AD LDS with DIGEST-MD5 can not connect

Benjamin Leonard
Greenhorn

Joined: May 15, 2009
Posts: 4
We are now starting to use the LDS but we have an issue with the DIGEST-MD5 bindings.

This binding is working fine with the Proxy user (synchronized with the AD) but not with a specific LDS user.

Here is the code I use to test the login with both types of user:





We've taken a look at different sources and we checked that supportedSASLMechanisms contains the DIGEST-MD5 format.
We also added ADAMDisableSSI=0 like the documentation says.
But the login failed with MD5; we are able to see the log of what happens (see below).
The error is AcceptSecurityContext error, data 52e, which means that the password does not fit.
What we think is that for DIGEST-MD5 to work, the client's password must be stored using reversible encryption so that the authentication agent (AD) can retrieve the password in clear text and then calculate the hash H().

But how to do it?

We would appreciate it if someone could give us a clue on this topic.

Thanks and regards
Benjamin Léonard



LOG of MD5 exchange
-> W8GVB723:389

0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5


<- W8GVB723:389

0000: 30 84 00 00 01 30 02 01 01 61 84 00 00 01 27 0A 0....0...a....'.
0010: 01 0E 04 00 04 00 87 82 01 1C 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 72 63 34 22 2C 61 6C 67 6F 72 69 3des,rc4",algori
0050: 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E 6F 6E thm=md5-sess,non
0060: 63 65 3D 22 2B 55 70 67 72 61 64 65 64 2B 76 31 ce="+Upgraded+v1
0070: 66 31 64 38 65 31 34 66 38 66 30 65 62 38 34 36 f1d8e14f8f0eb846
0080: 30 34 34 61 61 36 64 39 61 64 32 31 32 30 62 34 044aa6d9ad2120b4
0090: 32 38 64 61 63 37 62 30 30 64 36 61 63 62 30 31 28dac7b00d6acb01
00A0: 36 33 31 34 65 32 36 35 31 64 39 34 34 30 61 66 6314e2651d9440af
00B0: 36 64 36 36 39 39 66 61 62 37 32 38 62 61 61 32 6d6699fab728baa2
00C0: 31 33 32 61 32 65 37 34 62 62 37 64 32 66 38 62 132a2e74bb7d2f8b
00D0: 62 66 34 64 61 63 33 32 32 62 64 30 36 31 36 32 bf4dac322bd06162
00E0: 22 2C 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C ",charset=utf-8,
00F0: 72 65 61 6C 6D 3D 22 67 6C 61 76 65 72 62 65 6C realm="glaverbel
0100: 2E 63 6F 6D 22 2C 72 65 61 6C 6D 3D 22 43 4E 3D .com",realm="CN=
0110: 44 4D 5A 41 75 74 68 65 6E 74 69 63 61 74 69 6F DMZAuthenticatio
0120: 6E 2C 44 43 3D 67 6C 61 76 65 72 62 65 6C 2C 44 n,DC=glaverbel,D
0130: 43 3D 63 6F 6D 22 C=com"


-> W8GVB723:389

0000: 30 82 01 75 02 01 02 60 82 01 6E 02 01 03 04 00 0..u...`..n.....
0010: A3 82 01 65 04 0A 44 49 47 45 53 54 2D 4D 44 35 ...e..DIGEST-MD5
0020: 04 82 01 55 63 68 61 72 73 65 74 3D 75 74 66 2D ...Ucharset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 43 47 42 31 8,username="CGB1
0040: 30 30 36 31 22 2C 72 65 61 6C 6D 3D 22 67 6C 61 0061",realm="gla
0050: 76 65 72 62 65 6C 2E 63 6F 6D 22 2C 6E 6F 6E 63 verbel.com",nonc
0060: 65 3D 22 2B 55 70 67 72 61 64 65 64 2B 76 31 66 e="+Upgraded+v1f
0070: 31 64 38 65 31 34 66 38 66 30 65 62 38 34 36 30 1d8e14f8f0eb8460
0080: 34 34 61 61 36 64 39 61 64 32 31 32 30 62 34 32 44aa6d9ad2120b42
0090: 38 64 61 63 37 62 30 30 64 36 61 63 62 30 31 36 8dac7b00d6acb016
00A0: 33 31 34 65 32 36 35 31 64 39 34 34 30 61 66 36 314e2651d9440af6
00B0: 64 36 36 39 39 66 61 62 37 32 38 62 61 61 32 31 d6699fab728baa21
00C0: 33 32 61 32 65 37 34 62 62 37 64 32 66 38 62 62 32a2e74bb7d2f8bb
00D0: 66 34 64 61 63 33 32 32 62 64 30 36 31 36 32 22 f4dac322bd06162"
00E0: 2C 6E 63 3D 30 30 30 30 30 30 30 31 2C 63 6E 6F ,nc=00000001,cno
00F0: 6E 63 65 3D 22 59 6F 7A 64 36 35 2F 4F 68 48 6B nce="Yozd65/OhHk
0100: 51 32 36 32 66 6A 47 72 5A 7A 68 4F 48 4E 41 42 Q262fjGrZzhOHNAB
0110: 6E 56 5A 77 4A 54 34 79 46 7A 42 50 49 22 2C 64 nVZwJT4yFzBPI",d
0120: 69 67 65 73 74 2D 75 72 69 3D 22 6C 64 61 70 2F igest-uri="ldap/
0130: 57 38 47 56 42 37 32 33 22 2C 6D 61 78 62 75 66 W8GVB723",maxbuf
0140: 3D 36 35 35 33 36 2C 72 65 73 70 6F 6E 73 65 3D =65536,response=
0150: 34 36 65 30 62 38 39 32 31 34 33 38 32 61 64 37 46e0b89214382ad7
0160: 39 30 66 35 66 62 33 65 30 33 62 39 63 36 62 63 90f5fb3e03b9c6bc
0170: 2C 71 6F 70 3D 61 75 74 68 ,qop=auth


<- W8GVB723:389

0000: 30 84 00 00 00 68 02 01 02 61 84 00 00 00 5F 0A 0....h...a...._.
0010: 01 31 04 00 04 58 38 30 30 39 30 33 30 43 3A 20 .1...X8009030C:
0020: 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D 30 43 LdapErr: DSID-0C
0030: 30 39 30 34 44 30 2C 20 63 6F 6D 6D 65 6E 74 3A 0904D0, comment:
0040: 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC
0050: 6F 6E 74 65 78 74 20 65 72 72 6F 72 2C 20 64 61 ontext error, da
0060: 74 61 20 35 32 65 2C 20 76 31 64 62 30 00 ta 52e, v1db0.


Benjamin
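
Added example, not part of the original post: the digest-response in the trace follows RFC 2831, and this Java program recomputes the `response` value from the directives a client sent plus the password the client was configured with, which shows whether the client side hashed the username, realm and password it was expected to. The class and helper names are hypothetical, the input is the worked example from RFC 2831 section 4 rather than the trace above, and `qop=auth` with no `authzid` is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;

public class DigestMd5Check { // hypothetical name, added for illustration
    // Split a digest-response into directives; quoted values may contain commas and '='.
    static Map<String, String> parse(String directives) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = Pattern.compile("([A-Za-z-]+)=(?:\"([^\"]*)\"|([^,]*))").matcher(directives);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }
    static byte[] md5(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    // RFC 2831 section 2.1.2.1: A1 starts with the raw 16 bytes of H(username:realm:password).
    // ASCII-only values assumed; the RFC's ISO-8859-1/UTF-8 charset rules are not handled here.
    static String expectedResponse(Map<String, String> d, String password) throws Exception {
        byte[] secret = md5(utf8(d.get("username") + ":" + d.get("realm") + ":" + password));
        String ha1 = hex(md5(secret, utf8(":" + d.get("nonce") + ":" + d.get("cnonce"))));
        String ha2 = hex(md5(utf8("AUTHENTICATE:" + d.get("digest-uri"))));
        return hex(md5(utf8(ha1 + ":" + d.get("nonce") + ":" + d.get("nc") + ":"
                + d.get("cnonce") + ":" + d.get("qop") + ":" + ha2)));
    }
    public static void main(String[] args) throws Exception {
        // Directives and password ("secret") are the RFC 2831 section 4 example, not site data.
        String sent = "charset=utf-8,username=\"chris\",realm=\"elwood.innosoft.com\","
                + "nonce=\"OA6MG9tEQGm2hh\",nc=00000001,cnonce=\"OA6MHXh6VqTrRk\","
                + "digest-uri=\"imap/elwood.innosoft.com\","
                + "response=d388dad90d4bbd760a152321f2143af7,qop=auth";
        Map<String, String> d = parse(sent);
        String expected = expectedResponse(d, "secret");
        System.out.println("expected=" + expected + " match=" + expected.equals(d.get("response")));
    }
}
```

The realm is part of the hashed secret, so the same username and password produce a different `response` for each realm the server offers.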
 