JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos

Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS.

https://support.microsoft.com/en-au/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

When the option is enabled on the AD server, LDAPS connections from a client that authenticates with GSSAPI fail with a message similar to:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580]

How to reproduce:
1. Test environment:
    - Windows Server 2012 R2, with Active Directory, Enterprise CA, LDAPS enabled.
    - Linux client: setup commands are attached.
2. Enable Channel Binding Enforcement (value=2) on the Windows LDAP server:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LdapEnforceChannelBinding"=dword:00000002
Refer to the following instructions for more information: https://support.microsoft.com/en-in/help/4034879
3. Compile and run a simple LDAP client:
import java.security.PrivilegedAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

public class LdapChannelBindingWithGSSAPI1 {

    public static String LDAPS_URL = "ldaps://something.com";
    public static String USER = "user";
    public static String KRB5CONFIG_FILE = "krb5.conf";
    public static String JAASCONFIG_FILE = "jaas.conf";

    public static void main(String[] args) throws LoginException, NamingException {
        // Kerberos and JAAS configuration used by the Krb5LoginModule
        System.setProperty("java.security.krb5.conf", KRB5CONFIG_FILE);
        System.setProperty("java.security.auth.login.config", JAASCONFIG_FILE);
        System.setProperty("sun.security.krb5.principal", USER);

        // Obtain Kerberos credentials via the "LdapChannelBinding" JAAS entry
        LoginContext lc = new LoginContext("LdapChannelBinding", new TextCallbackHandler());
        lc.login();

        // Perform the LDAP bind with the authenticated Subject's credentials
        JndiAction jndiAction = new JndiAction();
        Subject.doAs(lc.getSubject(), jndiAction);
    }
}

class JndiAction implements PrivilegedAction<Object> {

    public Object run() {
        Hashtable<String, Object> env = new Hashtable<>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LdapChannelBindingWithGSSAPI1.LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Request the tls-server-end-point channel binding for the SASL/GSSAPI bind
        env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        env.put("com.sun.jndi.ldap.connect.timeout", "2000");

        try {
            //InitialDirContext initialDirContext = new InitialDirContext(env);
            InitialLdapContext initialDirContext = new InitialLdapContext(env, null);
            System.out.println(initialDirContext.getAttributes(""));
        } catch (NamingException e) {
            e.printStackTrace();
        }
        return null;
    }
}

4. On success, the client authenticates to the server and prints the returned attributes.
Otherwise it fails with "[LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580]"
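As an added example (not code from this bug report or from the JDK), the hypothetical helper below derives the tls-server-end-point binding data that a client setting com.sun.jndi.ldap.tls.cbtype is expected to present: per RFC 5929 the server certificate is hashed with the digest named in its signature algorithm (MD5 and SHA-1 are replaced by SHA-256), and the GSS-API application data is that hash prefixed with the binding type name and a colon. The class name and the certificate-file argument are assumptions; it is useful for comparing what two clients compute for the same server certificate when a bind is rejected with the error above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Locale;

/** Hypothetical helper, not part of the JDK: derives the tls-server-end-point binding for a server certificate. */
public class TlsServerEndPointBinding {
    /** GSS-API channel-binding application data is the binding type, a colon, then the certificate hash. */
    static final String PREFIX = "tls-server-end-point:";
    /** RFC 5929 4.1: use the digest named in the signature algorithm, but MD5 and SHA-1 become SHA-256. */
    static String digestAlgorithm(String sigAlgName) {
        String alg = sigAlgName.toUpperCase(Locale.ROOT);
        int with = alg.indexOf("WITH");                     // JCA names look like "SHA256withRSA"
        if (with <= 0) {                                    // "RSASSA-PSS", "Ed25519": no digest in the name
            throw new IllegalArgumentException("cannot derive a digest from " + sigAlgName);
        }
        alg = alg.substring(0, with);
        if (alg.equals("MD5") || alg.equals("SHA1") || alg.equals("SHA-1")) {
            return "SHA-256";
        }
        // JCA signature names spell the digest "SHA256"; MessageDigest expects "SHA-256".
        return alg.startsWith("SHA") && !alg.startsWith("SHA-") ? "SHA-" + alg.substring(3) : alg;
    }
    /** Channel-binding bytes the client presents: PREFIX followed by digest(DER-encoded certificate). */
    static byte[] channelBindingData(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance(digestAlgorithm(cert.getSigAlgName()));
        byte[] hash = md.digest(cert.getEncoded());
        byte[] prefix = PREFIX.getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[prefix.length + hash.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(hash, 0, out, prefix.length, hash.length);
        return out;
    }
    /** Usage: java TlsServerEndPointBinding server-cert.pem (placeholder path; PEM or DER is accepted). */
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("signature algorithm: " + cert.getSigAlgName()
                + " -> digest " + digestAlgorithm(cert.getSigAlgName()));
        System.out.println("channel binding data (base64): "
                + Base64.getEncoder().encodeToString(channelBindingData(cert)));
    }
}
```

The server certificate can be exported with openssl s_client against the LDAPS port; a certificate whose signature algorithm carries no digest name (RSASSA-PSS, Ed25519) is rejected by the helper rather than hashed with a guessed algorithm.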

abakhtin Alexey Bakhtin