In order to find out what went wrong, add the following line to your code, run your test again and then post your output (when you post, quote your output with [pre]...[/pre], otherwise it is too messy to read).
env.put("com.sun.jndi.ldap.trace.ber", System.err);
Let me see if I can help you from there.
Regards, Steve
komal_singh:
Hi Steve,
Thank you so very much for offering to help !!
(1) Here is the detailed stack trace with "env.put("com.sun.jndi.ldap.trace.ber", System.err);", which incidentally is the same with its absence.
ERROR: 20071011 174401 @05tiger [RMI Runtime: Thread-44] com.eyelit.trans.TransLDAP
javax.naming.AuthenticationNotSupportedException:DIGEST-MD5
Java version 1.6.0_01 from Sun Microsystems Inc. on Windows XP 5.1 CPU x86
javax.naming.AuthenticationNotSupportedException: DIGEST-MD5
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.eyelit.trans.TransLDAP.establishConnection(TransLDAP.java:173)
at com.eyelit.trans.TransLDAP.executeCommand(TransLDAP.java:81)
at com.eyelit.trans.Trans$ExecutionThread.run(Trans.java:1594)
(2) I also tried changing the URL to "ldap://04Godzilla.eyelitinc.local:389". However, this produces the following error:
javax.naming.CommunicationException: 04Godzilla.eyelitinc.local:389
[Root exception is java.net.UnknownHostException: 04Godzilla.eyelitinc.local]
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.eyelit.trans.TransLDAP.establishConnection(TransLDAP.java:170)
at com.eyelit.trans.TransLDAP.executeCommand(TransLDAP.java:81)
at com.eyelit.trans.Trans$ExecutionThread.run(Trans.java:1594)
Caused by: java.net.UnknownHostException: 04Godzilla.eyelitinc.local
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
... 16 more
(3) I tried using Digest-MD5 with a popular LDAP browser - Softerra - and it worked. So I'm guessing the problem is on the JNDI side, not the AD. AGAIN, I GREATLY APPRECIATE YOUR REPLY !

SteveHB:
Hi Komal,
Prior to addressing your issue (1), I am quite sure, from both your trials (2) and (3), that your AD is configured with an empty realm. It's OK, but it may fail for SOME clients to authenticate by DIGEST-MD5, NTLM, or GSSAPI/Kerberos whenever there is a realm involved.
Here is how I figured it out: Softerra lacks the ability (maybe a bug or maybe a predefined setting) to negotiate with the server while handling the DIGEST-MD5 protocol. After receiving the Digest-MD5 type 2 message, where the server informs the client of a list of realms the server can handle, the client should CHOOSE one from the list and generate its challenge response based on the chosen realm. But Softerra is not able to do that; it can only pick it up from the user's input. For example, you would have to type in testuser@eyelitinc.local if your AD's realm were 'eyelitinc.local'. Otherwise, Softerra is going to fail. For that reason, your AD's realm is empty. This is further confirmed by your trial (2).
Now back to your issue (1): it's not related to your server yet. I can easily reproduce your errors on my machine by:
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5-SASL"); // a fake mechanism
Notice that "DIGEST-MD5-SASL" is intentionally set as an unsupported mechanism. The output is as follows:
javax.naming.AuthenticationNotSupportedException: DIGEST-MD5-SASL
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:100)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
It's quite obvious that your JNDI library doesn't support "DIGEST-MD5". It has nothing to do with your server; your client has not reached that far yet. Try to get another version of the JRE or download the LDAP Booster Package ldapbp.jar. If everything goes right on your client side, you should at least see the DIGEST-MD5 Type 1 message like this:
-> 04Godzilla:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
Then, let me see if I can help you from there.
Good Luck, Steve
komal_singh:
Steve!!
You are a genius!!
I switched from JDK 1.6 to 1.5.0_11 and voila...everything worked!
So, is it safe to assume this won't work with 1.6, without some additional ldap booster? Perhaps a bug in 1.6?
Anyway, I can't thank you enough for your time ....thank you thank you thank you!!!!! :)
Warm Regards, Komal

kishore.jv:
I am unable to connect to AD 2003
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put( Context.PROVIDER_URL, "ldap://iemqdc:389");
env.put( Context.SECURITY_PRINCIPAL, userName );
env.put( Context.SECURITY_CREDENTIALS, password );
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put("com.sun.jndi.ldap.trace.ber", System.err);
-> iemqdc:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
<- iemqdc:389
0000: 30 84 00 00 00 DF 02 01 01 61 84 00 00 00 D6 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 CB 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73 2C 72 63 34 2D 34 30 2C 3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D 35 36 22 2C 61 6C 67 6F rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 39 32 38 32 35 66 31 65 34 31 once="92825f1e41
0080: 36 32 63 38 30 31 66 62 61 61 30 31 33 62 32 64 62c801fbaa013b2d
0090: 37 30 31 64 30 64 64 35 38 31 61 37 35 66 33 36 701d0dd581a75f36
00A0: 33 30 62 61 30 34 30 37 30 37 32 65 65 66 38 35 30ba0407072eef85
00B0: 36 34 39 63 39 64 38 36 36 64 39 39 64 65 37 62 649c9d866d99de7b
00C0: 35 37 38 38 63 62 22 2C 63 68 61 72 73 65 74 3D 5788cb",charset=
00D0: 75 74 66 2D 38 2C 72 65 61 6C 6D 3D 22 69 65 6D utf-8,realm="iem
00E0: 71 2E 61 65 22 q.ae"
-> iemqdc:389
0000: 30 82 01 46 02 01 02 60 82 01 3F 02 01 03 04 00 0..F...`..?.....
0010: A3 82 01 36 04 0A 44 49 47 45 53 54 2D 4D 44 35 ...6..DIGEST-MD5
0020: 04 82 01 26 63 68 61 72 73 65 74 3D 75 74 66 2D ...&charset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 41 64 6D 69 8,username="Admi
0040: 6E 69 73 74 72 61 74 6F 72 22 2C 72 65 61 6C 6D nistrator",realm
0050: 3D 22 69 65 6D 71 2E 61 65 22 2C 6E 6F 6E 63 65 ="iemq.ae",nonce
0060: 3D 22 39 32 38 32 35 66 31 65 34 31 36 32 63 38 ="92825f1e4162c8
0070: 30 31 66 62 61 61 30 31 33 62 32 64 37 30 31 64 01fbaa013b2d701d
0080: 30 64 64 35 38 31 61 37 35 66 33 36 33 30 62 61 0dd581a75f3630ba
0090: 30 34 30 37 30 37 32 65 65 66 38 35 36 34 39 63 0407072eef85649c
00A0: 39 64 38 36 36 64 39 39 64 65 37 62 35 37 38 38 9d866d99de7b5788
00B0: 63 62 22 2C 6E 63 3D 30 30 30 30 30 30 30 31 2C cb",nc=00000001,
00C0: 63 6E 6F 6E 63 65 3D 22 48 70 4D 6A 42 31 78 4E cnonce="HpMjB1xN
00D0: 57 65 6B 69 4B 6E 31 59 34 61 58 6D 47 62 7A 46 WekiKn1Y4aXmGbzF
00E0: 32 34 6A 2B 6F 44 44 44 6A 78 72 47 78 72 70 66 24j+oDDDjxrGxrpf
00F0: 22 2C 64 69 67 65 73 74 2D 75 72 69 3D 22 6C 64 ",digest-uri="ld
0100: 61 70 2F 69 65 6D 71 64 63 22 2C 6D 61 78 62 75 ap/iemqdc",maxbu
0110: 66 3D 36 35 35 33 36 2C 72 65 73 70 6F 6E 73 65 f=65536,response
0120: 3D 65 36 36 31 31 61 39 37 34 64 64 64 34 62 39 =e6611a974ddd4b9
0130: 39 36 62 61 38 62 64 35 65 37 64 32 66 65 65 63 96ba8bd5e7d2feec
0140: 32 2C 71 6F 70 3D 61 75 74 68 2,qop=auth
<- iemqdc:389
0000: 30 84 00 00 00 65 02 01 02 61 84 00 00 00 5C 0A 0....e...a....\.
0010: 01 31 04 00 04 55 38 30 30 39 30 33 30 43 3A 20 .1...U8009030C:
0020: 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D 30 43 LdapErr: DSID-0C
0030: 30 39 30 34 33 45 2C 20 63 6F 6D 6D 65 6E 74 3A 09043E, comment:
0040: 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC
0050: 6F 6E 74 65 78 74 20 65 72 72 6F 72 2C 20 64 61 ontext error, da
0060: 74 61 20 30 2C 20 76 65 63 65 00 ta 0, vece.
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C:
LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
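To make a com.sun.jndi.ldap.trace.ber dump like the one above easier to read, here is an added example (not code from the thread): it rebuilds the bytes from the trace rows, pulls out the DIGEST-MD5 directive string, parses it per RFC 2831, and flags three conditions discussed in this thread before a response is sent: a javax.security.sasl.qop the server does not offer (the SunONE auth-int/auth-conf results), a short host name ending up in digest-uri (the SPN mismatch Steve mentioned), and an empty realm. The embedded dump is the server challenge quoted in the post above; the checks and their wording are this example's own.

```python
import re
from typing import Dict, List, Optional

# Added example: decode a JNDI trace.ber dump, parse the RFC 2831 directives
# in it, and raise the three bind problems this thread runs into.

HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+(.*)$")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def decode_trace_dump(dump: str) -> bytes:
    """Return the raw bytes of one '-> host' / '<- host' trace block."""
    out = bytearray()
    for line in dump.splitlines():
        row = HEX_ROW.match(line)
        if row is None:
            continue                                 # direction header or blank
        for tok in row.group(1).split()[:16]:        # at most 16 bytes per row
            if not HEX_BYTE.fullmatch(tok):
                break                                # start of the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def extract_directives(data: bytes) -> Optional[str]:
    """The SASL credentials are the first long printable run containing '='
    (the BER tags and lengths around them are not printable)."""
    for run in re.findall(rb"[\x20-\x7e]{8,}", data):
        if b"=" in run:
            return run.decode("ascii")
    return None


DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_directives(text: str) -> Dict[str, object]:
    """RFC 2831 directive list -> dict; qop and cipher become lists."""
    parsed: Dict[str, object] = {}
    for name, value in DIRECTIVE.findall(text):
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # unquote, unescape
        if name.lower() in ("qop", "cipher"):
            parsed[name.lower()] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            parsed[name.lower()] = value
    return parsed


def check_bind_plan(challenge: Dict[str, object], requested_qop: str,
                    provider_host: str) -> List[str]:
    """Findings a client can raise from the challenge before responding."""
    findings = []
    offered = challenge.get("qop") or ["auth"]     # RFC 2831: absent qop means auth
    if requested_qop not in offered:
        findings.append(f"server offers qop={','.join(offered)}; "
                        f"javax.security.sasl.qop={requested_qop} cannot be negotiated")
    if "." not in provider_host:
        findings.append(f"digest-uri will be ldap/{provider_host}; AD matches it "
                        "against the LDAP SPNs registered for the server")
    if not challenge.get("realm"):
        findings.append("server advertised an empty realm")
    return findings


# Server challenge as quoted in the thread (trace.ber output, one block).
SAMPLE_CHALLENGE_DUMP = '''\
<- iemqdc:389
0000: 30 84 00 00 00 DF 02 01 01 61 84 00 00 00 D6 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 CB 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73 2C 72 63 34 2D 34 30 2C 3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D 35 36 22 2C 61 6C 67 6F rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 39 32 38 32 35 66 31 65 34 31 once="92825f1e41
0080: 36 32 63 38 30 31 66 62 61 61 30 31 33 62 32 64 62c801fbaa013b2d
0090: 37 30 31 64 30 64 64 35 38 31 61 37 35 66 33 36 701d0dd581a75f36
00A0: 33 30 62 61 30 34 30 37 30 37 32 65 65 66 38 35 30ba0407072eef85
00B0: 36 34 39 63 39 64 38 36 36 64 39 39 64 65 37 62 649c9d866d99de7b
00C0: 35 37 38 38 63 62 22 2C 63 68 61 72 73 65 74 3D 5788cb",charset=
00D0: 75 74 66 2D 38 2C 72 65 61 6C 6D 3D 22 69 65 6D utf-8,realm="iem
00E0: 71 2E 61 65 22 q.ae"
'''


def parse_sample_challenge() -> Dict[str, object]:
    return parse_directives(extract_directives(decode_trace_dump(SAMPLE_CHALLENGE_DUMP)) or "")
```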
SteveHB:
Never try to use the Administrator account for DIGEST-MD5
What you were trying to do was to bind with your domain controller account 'Administrator' via DIGEST-MD5. It never works!
In AD, Administrator is a critical account and its security should not be compromised in any way (as would be needed to make DIGEST-MD5 work). That is why it is marked as 'isCriticalSystemObject=TRUE'. Try to use a normal user account and see how it works for your environment settings.
Good luck, Steve

kishore.jv:
Thanks, that is working
I have modified it as you suggested and it is working. And I have given some privileges to that account to make it accomplish this.

music3man:
JNDI LDAP Problem
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://mfadldap.nnnnnn.edu:389/");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put("com.sun.jndi.ldap.trace.ber", System.err); //debug trace
-> mfadldap.nnnnnn.edu:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
<- mfadldap.nnnnnn.edu:389
0000: 30 84 00 00 00 E7 02 01 01 61 84 00 00 00 DE 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 D3 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73 2C 72 63 34 2D 34 30 2C 3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D 35 36 22 2C 61 6C 67 6F rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 32 35 63 32 63 66 62 32 64 65 once="25c2cfb2de
0080: 66 30 63 38 30 31 37 31 63 30 66 39 33 63 64 32 f0c80171c0f93cd2
0090: 38 37 39 39 35 36 36 66 30 66 62 37 36 36 65 62 8799566f0fb766eb
00A0: 34 35 36 61 33 63 33 35 38 33 34 61 39 35 33 66 456a3c35834a953f
00B0: 61 33 34 35 31 39 31 37 37 39 35 63 61 30 63 35 a3451917795ca0c5
00C0: 37 33 61 38 66 34 22 2C 63 68 61 72 73 65 74 3D 73a8f4",charset=
00D0: 75 74 66 2D 38 2C 72 65 61 6C 6D 3D 22 6D 66 61 utf-8,realm="mfa
00E0: 64 2E 6D 66 72 6F 6F 74 2E 6F 72 67 22 d.mfroot.org"
-> mfadldap.nnnnnn.edu:389
0000: 30 82 01 53 02 01 02 60 82 01 4C 02 01 03 04 00 0..S...`..L.....
0010: A3 82 01 43 04 0A 44 49 47 45 53 54 2D 4D 44 35 ...C..DIGEST-MD5
0020: 04 82 01 33 63 68 61 72 73 65 74 3D 75 74 66 2D ...3charset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 6D 30 35 35 8,username="m055
0040: 33 35 32 22 2C 72 65 61 6C 6D 3D 22 6D 66 61 64 352",realm="mfad
0050: 2E 6D 66 72 6F 6F 74 2E 6F 72 67 22 2C 6E 6F 6E .mfroot.org",non
0060: 63 65 3D 22 32 35 63 32 63 66 62 32 64 65 66 30 ce="25c2cfb2def0
0070: 63 38 30 31 37 31 63 30 66 39 33 63 64 32 38 37 c80171c0f93cd287
0080: 39 39 35 36 36 66 30 66 62 37 36 36 65 62 34 35 99566f0fb766eb45
0090: 36 61 33 63 33 35 38 33 34 61 39 35 33 66 61 33 6a3c35834a953fa3
00A0: 34 35 31 39 31 37 37 39 35 63 61 30 63 35 37 33 451917795ca0c573
00B0: 61 38 66 34 22 2C 6E 63 3D 30 30 30 30 30 30 30 a8f4",nc=0000000
00C0: 31 2C 63 6E 6F 6E 63 65 3D 22 78 4E 50 61 41 4C 1,cnonce="xNPaAL
00D0: 57 7A 69 33 5A 4F 30 76 78 70 62 47 64 5A 63 67 Wzi3ZO0vxpbGdZcg
00E0: 38 6F 63 31 68 70 2F 47 70 2B 65 6D 30 77 67 59 8oc1hp/Gp+em0wgY
00F0: 32 73 22 2C 64 69 67 65 73 74 2D 75 72 69 3D 22 2s",digest-uri="
0100: 6C 64 61 70 2F 6D 66 61 64 6C 64 61 70 2E 6D 61 ldap/mfadldap.nnn
0110: 79 6F 2E 65 64 75 22 2C 6D 61 78 62 75 66 3D 36 nnn.edu",maxbuf=6
0120: 35 35 33 36 2C 72 65 73 70 6F 6E 73 65 3D 38 32 5536,response=82
0130: 30 33 33 62 35 64 35 61 37 66 62 38 37 39 33 31 033b5d5a7fb87931
0140: 32 39 64 64 63 37 62 35 38 63 64 33 62 63 2C 71 29ddc7b58cd3bc,q
0150: 6F 70 3D 61 75 74 68 op=auth
<- mfadldap.nnnnnn.edu:389
0000: 30 84 00 00 00 BE 02 01 02 61 84 00 00 00 B5 0A 0........a......
0010: 01 31 04 00 04 82 00 82 38 30 30 39 30 33 30 33 .1......80090303
0020: 3A 20 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D : LdapErr: DSID-
0030: 30 43 30 39 30 34 32 30 2C 20 63 6F 6D 6D 65 6E 0C090420, commen
0040: 74 3A 20 54 68 65 20 64 69 67 65 73 74 2D 75 72 t: The digest-ur
0050: 69 20 64 6F 65 73 20 6E 6F 74 20 6D 61 74 63 68 i does not match
0060: 20 61 6E 79 20 4C 44 41 50 20 53 50 4E 27 73 20  any LDAP SPN's
0070: 72 65 67 69 73 74 65 72 65 64 20 66 6F 72 20 74 registered for t
0080: 68 69 73 20 73 65 72 76 65 72 2E 2C 20 64 61 74 his server., dat
0090: 61 20 30 2C 20 76 65 63 65 00 87 28 72 73 70 61 a 0, vece..(rspa
00A0: 75 74 68 3D 61 36 36 38 39 64 30 34 64 31 31 34 uth=a6689d04d114
00B0: 38 38 36 31 33 62 66 38 39 33 31 32 33 63 32 36 88613bf893123c26
00C0: 36 64 35 33 6d53
|
|
|
|
|
|
|
music3man member offline |
|
posts: |
6 |
joined: |
07/28/2008 |
from: |
MN |
|
|
|
|
|
JNDI LDAP Problem |
Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://mfadldap.nnnnnn.edu:389/"); env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); env.put(Context.SECURITY_PRINCIPAL, username); env.put(Context.SECURITY_CREDENTIALS, password); env.put("com.sun.jndi.ldap.trace.ber", System.err); //debug trace
-> mfadldap.nnnnnn.edu:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`.......... 0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
<- mfadldap.nnnnnn.edu:389
0000: 30 84 00 00 00 E7 02 01 01 61 84 00 00 00 DE 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 D3 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73 2C 72 63 34 2D 34 30 2C 3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D 35 36 22 2C 61 6C 67 6F rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 32 35 63 32 63 66 62 32 64 65 once="25c2cfb2de
0080: 66 30 63 38 30 31 37 31 63 30 66 39 33 63 64 32 f0c80171c0f93cd2
0090: 38 37 39 39 35 36 36 66 30 66 62 37 36 36 65 62 8799566f0fb766eb
00A0: 34 35 36 61 33 63 33 35 38 33 34 61 39 35 33 66 456a3c35834a953f
00B0: 61 33 34 35 31 39 31 37 37 39 35 63 61 30 63 35 a3451917795ca0c5
00C0: 37 33 61 38 66 34 22 2C 63 68 61 72 73 65 74 3D 73a8f4",charset=
00D0: 75 74 66 2D 38 2C 72 65 61 6C 6D 3D 22 6D 66 61 utf-8,realm="mfa
00E0: 64 2E 6D 66 72 6F 6F 74 2E 6F 72 67 22 d.mfroot.org"
-> mfadldap.nnnnnn.edu:389
0000: 30 82 01 53 02 01 02 60 82 01 4C 02 01 03 04 00 0..S...`..L.....
0010: A3 82 01 43 04 0A 44 49 47 45 53 54 2D 4D 44 35 ...C..DIGEST-MD5
0020: 04 82 01 33 63 68 61 72 73 65 74 3D 75 74 66 2D ...3charset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 6D 30 35 35 8,username="m055
0040: 33 35 32 22 2C 72 65 61 6C 6D 3D 22 6D 66 61 64 352",realm="mfad
0050: 2E 6D 66 72 6F 6F 74 2E 6F 72 67 22 2C 6E 6F 6E .mfroot.org",non
0060: 63 65 3D 22 32 35 63 32 63 66 62 32 64 65 66 30 ce="25c2cfb2def0
0070: 63 38 30 31 37 31 63 30 66 39 33 63 64 32 38 37 c80171c0f93cd287
0080: 39 39 35 36 36 66 30 66 62 37 36 36 65 62 34 35 99566f0fb766eb45
0090: 36 61 33 63 33 35 38 33 34 61 39 35 33 66 61 33 6a3c35834a953fa3
00A0: 34 35 31 39 31 37 37 39 35 63 61 30 63 35 37 33 451917795ca0c573
00B0: 61 38 66 34 22 2C 6E 63 3D 30 30 30 30 30 30 30 a8f4",nc=0000000
00C0: 31 2C 63 6E 6F 6E 63 65 3D 22 78 4E 50 61 41 4C 1,cnonce="xNPaAL
00D0: 57 7A 69 33 5A 4F 30 76 78 70 62 47 64 5A 63 67 Wzi3ZO0vxpbGdZcg
00E0: 38 6F 63 31 68 70 2F 47 70 2B 65 6D 30 77 67 59 8oc1hp/Gp+em0wgY
00F0: 32 73 22 2C 64 69 67 65 73 74 2D 75 72 69 3D 22 2s",digest-uri="
0100: 6C 64 61 70 2F 6D 66 61 64 6C 64 61 70 2E 6D 61 ldap/mfadldap.nnn
0110: 79 6F 2E 65 64 75 22 2C 6D 61 78 62 75 66 3D 36 nnn.edu",maxbuf=6
0120: 35 35 33 36 2C 72 65 73 70 6F 6E 73 65 3D 38 32 5536,response=82
0130: 30 33 33 62 35 64 35 61 37 66 62 38 37 39 33 31 033b5d5a7fb87931
0140: 32 39 64 64 63 37 62 35 38 63 64 33 62 63 2C 71 29ddc7b58cd3bc,q
0150: 6F 70 3D 61 75 74 68 op=auth
<- mfadldap.nnnnnn.edu:389
0000: 30 84 00 00 00 BE 02 01 02 61 84 00 00 00 B5 0A 0........a......
0010: 01 31 04 00 04 82 00 82 38 30 30 39 30 33 30 33 .1......80090303
0020: 3A 20 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D : LdapErr: DSID-
0030: 30 43 30 39 30 34 32 30 2C 20 63 6F 6D 6D 65 6E 0C090420, commen
0040: 74 3A 20 54 68 65 20 64 69 67 65 73 74 2D 75 72 t: The digest-ur
0050: 69 20 64 6F 65 73 20 6E 6F 74 20 6D 61 74 63 68 i does not match
0060: 20 61 6E 79 20 4C 44 41 50 20 53 50 4E 27 73 20 any LDAP SPN's
0070: 72 65 67 69 73 74 65 72 65 64 20 66 6F 72 20 74 registered for t
0080: 68 69 73 20 73 65 72 76 65 72 2E 2C 20 64 61 74 his server., dat
0090: 61 20 30 2C 20 76 65 63 65 00 87 28 72 73 70 61 a 0, vece..(rspa
00A0: 75 74 68 3D 61 36 36 38 39 64 30 34 64 31 31 34 uth=a6689d04d114
00B0: 38 38 36 31 33 62 66 38 39 33 31 32 33 63 32 36 88613bf893123c26
00C0: 36 64 35 33 6d53

music3man (joined 07/28/2008, from MN):
Sorry for the multiple posts. The submission results page was giving me a null pointer error. 8-(

music3man (joined 07/28/2008, from MN):
To follow up on my multiple previous posts, I was using my password equal to my plain-text password.
I also tried it with an MD5 digest password by running digest.sh from Tomcat in the format of "username:mfad.mfroot.org:password". I then get the error: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Am I using the correct values for creating the password, or is something else wrong? I can authenticate using simple authentication but not via DIGEST-MD5. Thanks for your help.

SteveHB (joined 05/31/2006, from Mountain View, CA):
Your DIGEST-MD5 type 3 message explicitly indicates "The digest-uri does not match any LDAP SPN's registered for this server."
So, the problem is that, unlike the Kerberos protocol, DIGEST-MD5 is *NOT* capable of cross-domain/realm authentication. In that sense, the requested digest-uri, ldap/mfadldap.nnnnnn.edu, must match your server's SPN, but your server is registered within realm mfad.mfroot.org.
Let me know if you have any further problems after resetting your server's SPN.
Good Luck, Steve

bill_comer (joined 09/29/2008, from manchester, lancashire United Kingdom):
Authentication issue to ActiveDirectory
Hi there,
I am struggling to authenticate to an AD 2003 LDAP. I am using acegi 1.0.3 and spring 1.2.7. I have various tests that allow me to perform things like userSearch, but authentication fails. Any clues please?
My simplest test fails at the line:
LdapUserDetailsImpl.Essence userEssence = (LdapUserDetailsImpl.Essence) template.retrieveEntry(userDn,
userDetailsMapper, null);
with the Exception: org.acegisecurity.BadCredentialsException: Bad credentials; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
public void testFromJava() throws NamingException
{
    String user = "user1";
    String password = "secret";
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ut-ad-01:389/DC=Testusers,DC=foo,DC=co,DC=uk");
    env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
    env.put(Context.SECURITY_PRINCIPAL, user);
    env.put(Context.SECURITY_CREDENTIALS, password);
    env.put("com.sun.jndi.ldap.trace.ber", System.err);
    DirContext ctx = new InitialDirContext(env);
    String userDn = "DC=" + user + ",DC=Testusers,DC=foo,DC=co,DC=uk";
    LdapUserDetailsMapper userDetailsMapper = new LdapUserDetailsMapper();
    LdapTemplate template = new LdapTemplate(initialDirContextFactory, userDn, password);
    LdapUserDetailsImpl.Essence userEssence = (LdapUserDetailsImpl.Essence) template.retrieveEntry(userDn, userDetailsMapper, null);
    ctx.close();
}
the bean for my initialDirContextFactory is:
<bean id="initialDirContextFactory" parent="utilisoftActiveDirectoryDirContextFactory">
</bean>
<bean id="utilisoftActiveDirectoryDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://ut-ad-01:389/DC=formfill,DC=co,DC=uk" />
    <property name="managerDn">
        <value>admin</value>
    </property>
    <property name="managerPassword">
        <value>g0ldf1sh</value>
    </property>
    <property name="authenticationType">
        <value>DIGEST-MD5</value>
    </property>
</bean>

nirmaldasb (joined 07/14/2009, from Tamilnadu India):
unable to get sub error code with DIGEST-MD5
Hi all,
When an authentication fails with the DIGEST-MD5 mechanism for any reason, like user not existing / wrong password / account disabled, I am not able to get the exact sub-error code. I always get the same one, as given below.
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Can anyone help with how to get the sub-error code here?
Hashtable env = new Hashtable();
//env.put(Context.SECURITY_PROTOCOL, "GSSAPI");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.PROVIDER_URL, "ldap://xxxx.domain.com:389/"); // SET YOUR SERVER AND STARTING CONTEXT HERE
env.put(Context.SECURITY_PRINCIPAL, "testuser1"); // SET USER THAT CAN SEARCH AND MODIFY FULL NAME HERE
env.put(Context.SECURITY_CREDENTIALS, "xxxxxx"); // SET PASSWORD HERE
env.put("com.sun.jndi.ldap.trace.ber", System.err); //debug trace
// env.put("java.naming.ldap.version", "3");
// env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
DirContext ctx = new InitialLdapContext(env,null);
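An added example, written for this thread rather than taken from any of the posts or from the JNDI provider: a small parser for the AD bind diagnostic quoted above. It is in Python so it runs offline; in a JNDI client the text you would feed it is the AuthenticationException's getMessage(). It runs over the two messages that occur in this thread plus one constructed simple-bind failure (its DSID is a placeholder), and maps the "data" field to the documented AD sub-codes for result 49. For the DIGEST-MD5 failures in this thread that field is 0, so the parser reports that no sub-code was given instead of guessing a cause.

```python
# Added example (not from the thread): extract the sub-error code Active Directory
# appends to an LDAP error 49 diagnostic and map it to its documented meaning.
import re

# Sub-codes AD reports after "data" for result 49 (well-known values, in hex)
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# The HRESULT AD prints before "LdapErr"; the first two occur in this thread
HRESULTS = {
    "8009030C": "SEC_E_LOGON_DENIED",
    "80090303": "SEC_E_TARGET_UNKNOWN",
    "80090308": "SEC_E_INVALID_TOKEN",
}

PATTERN = re.compile(
    r"error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message):
    """Return the fields of an AD bind failure, or None if the text is not one."""
    m = PATTERN.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    if data == "0":
        reason = "no sub-code reported"  # what every DIGEST-MD5 failure in this thread shows
    else:
        reason = AD_SUBCODES.get(data, "unknown sub-code")
    hres = m.group("hresult").upper()
    return {
        "code": int(m.group("code")),
        "hresult": HRESULTS.get(hres, hres),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "reason": reason,
    }


SAMPLES = [
    # 1: the DIGEST-MD5 failure quoted above (data 0, so the cause is not distinguishable)
    "[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece",
    # 2: the SPN mismatch from music3man's trace, as JNDI surfaces the server diagnostic
    "[LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece",
    # 3: constructed simple-bind failure; DSID-00000000 is a placeholder, 52e is the documented sub-code
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v1db1",
]


def summarize(messages=SAMPLES):
    """Map each message to (hresult, data, reason), the triple worth logging or alerting on."""
    out = []
    for msg in messages:
        p = parse_ad_bind_error(msg)
        out.append((p["hresult"], p["data"], p["reason"]) if p else None)
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

The lazy comment group stops at the first ", data ", so the SPN message with a full sentence (and a trailing period) in the comment parses the same way as the short "AcceptSecurityContext error" form.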

nirmaldasb (joined 07/14/2009, from Tamilnadu India):
How to get error code in case authentication fails
Hi all,
When an authentication fails with the DIGEST-MD5 mechanism for any reason, like user not existing / wrong password / account disabled, I am not able to get the exact sub-error code. I always get the same one, as given below.
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Can anyone help with how to get the sub-error code here?
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.PROVIDER_URL, "ldap://xxxx.domain.com:389/");
env.put(Context.SECURITY_PRINCIPAL, "testuser1");
env.put(Context.SECURITY_CREDENTIALS, "xxxxxx");
env.put("com.sun.jndi.ldap.trace.ber", System.err); //debug trace
DirContext ctx = new InitialLdapContext(env,null);

nirmaldasb (joined 07/14/2009, from Tamilnadu India):
Sorry for the multiple posts, I got a null pointer exception for the initial posting.

dferrero (joined 02/23/2012, from Glastonbury, CT):
end-to-end DIGEST-MD5 possible?
SteveHB: Thank you for this article. It actually helped me add support for DIGEST-MD5 to our product. Simpler than I thought - just needed to get the username in the correct format.
I've been looking for a way to do end-to-end SASL LDAP auth but haven't seen an API to do so. The current JNDI APIs seem to expect you to provide the username and password in plain-text format; then, under the covers, JNDI performs the SASL encryption / hash work.
In my scenario, a client app (which I do not have control over) wants to authenticate with my server application. My server application wants to allow these client apps to authenticate through AD / LDAP. In other words, I am trying to "pass through" the client's SASL auth request to AD / LDAP and, based on the success of this bind, allow the client to connect to my server app. Is this possible? If so, how? If not, why not? :-)
It defeats the purpose of security if I have to force the client apps to use PLAIN / simple SASL and give me their password in clear text in order for me to perform the bind on their behalf.

SteveHB (joined 05/31/2006, from Mountain View, CA):
End-to-end DIGEST-MD5 impossible!
Hi dferrero,
Hmmm..., you want to be the man-in-the-middle. No client is happy with this kind of solution unless it is a trusted system.
To answer your question -- NO, it's impossible for DigestMD5 to fulfill your need. You need a delegation solution here. You can do it by using the Kerberos protocol with a FORWARDABLE TGS ticket.
The following topic, When delegation is possible?, may also be of some help.

mehta.vikrant (joined 11/15/2012, from Mumbai, Maharashtra India):
LDAP SASL Authentication using DIGEST MD5 Failing
Hi,
I am new to LDAP with MD5 authentication. I need client authentication using LDAP with the MD5 algorithm. Below is the configuration I'm using; I also tried the combinations of usernames mentioned in earlier posts. I am encrypting the password from a JSP with the MD5 algorithm and passing the same to LDAP for authentication. I still get authentication failed, with the trace below.
User ID :----->USR23210
User Password :----->d18bb9bc4b85449f9cdbe076aacd4a2b
provider_url :----->ldap://10.1.20.27
security_authentication :----->DIGEST-MD5
security_principal_default_password :----->notrequired
security_principal_search :----->OU=EMPLOYEES,OU=BANK LTD,OU=ADUSERS,DC=bankltd,DC=com
security_principal_default_password :----->notrequired
security_attribute_for_user :----->sAMAccountName
-> 10.1.20.27:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
<- 10.1.20.27:389
0000: 30 84 00 00 01 04 02 01 01 61 84 00 00 00 FB 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 F0 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 64 65 73 2C 72 63 34 2D 34 30 2C 3des,des,rc4-40,
0050: 72 63 34 2C 72 63 34 2D 35 36 22 2C 61 6C 67 6F rc4,rc4-56",algo
0060: 72 69 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E rithm=md5-sess,n
0070: 6F 6E 63 65 3D 22 2B 55 70 67 72 61 64 65 64 2B once="+Upgraded+
0080: 76 31 65 33 33 30 61 38 64 35 66 39 64 38 38 34 v1e330a8d5f9d884
0090: 65 35 63 35 63 37 34 64 33 35 35 63 63 32 63 64 e5c5c74d355cc2cd
00A0: 30 31 33 63 64 31 39 66 65 37 64 31 65 33 63 64 013cd19fe7d1e3cd
00B0: 34 37 38 38 62 63 36 37 63 34 31 38 61 66 62 33 4788bc67c418afb3
00C0: 38 38 61 35 66 35 33 66 32 65 64 61 65 38 30 32 88a5f53f2edae802
00D0: 64 31 63 34 38 66 32 64 61 66 35 36 34 36 32 31 d1c48f2daf564621
00E0: 35 35 22 2C 63 68 61 72 73 65 74 3D 75 74 66 2D 55",charset=utf-
00F0: 38 2C 72 65 61 6C 6D 3D 22 69 63 69 63 69 62 61 8,realm="bankltd
0100: 6E 6B 6C 74 64 2E 63 6F 6D 22 .com"
-> 10.1.20.27:389
0000: 30 82 01 8D 02 01 02 60 82 01 86 02 01 03 04 00 0......`........
0010: A3 82 01 7D 04 0A 44 49 47 45 53 54 2D 4D 44 35 ......DIGEST-MD5
0020: 04 82 01 6D 63 68 61 72 73 65 74 3D 75 74 66 2D ...mcharset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 42 41 4E 32 8,username="USR2
0040: 33 32 31 30 40 69 63 69 63 69 62 61 6E 6B 6C 74 3210@bankltd.com
0050: 64 2E 63 6F 6D 22 2C 72 65 61 6C 6D 3D 22 69 63 ",realm="iciciba
0060: 69 63 69 62 61 6E 6B 6C 74 64 2E 63 6F 6D 22 2C nkltd.com",
0070: 6E 6F 6E 63 65 3D 22 2B 55 70 67 72 61 64 65 64 nonce="+Upgraded
0080: 2B 76 31 65 33 33 30 61 38 64 35 66 39 64 38 38 +v1e330a8d5f9d88
0090: 34 65 35 63 35 63 37 34 64 33 35 35 63 63 32 63 4e5c5c74d355cc2c
00A0: 64 30 31 33 63 64 31 39 66 65 37 64 31 65 33 63 d013cd19fe7d1e3c
00B0: 64 34 37 38 38 62 63 36 37 63 34 31 38 61 66 62 d4788bc67c418afb
00C0: 33 38 38 61 35 66 35 33 66 32 65 64 61 65 38 30 388a5f53f2edae80
00D0: 32 64 31 63 34 38 66 32 64 61 66 35 36 34 36 32 2d1c48f2daf56462
00E0: 31 35 35 22 2C 6E 63 3D 30 30 30 30 30 30 30 31 155",nc=00000001
00F0: 2C 63 6E 6F 6E 63 65 3D 22 2B 54 7A 6C 6B 75 51 ,cnonce="+TzlkuQ
0100: 33 53 65 63 6D 73 6A 30 41 35 75 52 31 72 46 77 3Secmsj0A5uR1rFw
0110: 6A 53 47 6C 51 4A 7A 69 2F 6F 58 6F 36 70 31 5A jSGlQJzi/oXo6p1Z
0120: 66 22 2C 64 69 67 65 73 74 2D 75 72 69 3D 22 6C f",digest-uri="l
0130: 64 61 70 2F 31 30 2E 30 2E 33 2E 32 37 22 2C 6D dap/10.1.20.27",m
0140: 61 78 62 75 66 3D 36 35 35 33 36 2C 72 65 73 70 axbuf=65536,resp
0150: 6F 6E 73 65 3D 66 61 63 39 35 62 34 35 65 33 62 onse=fac95b45e3b
0160: 33 36 30 65 33 62 38 39 37 33 66 61 39 32 35 35 360e3b8973fa9255
0170: 31 38 36 61 32 2C 71 6F 70 3D 61 75 74 68 2D 63 186a2,qop=auth-c
0180: 6F 6E 66 2C 63 69 70 68 65 72 3D 22 33 64 65 73 onf,cipher="3des
0190: 22 "
<- 10.1.20.27:389
0000: 30 84 00 00 00 65 02 01 02 61 84 00 00 00 5C 0A 0....e...a....\.
0010: 01 31 04 00 04 55 38 30 30 39 30 33 30 43 3A 20 .1...U8009030C:
0020: 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D 30 43 LdapErr: DSID-0C
0030: 30 39 30 34 33 45 2C 20 63 6F 6D 6D 65 6E 74 3A 09043E, comment:
0040: 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC
0050: 6F 6E 74 65 78 74 20 65 72 72 6F 72 2C 20 64 61 ontext error, da
0060: 74 61 20 30 2C 20 76 65 63 65 00 ta 0, vece.
LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Any help would be greatly appreciated.

SteveHB (joined 05/31/2006, from Mountain View, CA):
Please try to connect to your LDAP server by using the FQDN instead of the IP address.
That is to say,
provider_url :----->ldap://10.1.20.27
should be:
provider_url :----->ldap://<FQDN>
Good Luck, Steve

lamazimagari (joined 03/28/2013, from Istanbul Turkey):
sending encrypted password to LDAP server (Active Directory 2008)
Hi everyone,
I could successfully log in to AD with a clear-text password using MD5 Digest authentication; additionally, as you said before, JNDI performs the SASL encryption / hash work on our behalf, so everything works fine. However, my problem is that I want to hash my password on my own, or an external device sends its passwords in encrypted form, so I must send the encrypted data to AD, but it does not work when I change my password to the encrypted one. Is there any way to prevent JNDI from hashing the password?
I would greatly appreciate any help.
Thanks.
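An added example, written for this thread and not taken from any post, from the JNDI provider or from RFC 2831 itself: the DIGEST-MD5 arithmetic of RFC 2831 in Python, so it can be run offline against the values in the traces above. It uses the username, realm, nonce, cnonce, nc and digest-uri from music3man's trace; the password is a constructed stand-in, since the real one is not on the page. It illustrates the points raised in Steve's SPN reply and FQDN advice and in the two questions about sending a pre-hashed password: the digest-uri is "ldap/<host exactly as typed in the provider URL>", so a bare IP address produces the "ldap/10.1.20.27" seen in mehta.vikrant's trace, and that value is bound into the digest; the server verifies from its stored H(username:realm:password), never from the password itself; and the client side needs the clear-text password (or that same H(A1) secret), so a client that substitutes MD5(password) computes a response the server rejects, which is why hashing the password in a JSP or on a device first cannot work with this mechanism.

```python
# Added example for this thread (not code from the posts above, from the JNDI
# provider, or from RFC 2831): the DIGEST-MD5 arithmetic of RFC 2831, section 2.1.2.
# Username, realm, nonce, cnonce, nc and digest-uri are the values from music3man's
# trace; PASSWORD is a constructed value (the real one is not posted).
import hashlib
import re
from urllib.parse import urlsplit

USERNAME = "m055352"
PASSWORD = "secret"  # constructed stand-in for the enrolled password
CNONCE = "xNPaALWzi3ZO0vxpbGdZcg8oc1hp/Gp+em0wgY2s"
NC = "00000001"
# Server challenge exactly as decoded in the trace above
CHALLENGE = (
    'qop="auth,auth-int,auth-conf",cipher="3des,des,rc4-40,rc4,rc4-56",'
    'algorithm=md5-sess,nonce="25c2cfb2def0c80171c0f93cd28799566f0fb766eb'
    '456a3c35834a953fa3451917795ca0c573a8f4",charset=utf-8,realm="mfad.mfroot.org"'
)


def parse_directives(text):
    """Split a DIGEST-MD5 challenge or response into its key=value directives."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', text)}


def digest_uri_for(provider_url, service="ldap"):
    """digest-uri as a JNDI client forms it: "<service>/<host>", with host taken
    verbatim from the provider URL. An FQDN gives "ldap/mfadldap.nnnnnn.edu";
    a bare IP gives "ldap/10.1.20.27" (mehta.vikrant's trace). AD compares this
    value with the LDAP SPNs registered for the server."""
    return f"{service}/{urlsplit(provider_url).hostname}"


def stored_secret(username, realm, password):
    """H(username:realm:passwd), the only password-derived value the server keeps.
    Values here are ASCII, so RFC 2831's utf-8/iso-8859-1 charset rule changes nothing."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _response(secret, nonce, cnonce, nc, qop, digest_uri, method):
    # algorithm=md5-sess: A1 = H(user:realm:passwd) ":" nonce ":" cnonce,
    # with the inner hash as 16 raw bytes, not hex.
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    # A2 = method ":" digest-uri, so the digest is bound to the service the client named
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The response=... directive; it needs the clear-text password (or H(user:realm:passwd))."""
    return _response(stored_secret(username, realm, password), nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_verify(secret, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side: recompute from the stored secret and compare with what arrived."""
    return _response(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE") == response


def server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri):
    """The rspauth=... value in the final server message (A2 with an empty method)."""
    return _response(secret, nonce, cnonce, nc, qop, digest_uri, "")


def prehashed(password):
    """What a client that 'encrypts' the password with MD5 first, as in the posts
    above, actually feeds in place of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def demo(provider_url="ldap://mfadldap.nnnnnn.edu:389/", password=PASSWORD):
    """Run one exchange: the client uses `password`, the server its enrolled secret."""
    ch = parse_directives(CHALLENGE)
    uri = digest_uri_for(provider_url)
    resp = client_response(USERNAME, ch["realm"], password, ch["nonce"], CNONCE, NC, "auth", uri)
    secret = stored_secret(USERNAME, ch["realm"], PASSWORD)
    return {
        "digest_uri": uri,
        "response": resp,
        "accepted": server_verify(secret, ch["nonce"], CNONCE, NC, "auth", uri, resp),
        "rspauth": server_rspauth(secret, ch["nonce"], CNONCE, NC, "auth", uri),
    }


if __name__ == "__main__":
    print(demo()["accepted"])                                   # True
    print(demo(password=prehashed(PASSWORD))["accepted"])       # False
    print(demo(provider_url="ldap://10.1.20.27")["digest_uri"])  # ldap/10.1.20.27
```

Note that nothing in the mechanism lets a client hand over an already-hashed credential: the only secret the protocol can work from is H(username:realm:password), which is why the realm has to be fixed when the password is stored and why changing the password to its MD5 hex makes the server's recomputation disagree.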