Type: Bug
Resolution: Unresolved
Priority: P4
Fix Version: None
Affects Version: 17
OS: generic
CPU: generic
A DESCRIPTION OF THE PROBLEM :
Unable to connect to Active Directory using Java client with digest-md5, ssl enabled and qop auth-int/auth-conf when channel binding and signing are required in LDAP.
We are encountering an error when connecting to an LDAP server using the above Java (17) with certain Active Directory registry settings. Specifically, when we set the following registry entries as per the Microsoft Guide: https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a
- LdapEnforceChannelBinding=2
- ldapserverintegrity=2
We receive the following error message: LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AC, comment: AcceptSecurityContext error, data 80090346, v4563
However, when we set LdapEnforceChannelBinding=1 (while keeping ldapserverintegrity=2), the connection is successful.
Additionally, with both LdapEnforceChannelBinding=2 and ldapserverintegrity=2, we can connect to the non-SSL LDAP URL "ldap://machine.domain.com:389".
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Connect to LDAP using DIGEST-MD5 authentication while SSL is enabled. Sample code is provided below. In AD set the following values: LdapEnforceChannelBinding=2 and ldapserverintegrity=2
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
We should be able to connect using com.sun.jndi.ldap.tls.cbtype=tls-server-end-point according to the Java documentation.
ACTUAL -
We get the following error message: LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AC, comment: AcceptSecurityContext error, data 80090346, v4563
---------- BEGIN SOURCE ----------
import javax.naming.*;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import java.util.Hashtable;

public class LDAPBindSSLExample {
    public static void main(String[] args) throws Exception {
        String ldapURL = "ldaps://machine.domain.com:636";
        String username = "username"; // without @domain
        String domainName = "domain.com";
        String password = "password";
        String timeout = "5000";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.security.sasl.realm", domainName);
        // SASL DIGEST-MD5 bind over LDAPS (port 636)
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("javax.security.sasl.qop", "auth");
        env.put(Context.PROVIDER_URL, ldapURL);
        env.put(Context.SECURITY_PRINCIPAL, username);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "ignore");
        env.put("java.naming.ldap.version", "3");
        // Request RFC 5929 tls-server-end-point channel binding for the SASL bind
        env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        env.put("com.sun.jndi.ldap.connect.timeout", timeout);

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            System.out.println("Bind successful");
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
---------- END SOURCE ----------
FREQUENCY : always
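The following added example is not part of the bug report or the JDK: it computes the RFC 5929 tls-server-end-point channel-binding value (a hash of the server's DER certificate, with MD5 and SHA-1 signature hashes upgraded to SHA-256) that a client sends when com.sun.jndi.ldap.tls.cbtype is set, so the client-side value can be compared with what the directory server expects while diagnosing a failure like the one above. The host and port on the command line are placeholders, it assumes the server certificate is trusted by the default trust store, and signature algorithms whose hash cannot be read from the algorithm name (RSASSA-PSS, EdDSA) are rejected rather than guessed.

```java
// Added example, not code from the bug report or the JDK.
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

public class TlsServerEndPointCb {

    // RFC 5929 section 4.1: hash the DER certificate with the hash function of the
    // certificate's signature algorithm; MD5 and SHA-1 are replaced by SHA-256.
    static String hashForSigAlg(String sigAlgName) {
        String s = sigAlgName.toUpperCase();
        int with = s.indexOf("WITH");
        if (with < 0) {
            throw new IllegalArgumentException("cannot derive hash from " + sigAlgName);
        }
        String hash = s.substring(0, with); // e.g. "SHA256" from "SHA256withRSA"
        switch (hash) {
            case "MD5":
            case "SHA1":
            case "SHA256": return "SHA-256";
            case "SHA384": return "SHA-384";
            case "SHA512": return "SHA-512";
            default: throw new IllegalArgumentException("unsupported hash " + hash);
        }
    }

    // Channel-binding value for the given server (leaf) certificate.
    static byte[] tlsServerEndPoint(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance(hashForSigAlg(cert.getSigAlgName()));
        return md.digest(cert.getEncoded());
    }

    // Usage: java TlsServerEndPointCb machine.domain.com 636   (placeholder host/port)
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port)) {
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("sigAlg=" + leaf.getSigAlgName());
            System.out.println("tls-server-end-point=" + HexFormat.of().formatHex(tlsServerEndPoint(leaf)));
        }
    }
}
```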
Relates to: JDK-8247311 LDAP Channel Binding support for Java GSS/Kerberos (Closed)