JDK-8245527

LDAP Channel Binding support for Java GSS/Kerberos



      Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS.


      When the option is enabled on the AD domain controller, LDAPS connections from an authenticated client that uses GSSAPI (Kerberos) authentication fail with a message similar to:

      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580

      How to reproduce:
      1. Test environment:
          - Windows Server 2012 R2, with Active Directory, Enterprise CA, LDAPS enabled.
          - Linux client: setup commands are attached
      2. Enable Channel Binding Enforcement (value=2) on the Windows LDAP server:
      Windows Registry Editor Version 5.00

      Refer to the following instructions for more information: https://support.microsoft.com/en-in/help/4034879
      3. Compile and run a simple LDAP client:
      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.NamingException;
      import javax.naming.directory.Attributes;
      import javax.naming.ldap.InitialLdapContext;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import com.sun.security.auth.callback.TextCallbackHandler;

      public class LdapChannelBindingWithGSSAPI1 {

          public static String LDAPS_URL = "ldaps://something.com";
          public static String USER = "user";
          public static String KRB5CONFIG_FILE = "krb5.conf";
          public static String JAASCONFIG_FILE = "jaas.conf";

          public static void main(String[] args) throws LoginException, NamingException {
              System.setProperty("java.security.krb5.conf", KRB5CONFIG_FILE);
              System.setProperty("java.security.auth.login.config", JAASCONFIG_FILE);
              System.setProperty("sun.security.krb5.principal", USER);

              // Obtain Kerberos credentials through the "LdapChannelBinding" JAAS entry.
              // login() must be called before getSubject(), which otherwise returns null.
              LoginContext lc = new LoginContext("LdapChannelBinding", new TextCallbackHandler());
              lc.login();

              JndiAction jndiAction = new JndiAction();
              Subject.doAs(lc.getSubject(), jndiAction);
          }
      }

      class JndiAction implements java.security.PrivilegedAction<Object> {

          public Object run() {
              Hashtable<String, String> env = new Hashtable<>();

              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, LdapChannelBindingWithGSSAPI1.LDAPS_URL);
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              // Ask the LDAP provider to include tls-server-end-point channel binding in the GSSAPI bind
              env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
              env.put("com.sun.jndi.ldap.connect.timeout", "2000");

              try {
                  //InitialDirContext initialDirContext = new InitialDirContext(env);
                  InitialLdapContext ctx = new InitialLdapContext(env, null);
                  // Bind succeeded: read and print the root DSE attributes
                  Attributes attrs = ctx.getAttributes("");
                  System.out.println(attrs);
                  ctx.close();
              } catch (NamingException e) {
                  e.printStackTrace();
              }
              return null;
          }
      }

      4. On success the client is authenticated to the server and prints the attributes.
      Otherwise it fails with "[LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580]"
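What the client has to supply once "com.sun.jndi.ldap.tls.cbtype" selects "tls-server-end-point" is the RFC 5929 channel binding for the server's TLS certificate: the certificate's DER encoding hashed with the hash function of its own signature algorithm (with SHA-256 substituted when that signature uses MD5 or SHA-1), prefixed with "tls-server-end-point:" and carried as GSS-API channel-binding application data. The Python below is an added illustration of that computation; it is not code from the JDK change or from this issue. It parses only the signatureAlgorithm field with a minimal DER reader, and the certificate it runs against is a constructed skeleton with a dummy tbsCertificate and signature (enough to exercise the hash selection and the whole-DER hash), not a real certificate.

```python
import hashlib

# Signature algorithm OID -> hash used for tls-server-end-point (RFC 5929, 4.1):
# MD5 and SHA-1 signatures are mapped to SHA-256, all others keep their own hash.
SIGALG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption    -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption   -> SHA-256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1         -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def _read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form (first arc 0 or 1)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID of Certificate.signatureAlgorithm.algorithm from a DER-encoded certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, _, pos = _read_tlv(cert_body, 0)             # tbsCertificate (skipped)
    _, sigalg_body, _ = _read_tlv(cert_body, pos)   # signatureAlgorithm SEQUENCE
    tag, oid_value, _ = _read_tlv(sigalg_body, 0)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return _decode_oid(oid_value)

def tls_server_end_point(cert_der):
    """RFC 5929 tls-server-end-point binding: hash of the whole DER certificate."""
    oid = signature_algorithm_oid(cert_der)
    hash_name = SIGALG_OID_TO_HASH.get(oid)
    if hash_name is None:
        raise ValueError("unsupported signature algorithm OID " + oid)
    return hashlib.new(hash_name, cert_der).digest()

def gss_channel_binding_data(cert_der):
    """Application data placed in the GSS-API channel bindings: prefix + hash."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)

# --- constructed sample input (not a real certificate) ---------------------

def _der(tag, content):
    """Encode one DER TLV; supports lengths up to 65535."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes(2, "big") if n > 0xFF else bytes([n])
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def _encode_oid(dotted):
    """Encode a dotted OID (first arc 0 or 1) to content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_cert_skeleton(sigalg_oid):
    """Constructed Certificate { tbsCertificate, signatureAlgorithm, signature }
    with a dummy body and signature; only the outer structure is realistic."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                   # SEQUENCE { INTEGER 1 }
    sigalg = _der(0x30, _der(0x06, _encode_oid(sigalg_oid)) + _der(0x05, b""))  # { OID, NULL }
    sig = _der(0x03, b"\x00" + b"\xAB" * 8)                                 # BIT STRING, 0 unused bits
    return _der(0x30, tbs + sigalg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.12"):
        cert = constructed_cert_skeleton(oid)
        print(oid, "->", gss_channel_binding_data(cert).hex())
```

The two sample certificates show the rule that matters operationally: a SHA-1-signed certificate yields a 32-byte SHA-256 binding, while a SHA-384-signed one yields a 48-byte SHA-384 binding. A client that hashes with the wrong function produces a token the server rejects with the same error 49 / 80090346 seen above, so when debugging a channel-binding failure the server certificate's signature algorithm is the first thing to check.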


              • Assignee:
                abakhtin Alexey Bakhtin