SASL binding with SSL encryption

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Tue Oct 27 21:55:36 EDT 2009


> -----Original Message-----
> From: Ryan Lynch [mailto:ryan.b.lynch at gmail.com] 
> Sent: Tuesday, October 27, 2009 11:14 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: SASL binding with SSL encryption
> 
> A suggestion, from my past experiences: Have you confirmed 
> that your "ping-pong" results are always coming from the same 
> AD domain controller? If not, try tracing the packet traffic, 
> or just increasing your client-side debug verbosity. If the 
> success vs. failure results can be correlated to different 
> DCs, this may be a configuration issue on one of your DCs.

I have tried SASL binding with SSL encryption (unsuccessfully) against two different ADs. One is on Windows 2003 Server, and the other is on Windows 2000 Server. The 2003 server and the 2000 server are different domain controllers. In contrast, when the same thing is done against AD on Windows 2008 Server (patched with hotfix http://support.microsoft.com/kb/957072), it works perfectly.

Therefore, I guess the problem is due to some bug in Windows 2000/2003 Server. By the way, tracing network packets is quite hard for SASL binding with SSL encryption, because all the packets are encrypted, not plain LDAP ones.

Thanks,
Xu Qiang



