JDK-8245527

LDAP Channel Binding support for Java GSS/Kerberos

      Description

      Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS.

      https://support.microsoft.com/en-au/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

      When the option is enabled on the AD server, LDAPS connections that authenticate with GSSAPI (Kerberos) fail with a message similar to:

      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580

      How to reproduce:
      1. Test environment:
          - Windows Server 2012 R2, with Active Directory, Enterprise CA, LDAPS enabled.
          - Linux client: setup commands are attached
      2. Enable Channel Binding Enforcement (value=2) on the Windows LDAP server:
          Windows Registry Editor Version 5.00

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
          "LdapEnforceChannelBinding"=dword:00000002
      Refer to the following instructions for more information: https://support.microsoft.com/en-in/help/4034879
      3. Compile and run the simple LDAP client below:
      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.NamingException;
      import javax.naming.ldap.InitialLdapContext;
      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import com.sun.security.auth.callback.TextCallbackHandler;

      public class LdapChannelBindingWithGSSAPI1 {

          public static String LDAPS_URL="ldaps://something.com";
          public static String USER="user";
          public static String KRB5CONFIG_FILE = "krb5.conf";
          public static String JAASCONFIG_FILE = "jaas.conf";

          public static void main(String[] args) throws LoginException, NamingException {
              // Point the Kerberos and JAAS subsystems at the attached configuration files.
              System.setProperty("java.security.krb5.conf", KRB5CONFIG_FILE);
              System.setProperty("java.security.auth.login.config", JAASCONFIG_FILE);
              System.setProperty("sun.security.krb5.principal", USER);

              // "LdapChannelBinding" is the name of the login entry in jaas.conf.
              LoginContext lc = new LoginContext("LdapChannelBinding", new TextCallbackHandler());
              lc.login();

              // Run the LDAP bind with the Kerberos credentials of the logged-in subject.
              JndiAction jndiAction = new JndiAction();
              Subject.doAs(lc.getSubject(), jndiAction);
          }
      }

      class JndiAction implements java.security.PrivilegedAction<Object> {

          public Object run() {
              Hashtable<String, Object> env = new Hashtable<>();

              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, LdapChannelBindingWithGSSAPI1.LDAPS_URL);
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              // Ask the GSSAPI bind to include "tls-server-end-point" channel binding data.
              env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
              env.put("com.sun.jndi.ldap.connect.timeout", "2000");

              try {
                  //InitialDirContext initialDirContext = new InitialDirContext(env);
                  InitialLdapContext initialDirContext = new InitialLdapContext(env, null);
                  // On a successful bind, print the root DSE attributes.
                  System.out.println(initialDirContext.getAttributes(""));
              } catch (NamingException e) {
                  e.printStackTrace();
              }
              return null;
          }
      }

      4. On success the client authenticates to the server and prints the root DSE attributes.
      Otherwise it fails with "[LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580]"
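      As an added illustration (not part of the bug report and not the JDK's own implementation), the following standalone Java program computes the "tls-server-end-point" channel binding data that the com.sun.jndi.ldap.tls.cbtype setting above asks the GSSAPI client to include. Following RFC 5929 section 4.1, it hashes the server's DER-encoded certificate with the hash function of the certificate's signature algorithm, substituting SHA-256 when that hash is MD5 or SHA-1, and refuses algorithms whose name does not reveal a single hash (such as RSASSA-PSS). The host name dc.example.test is a placeholder, and the handshake uses the JVM's default trust store, so the AD certificate chain must already be trusted by the client.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example: derives the RFC 5929 "tls-server-end-point" channel binding
 * data for an LDAPS server certificate. This is not the JDK's implementation.
 */
public class TlsServerEndPoint {

    /*
     * Maps a JCA signature algorithm name (e.g. "SHA256withRSA", as returned by
     * X509Certificate.getSigAlgName()) to the MessageDigest the binding must use.
     * RFC 5929 4.1: MD5 and SHA-1 are replaced by SHA-256; any other single hash
     * is used as-is.
     */
    static String channelBindingDigest(String sigAlgName) throws NoSuchAlgorithmException {
        String name = sigAlgName.toUpperCase(Locale.ROOT);
        int idx = name.indexOf("WITH");
        if (idx <= 0) {
            // e.g. "RSASSA-PSS": the hash is carried in the algorithm parameters,
            // not in the name, so refuse rather than guess.
            throw new NoSuchAlgorithmException("cannot derive a hash from " + sigAlgName);
        }
        String hash = name.substring(0, idx);
        if (hash.equals("MD5") || hash.equals("SHA1") || hash.equals("SHA-1")) {
            return "SHA-256";
        }
        // Normalise "SHA256"/"SHA384"/"SHA512" to the JCA names "SHA-256" etc.
        if (hash.startsWith("SHA") && !hash.startsWith("SHA-") && !hash.startsWith("SHA3")) {
            hash = "SHA-" + hash.substring(3);
        }
        MessageDigest.getInstance(hash); // fails fast if this JDK has no such digest
        return hash;
    }

    /* The binding data itself: the digest of the DER-encoded server certificate. */
    static byte[] channelBindingData(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance(channelBindingDigest(cert.getSigAlgName()));
        return md.digest(cert.getEncoded());
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /* Connects to an LDAPS port, reads the leaf certificate and prints the binding. */
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dc.example.test"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("server signature alg : " + leaf.getSigAlgName());
            System.out.println("binding digest       : " + channelBindingDigest(leaf.getSigAlgName()));
            System.out.println("tls-server-end-point : " + hex(channelBindingData(leaf)));
        }
    }
}
```

      The server compares the binding data the client sends inside the GSS token with the hash of the certificate it actually presented on the TLS connection. With LdapEnforceChannelBinding=2 a bind that carries no binding data, or data derived from a different certificate (for example one presented by a TLS-intercepting proxy), is rejected with the 80090346 error quoted above; that is why the JNDI property has to be set for the connection to succeed against a hardened domain controller.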

              People

              • Assignee: Alexey Bakhtin (abakhtin)
              • Reporter: Alexey Bakhtin (abakhtin)