kerberos authentication doesn't work agsint windows 2003 AD...

[Kent Wu]

Hi guys,

I used to write a program to authenticate 
users against windows 2000 AD by using MIT 
Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically 
what I did is to authenticate users against AD by 
using kerberos before doing LDAP search operations. 
It was working perfectly until I wanted to migrate the 
2000 AD to 2003 a wk ago. 

While doing kerberos authentication against 
AD 2003, the last step of ldap_sasl_bind_s() always 
returns "invalid credentials" even though I've successfully 
got TGT as well as the service ticket for LDAP (AD 2003). If
I type "klist" right before the last ldap_sasl_bind_s() step, 
I can see the followings and it's looking look.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Default principal: KWU at DOMAIN

Valid starting     Expires            Service principal
08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/DOMAIN at DOMAIN
        renew until 08/30/05 18:09:59
08/29/05 18:10:01  08/30/05 04:09:59  ldap/AD-HOSTNAME.DOMAIN at DOMAIN
        renew until 08/30/05 18:09:59

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 

However it still fails in the last ldap_sasl_bind_s() call.

My calling sequence is like this: 

1. use Kerberos APIs to get/store TGT.
2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
(ldap_sasl_bind_s()) to engage kerberos authentication. 
Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it 
requires a loop (a couple of handshaking steps) to complete
the whole authentication process. It was working all good until
the last ldap_sasl_bind_s() call....

I've looked high and low on the internet and tried variety of 
configurations in both client and server side however ended up
nothing. It's so weird that it works fine with AD 2000 but not 
2003....

Can anyone help me out by sharing his/her own experience or 
pointing me to the right direction?

Thanks a lot in advance !

-Kent