kerberos authentication doesn't work agsint windows 2003 AD...

swbell kerygma2 at swbell.net
Fri Sep 16 18:21:29 EDT 2005 

in article 1125443243.11580.26.camel at jurassic.mvcorp.xsigo.com, Kent Wu at
kwu at xsigo.com wrote on 8/30/05 6:07 PM:

For the principal name format to work when binding, the user's Active
Directory record must have that string in the userPrincipalName attribute.
Some domains that got migrated from NT 4 don't have this info set.

> Hi guys,
> 
> Thanks for all the inputs I've got so far. And
> I've figured out the reason behind it. The reason is that
> in the last ldap_sasl_bind_s() step, AD 2000 accepts the
> DN format like "kwu at blabla.COM" however AD 2003 only
> accepts format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
> Not sure why AD 2003 wants to change this criterion however
> after I used the latter format it was working fine.
> 
> The error message "Invalid credentials" was
> referring to the wrong DN instead of bad password/key.
> I was thinking in the total opposite direction before and
> all of sudden I came across this "wrong DN" idea!
> 
> Cheers.
> 
> -Kent
> 
> On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
>> Hi guys,
>> 
>> I used to write a program to authenticate
>> users against windows 2000 AD by using MIT
>> Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically
>> what I did is to authenticate users against AD by
>> using kerberos before doing LDAP search operations.
>> It was working perfectly until I wanted to migrate the
>> 2000 AD to 2003 a wk ago.
>> 
>> While doing kerberos authentication against
>> AD 2003, the last step of ldap_sasl_bind_s() always
>> returns "invalid credentials" even though I've successfully
>> got TGT as well as the service ticket for LDAP (AD 2003). If
>> I type "klist" right before the last ldap_sasl_bind_s() step,
>> I can see the followings and it's looking look.
>> 
>> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> 
>> Default principal: KWU at DOMAIN
>> 
>> Valid starting     Expires            Service principal
>> 08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/DOMAIN at DOMAIN
>>         renew until 08/30/05 18:09:59
>> 08/29/05 18:10:01  08/30/05 04:09:59  ldap/AD-HOSTNAME.DOMAIN at DOMAIN
>>         renew until 08/30/05 18:09:59
>> 
>> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> 
>> However it still fails in the last ldap_sasl_bind_s() call.
>> 
>> My calling sequence is like this:
>> 
>> 1. use Kerberos APIs to get/store TGT.
>> 2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
>> (ldap_sasl_bind_s()) to engage kerberos authentication.
>> Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it
>> requires a loop (a couple of handshaking steps) to complete
>> the whole authentication process. It was working all good until
>> the last ldap_sasl_bind_s() call....
>> 
>> I've looked high and low on the internet and tried variety of
>> configurations in both client and server side however ended up
>> nothing. It's so weird that it works fine with AD 2000 but not
>> 2003....
>> 
>> Can anyone help me out by sharing his/her own experience or
>> pointing me to the right direction?
>> 
>> Thanks a lot in advance !
>> 
>> -Kent
>> 
>> 
>> 
>> 
>>

More information about the Kerberos mailing list