Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8245527

LDAP Channel Binding support for Java GSS/Kerberos

    XMLWordPrintable

    Details

      Backports

        Description

        Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS.

        https://support.microsoft.com/en-au/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

        When the option is enabled in the AD, then LDAPS connections from an authenticated client that use GSS will fail, with a message similar to:

        javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580

        How to reproduce:
        1. Test environment:
            - Windows Server 2012 R2, with Active Directory, Enterprise CA, LDAPS enabled.
            - Linux client : setup commands are attached
        2. Enable Channel Binding Enforcement (value=2) on the Windows LDAP server :
        Windows Registry Editor Version 5.00


        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LdapEnforceChannelBinding"=dword:00000002
        Refer to the following instructions for more information : https://support.microsoft.com/en-in/help/4034879
        2. Compile and run simple LDAP Client:
        public class LdapChannelBindingWithGSSAPI1 {

            public static String LDAPS_URL="ldaps://something.com";
            public static String USER="user";
            public static String KRB5CONFIG_FILE = "krb5.conf";
            public static String JAASCONFIG_FILE = "jaas.conf";

            public static void main(String[] args) throws LoginException, NamingException {
                System.setProperty("java.security.krb5.conf", KRB5CONFIG_FILE);
                System.setProperty("java.security.auth.login.config", JAASCONFIG_FILE);
                System.setProperty("sun.security.krb5.principal", USER);

                LoginContext lc = new LoginContext("LdapChannelBinding", new TextCallbackHandler());
                lc.login();

                JndiAction jndiAction = new JndiAction();
                Subject.doAs(lc.getSubject(), jndiAction);
            }
        }

        class JndiAction implements java.security.PrivilegedAction {

            public Object run() {
                Hashtable env = new Hashtable();

                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, LdapChannelBindingWithGSSAPI1.LDAPS_URL);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
                env.put("com.sun.jndi.ldap.connect.timeout", "2000");

                try {
                    //InitialDirContext initialDirContext = new InitialDirContext(env);
                    InitialLdapContext initialDirContext = new InitialLdapContext(env, null);
                    System.out.println(initialDirContext.getAttributes(""));
                } catch (NamingException e) {
                    e.printStackTrace();
                }
                return null;
            }
        }

        3. On success client authenticated to the server and prints attributes
        Otherwise fails with "[LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580]"

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                abakhtin Alexey Bakhtin
                Reporter:
                abakhtin Alexey Bakhtin
                Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: