Enable LdapEnforceChannelBinding in Java based applications
Microsoft introduced an 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS. After this has been enabled in AD, Java applications which use Kerberos/LDAP authentication receive the following error from the server.

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580 

My code uses LoginContext to authenticate and DirContext with GSSAPI security mechanism.

Is there a way to enable channel binding in Java code to fix this issue?

Woolcott answered 15/1, 2020 at 16:56 Comment(6)
You don't need TLS when you use Kerberos. Simply require qop=auth-conf. - Oberammergau
Please follow: mail.openjdk.java.net/pipermail/security-dev/2019-December/… - Oberammergau
We tried the above options, but they are not working. Using qop=auth-conf with an LDAP connection is fine and it provides integrity and privacy protection. But we are using LDAPS. With LDAPS, if you enable LDAP channel binding (value=2), then we are getting the above error. Is there any Java library/API that supports "LDAP Channel Binding"? - Byrnes
@Michael-O, what if we want to use LDAPS with Kerberos? - Byrnes
@Byrnes Technically, I see no benefit if you use AES256. - Oberammergau
@pasabsb have you found a solution? - Carnet

This is a known issue with OpenJDK and is supposedly implemented in JDK 16, which is in early access but is planned to be backported to JDK 8, though I haven't gotten it to work yet.

Here is the bug report: https://bugs.openjdk.java.net/browse/JDK-8245527

See my issue here for more details: LDAPS Channel Binding with GSS

Jaret answered 16/10, 2020 at 15:50 Comment(0)
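As an added example (not the asker's or the answerer's code), this is how the two approaches discussed on this page can be wired into a JNDI environment: plain LDAP with Kerberos integrity and confidentiality via qop=auth-conf (the comment's advice), or LDAPS with the com.sun.jndi.ldap.tls.cbtype property that the JDK-8245527 fix introduced. The host name and the JAAS entry name "ldap-client" are assumptions, and the LDAPS branch only works on a JDK that carries that fix.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class LdapChannelBindingClient {

    /** Builds the JNDI environment for a Kerberos (GSSAPI) bind to AD. */
    static Hashtable<String, String> buildEnv(boolean useLdaps) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        if (useLdaps) {
            // Assumed host name. With LdapEnforceChannelBinding=2 on the DC the bind
            // fails with data 80090346 unless the client sends channel binding data;
            // this property (added by JDK-8245527) makes JNDI/JGSS send it.
            env.put(Context.PROVIDER_URL, "ldaps://dc01.example.test:636");
            env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        } else {
            // Plain LDAP: the Kerberos SASL layer provides integrity and
            // confidentiality, so no TLS and therefore no channel binding is involved.
            env.put(Context.PROVIDER_URL, "ldap://dc01.example.test:389");
            env.put("javax.security.sasl.qop", "auth-conf");
        }
        return env;
    }

    public static void main(String[] args) throws LoginException, NamingException {
        boolean useLdaps = args.length > 0 && args[0].equals("ldaps");
        // "ldap-client" is an assumed JAAS configuration entry using Krb5LoginModule.
        LoginContext lc = new LoginContext("ldap-client");
        lc.login();
        Hashtable<String, String> env = buildEnv(useLdaps);
        try {
            // The bind must run as the Kerberos-authenticated subject.
            DirContext ctx = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
            System.out.println("Bound OK to " + env.get(Context.PROVIDER_URL));
            ctx.close();
        } catch (PrivilegedActionException e) {
            throw (NamingException) e.getException();
        } finally {
            lc.logout();
        }
    }
}
```

Run with the argument ldaps to exercise the channel-binding branch; without it, the client falls back to the LDAP plus auth-conf setup suggested in the comments.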
