kerberos authentication doesn't work against windows 2003 AD...

Kent Wu kwu at xsigo.com
Tue Aug 30 19:07:23 EDT 2005


Hi guys,

	Thanks for all the input I've got so far. And 
I've figured out the reason behind it. The reason is that
in the last ldap_sasl_bind_s() step, AD 2000 accepts a 
DN format like "kwu at blabla.COM", however AD 2003 only 
accepts a format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
Not sure why AD 2003 wants to change this criterion, however 
after I used the latter format it was working fine. 

	The error message "Invalid credentials" was 
referring to the wrong DN instead of a bad password/key. 
I was thinking in the totally opposite direction before, and 
all of a sudden I came across this "wrong DN" idea!

Cheers.

-Kent

On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
> Hi guys,
> 
> I wrote a program to authenticate 
> users against Windows 2000 AD using the MIT 
> Kerberos/GSSAPI SDK as well as the SUN LDAP SDK. Basically 
> what I did was authenticate users against AD 
> using Kerberos before doing LDAP search operations. 
> It was working perfectly until I wanted to migrate the 
> 2000 AD to 2003 a week ago. 
> 
> While doing Kerberos authentication against 
> AD 2003, the last step, ldap_sasl_bind_s(), always 
> returns "invalid credentials" even though I've successfully 
> got the TGT as well as the service ticket for LDAP (AD 2003). If
> I type "klist" right before the last ldap_sasl_bind_s() step, 
> I can see the following and it looks fine.
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> 
> Default principal: KWU at DOMAIN
> 
> Valid starting     Expires            Service principal
> 08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/DOMAIN at DOMAIN
>         renew until 08/30/05 18:09:59
> 08/29/05 18:10:01  08/30/05 04:09:59  ldap/AD-HOSTNAME.DOMAIN at DOMAIN
>         renew until 08/30/05 18:09:59
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
> 
> However it still fails in the last ldap_sasl_bind_s() call.
> 
> My calling sequence is like this: 
> 
> 1. Use Kerberos APIs to get/store the TGT.
> 2. Use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
> (ldap_sasl_bind_s()) to engage Kerberos authentication. 
> Basically I pass "GSSAPI" to the ldap_sasl_bind_s() call and it 
> requires a loop (a couple of handshaking steps) to complete
> the whole authentication process. It was working all well until
> the last ldap_sasl_bind_s() call....
> 
> I've looked high and low on the internet and tried a variety of 
> configurations on both the client and server side, however ended up
> with nothing. It's so weird that it works fine with AD 2000 but not 
> 2003....
> 
> Can anyone help me out by sharing his/her own experience or 
> pointing me in the right direction?
> 
> Thanks a lot in advance!
> 
> -Kent
-- 
Kent Wu <kwu at xsigo.com>
XSIGO INC.
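The thread turns on LDAP result 49 ("Invalid credentials") being ambiguous: it covered a rejected bind DN, not a bad password or key. Active Directory usually appends a sub-code to the diagnostic text of such failures ("... AcceptSecurityContext error, data 52e, ..."), and the helper below (an added example, not code from this thread or from either SDK) extracts that sub-code and explains it, treating the no-sub-code case the way Kent's GSSAPI bind turned out to need. The sample diagnostic strings and the DSID value in the test are constructed; the sub-code meanings are Microsoft's documented values.

```python
import re
from typing import NamedTuple, Optional

# Sub-codes Active Directory appends to LDAP result 49 (invalidCredentials)
# in its diagnostic message. Documented Microsoft values, not from the thread.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the "data 52e" fragment; the hex sub-code may be upper or lower case.
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

LDAP_INVALID_CREDENTIALS = 49


class BindDiagnosis(NamedTuple):
    result_code: int
    subcode: Optional[str]   # lower-cased AD sub-code, or None if absent
    meaning: str


def diagnose_bind_failure(result_code: int, diagnostic_message: str) -> BindDiagnosis:
    """Explain an LDAP bind failure from its result code and AD diagnostic text.

    result_code is the LDAP result code; diagnostic_message is the server-supplied
    text (may be empty, as it often is for a failed SASL/GSSAPI bind).
    """
    if result_code != LDAP_INVALID_CREDENTIALS:
        return BindDiagnosis(result_code, None,
                             f"LDAP result {result_code}: not an invalidCredentials error")
    match = _DATA_RE.search(diagnostic_message or "")
    if match is None:
        # No sub-code: result 49 alone cannot separate a bad password from a
        # bind DN / name form the server refuses, so check both.
        return BindDiagnosis(LDAP_INVALID_CREDENTIALS, None,
                             "invalidCredentials without AD sub-code: verify the bind "
                             "DN/name form as well as the password or Kerberos ticket")
    sub = match.group(1).lower()
    meaning = AD_BIND_SUBCODES.get(sub, f"unknown AD sub-code {sub}")
    return BindDiagnosis(LDAP_INVALID_CREDENTIALS, sub, meaning)
```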

