AD authentication using DIGEST-MD5: users have to reset password?
We are using DIGEST-MD5 to authenticate users against Active Directory. Our application asks users for a user name and password and passes them to the attached Java code. The strange thing is that it works for about 98% of users and it won't work for 2% of users. For those 2% of users, they can log in to our domain but the same password won't work for our application.
We have found the workaround is to ask those users to change their Windows password, and after that they will be able to log in.
My question is: why does changing a user's password make a difference for those 2% of users? I am really puzzled.
Thanks!
try {
    Hashtable<String, String> authEnv = new Hashtable<>();
    // set security credentials, note using DIGEST-MD5
    // requires the user account to be stored with reversible encryption
    authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    authEnv.put(Context.PROVIDER_URL, ldapURL);
    authEnv.put(Context.REFERRAL, "follow"); // required
    authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
    authEnv.put(Context.SECURITY_PRINCIPAL, creds.getUsername());
    authEnv.put(Context.SECURITY_CREDENTIALS, creds.getPassword());
    // the bind performed while creating the context is the authentication check;
    // close the context afterwards so the LDAP connection is not leaked
    DirContext ctx1 = new InitialLdapContext(authEnv, null);
    ctx1.close();
} catch (Exception ex) {
    logger.info("Error authenticating user " + creds.getUsername(), ex);
    throw new AuthenticationException("Authentication Failed for user " + creds.getUsername());
}
Make sure which version of AD you are using: AD 2000 or AD 2003. For AD 2000, reversible encryption is required and it's not secure. That's why lots of administrators do not like it. But for AD 2003, there is no need for the password to be stored in a reversible way. But there is a limitation as to the client application. What works for AD 2000 may not work for AD 2003. For details, you can check the link below:
http://www.forumeasy.com/forums/thread.jsp?tid=115170863235&fid=ldapprof5&highlight=Why+DIGEST-MD5+Authentication+Does+Work
which summarizes all working and not-working cases of DIGEST-MD5 authentication for SunOne, AD 2000 and AD 2003. It's quite informative.
Similar Messages
-
Can J2ME use Digest-MD5 Authentication?
We are writing a Java application with J2ME for cellphones which will use Microsoft MapPoint.net services that require Digest-MD5 authentication. Can J2ME use Digest-MD5 authentication?
Well, you can either implement it yourself or take a look at :
http://java.sun.com/products/jce/
You will probably not want the whole package, but I think you can have access to the sources, so... :-)
Anthony -
I am developing support for the DIGEST-MD5 SASL mechanism on a C LDAP client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0. After installing the Directory Server with the test database, I changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
digest-challenge:
realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
digest-response:
username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"
Found the answer. When the username is an LDAP DN it needs to be preceded by "dn:".
example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
The server also accepts a simple uid value.
example: username="bgbrown" -
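The following is an added example, not code from any of the posts: it implements the RFC 2831 DIGEST-MD5 response and the server-side check, feeding it the challenge, nonce and DN quoted in this thread together with a constructed password and directory entry. It shows the two points behind this thread and the Active Directory thread at the top of the page: the verifier must recompute MD5(username:realm:password) from the cleartext password (so the directory needs a reversible copy of it, and an existing one-way hash is useless until the user sets a new password), and the username is both part of that hash and the name the server looks up, so a bare DN is an unknown user unless it carries the "dn:" prefix.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the challenge, nonce and DN are the ones quoted in the
# post above; the password and directory entry are made up for this example.
CHALLENGE = ('realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",'
             'qop="auth",algorithm=md5-sess,charset=utf-8')
DIGEST_URI = "ldap/BGB2.ndp.provo.novell.com"
USER_DN = "uid=bgbrown,ou=people,dc=siroe,dc=com"
DIRECTORY = {USER_DN: ("bgbrown", "example-secret")}  # dn -> (uid, cleartext pw)

def parse_directives(text):
    """Split a DIGEST-MD5 challenge/response into a dict; values may be quoted."""
    out, key, val, in_value, quoted = {}, "", "", False, False
    for ch in text + ",":
        if in_value and quoted:            # inside "...": commas and '=' are literal
            quoted = ch != '"'
            val += "" if ch == '"' else ch
        elif in_value and ch == '"' and val == "":
            quoted = True
        elif in_value and ch == ",":       # end of one directive
            out[key.strip()], key, val, in_value = val, "", "", False
        elif in_value:
            val += ch
        elif ch == "=":
            in_value = True
        else:
            key += ch
    return out

def digest_response(user, realm, password, nonce, cnonce, nc, qop, uri, server=False):
    """RFC 2831 'response' (client) or 'rspauth' (server=True)."""
    # A1 starts with the *raw* MD5 of user:realm:password.  The verifier has to
    # recompute it from the cleartext password, which is why AD must store the
    # password with reversible encryption for DIGEST-MD5 to work at all.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ("" if server else "AUTHENTICATE") + ":" + uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1, ha2 = hashlib.md5(a1).hexdigest(), hashlib.md5(a2.encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def client_response(challenge, username, password, uri, cnonce=None):
    """Build the digest-response directives a client sends back for a challenge."""
    c = parse_directives(challenge)
    cnonce = cnonce or secrets.token_urlsafe(12)
    qop = "auth" if "auth" in c["qop"].split(",") else c["qop"].split(",")[0]
    fields = {"username": username, "realm": c["realm"], "nonce": c["nonce"],
              "cnonce": cnonce, "nc": "00000001", "qop": qop, "digest-uri": uri}
    fields["response"] = digest_response(username, c["realm"], password,
                                         c["nonce"], cnonce, "00000001", qop, uri)
    return fields

def lookup_password(username):
    """Server side: a 'dn:' prefix marks a DN, anything else is treated as a uid."""
    if username.startswith("dn:"):
        entry = DIRECTORY.get(username[3:])
        return entry[1] if entry else None
    return next((pw for uid, pw in DIRECTORY.values() if uid == username), None)

def server_verify(r):
    """Check a client's response dict; return (ok, rspauth) so the client can check the server."""
    pw = lookup_password(r["username"])
    if pw is None:  # unknown name, e.g. a bare DN without 'dn:' -> LDAP error 49
        return False, None
    args = (r["username"], r["realm"], pw, r["nonce"], r["cnonce"], r["nc"], r["qop"], r["digest-uri"])
    if not hmac.compare_digest(digest_response(*args), r["response"]):
        return False, None
    return True, digest_response(*args, server=True)
```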
WebLogic 7.0
I have read a number of questions on how to do these but not many answers, so
after figuring it all out, I thought I would post a message describing all these
tasks (It would be great if BEA would start something like 'HOW-TOs for Linux'
for WebLogic)
-1. Imports required:
import weblogic.jndi.Environment;
import weblogic.management.MBeanHome;
import weblogic.management.WebLogicObjectName;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.AuthenticationProviderMBean;
import weblogic.management.security.authentication.GroupEditorMBean;
import weblogic.management.security.authentication.UserEditorMBean;
import weblogic.management.security.authentication.UserPasswordEditorMBean;
import weblogic.security.providers.authentication.*;
0. Code to retrieve DefaultAuthenticatorMBean (this code is running inside WebLogic
server - I have it inside EJB):
DefaultAuthenticatorMBean authBean = null;
Context ctx = new InitialContext();
MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
// Find UserEditorMBean
DomainMBean dmb = mbeanHome.getActiveDomain();
SecurityConfigurationMBean scmb = dmb.getSecurityConfiguration();
RealmMBean rmb = scmb.findDefaultRealm();
AuthenticationProviderMBean[] providers = rmb.getAuthenticationProviders();
for (int i = 0; i < providers.length; i++) {
    if (providers[i] instanceof DefaultAuthenticatorMBean) {
        authBean = (DefaultAuthenticatorMBean) providers[i]; // cast the element, not the array
        break;
    }
}
1. Create/Drop/Update users
to perform these tasks, the user must be logged in to WebLogic and be in the Administrators
group. Then, the code is as follows:
create user: authBean.createUser(username, password, description);
remove user: authBean.removeUser(username);
change user's description: authBean.setUserDescription(username, newDescription);
remove user from group: authBean.removeMemberFromGroup(groupname, username);
add user to group: authBean.addMemberToGroup(groupname, username);
2. Change other users' passwords (MUST BE ADMIN TO DO THIS - by Admin I mean be
a member of Administrators group)
authBean.resetUserPassword(username, newPassword);
3. Change your own password:
this is a bit trickier, because if you are not an admin, you can't change your
own password!!!! This is a part that I personally don't understand - seems like
a screw up on BEA's part. So, to allow users to change their own passwords, you
must change security context in the middle of processing to that of Admin user
and run this function as Admin user. Although a bit awkward, it's very easy to
do. Suppose you have two EJBs - EJB A and EJB B. EJB A does normal processing
for the user and always runs in logged in user's security context. Now, suppose
you want to add a method to EJB A to change current password. The method may
look like:
public void changePassword(String logon, String oldpwd, String newpwd)
throws some exceptions
Now, there is no way to do it in EJB A, because for most users, it will run in
a 'non-admin' security context. So, to get around it, you create another
EJB - EJB B. This EJB has one method:
public void changePassword(String logon, String oldpwd, String newpwd)
throws some exceptions
and one major difference - this EJB always runs in a security context of admin
user. To get an EJB B running 'as admin user', all you have to do in EJB A is
the following
EJB A:
public void changePassword(String logon, String oldpwd, String newpwd) throws Exception {
    Hashtable<String, String> props = new Hashtable<>();
    props.put(Context.SECURITY_PRINCIPAL, "wlmanager");
    props.put(Context.SECURITY_CREDENTIALS, "password");
    // get a context with different (admin) credentials
    Context ctx = new InitialContext(props);
    EJBBHome home = (EJBBHome) ctx.lookup("EJBBHome");
    EJBBLocal adminEJB = home.create();
    adminEJB.changePassword(logon, oldpwd, newpwd);
    adminEJB.remove();
}
of course, this poses a problem of hardcoding user id and password for admin user
in your application - you can come up with your own ways to secure that.
THAT's IT!!! You can use the method explained in part 3 to allow non-admin users
to do pretty much everything, however for the sake of security, I would definitely
vote against it and use part 3 to ONLY allow users to change their own passwords
Enjoy
Andrey -
I have a similar question, I would like to edit the artwork for EACH episode in the podcast, as well as have one artwork for the entire podcast series. Any suggestions? This is a podcast that I've created -- I did the same thing for a TV Show where I was able to do custom artwork for each episode, but not one single artwork for the entire series. Does anyone have suggestions of how I should proceed?
Recap:
One image for entire Podcast Series (or TV show)
Different Set of Images for each episode in Podcast. (Understand how to do this in TV show)
Thanks! -
I'm installing iPS SP3a with iMS 5.1, iDS 4.16, iCS 5.0P4... (Sun ONE Starter Kit) on the Solaris 8 platform.
When I access the page for Messenger Express, with a non-default domain, (login: userID@domain) http://<server>, a black box with script running down it appears and the page is then left white with a message:
Loading: Please wait...
and with url:
http://<hostname>/my-domain/en/mail.html?sid=hes6bu6s3n35qm0&lang=en&cert=false
If I edit the url and delete my-domain, all work fine (http://<hostname>/en/mail.html?sid=hes6bu6s3n35qm0&lang=en&cert=false)
I created into <path to iMS>/msg-hostname/html/ a directory with same name of my-domain and copied the "default files and directories" of
<path to iMS>/msg-hostname/html/
to
<path to iMS>/msg-hostname/html/my-domain/
I followed the documentation and modified the "<path to iMS>/msg-hostname/html/main.js" file.
then, I restart all services (../start-msg )
It doesn't work and... I continue seeing the same message:
Loading: Please wait...
Is there some bug in iMS 5.1 that makes Messenger Express not work when
several domains are used?
Can somebody help me???
Thanks in advance.
Hi,
I think your issue is related to iMS, Please post your query in iMS forums.
Regards,
Raj_indts
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support. -
I inherited an iPad 2 from a friend that had passed away. I went to go and use it and discovered that no one knew her password for her iTunes account. Which poses a problem as I cannot wipe the iPad without it.
I cannot find "Other" devices. I found Apple Mobile Device under Universal Bus Controllers but cannot see "recovery mode" or any other status. I use Windows Vista.
When I try to restart Apple Mobile Device Service I get the following message: "The Apple Mobile Device Service on Local Computer started then stopped. Some services stop automatically if they are not in use by other services or programs". What does this mean?
During the last 48 hours I was able to see my iPad in iTunes only one time during many attempts to connect. I haven't been able to see it during the last several attempts.
Any suggestions? The standard suggestions have not worked: i.e. stop then start AMDS; turn off iPad and PC, then restart both and reconnect iPad to PC; reload iTunes. -
New user needs to reset password asking for old users password
Attn: My new Mac friends,
I just bought a Mac Pro with OS X already installed, and because it's a used Macintosh the old administrator's logon name appears and of course it's asking for the password.
I need to know how to reset the password and put my password in without the use of the OS X disc.
Or maybe clear the password at startup by entering ?
(What key on the keyboard do I press to enter the computer's system BIOS or administrator?)
thanks susan ([email protected])
Welcome to Apple discussions, Susan!
On a Mac you have to have the system disk in order to reset the administrator password. You should ask whoever you bought the system from to give you the disks. Without these you will be unable to fix many of the problems that occasionally arise. At the VERY least, you should be able to get the password from the person you bought it from.
Just for future reference Macs don't have anything equivalent to the BIOS. That is a PC thing.
Also this forum is for people who want to program on the Mac a much better forum would be the "Installation & Setup" forum under "Tiger"
http://discussions.apple.com/forum.jspa?forumID=752
Finally, it isn't a good idea to post your e-mail address in public forums like this. Spammers can, and do, read through and add your address to their lists. Additionally the expectation is that all answers will be made to the list, so that others can get the help as well. If you want people to be able to reach you directly, you can go to "My Settings" on the right and add your address there. It is much harder for spammers to get your address that way. If you want to know that someone has responded to your post, you can "subscribe" using the "My subscriptions" link, also on the right.
Enjoy your Mac! -
See above. My daughter had an iPhone on my account. She has not purchased anything for a while and is required to answer security questions. Cannot remember answers and it is threatening to lock the Apple ID. Help!
Welcome to the Apple Community.
Start here, and reset your security questions, you will receive an email to your rescue address, use the link in the email and reset your security questions.
If that doesn't help or you don't have a rescue address, you might try contacting Apple through iTunes Store Support -
It says sorry, your session has expired. Verizon said it is an "Apple" problem. I have tried many times!!
This can also happen when the internet/3g/4g connection is too slow. Time out errors happen when a website takes more than a certain amount of time to load. The time limit is usually long enough for any website with reasonable connection speed. You might try using a different wifi location. If you are using a computer with an ethernet port, try plugging the ethernet cord into the CPU.
-
Help, my email was hacked, now I can't get in at all. Can I reset the password through an alternate email?
You do realize that there are many, many email providers and without knowing which one you are talking about, there is no way to answer your question?
Which then leads to this ..... Have you contacted your email provider about this? That's probably the best place to start. See what they recommend. -
Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials work fine.
Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
BTW: It fails the same way with NT4SP6 Server.
Michael,
Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
Bertold -
AuthenticationException in DIGEST-MD5 in LDAP
Hi,
When I am trying to use DIGEST-MD5 as Context.SECURITY_AUTHENTICATION it shows the following exception.
Here is my code:
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class LdapAuth {
    public static void main(String[] args) {
        // Set up environment for creating initial context
        Hashtable<String, String> authEnv = new Hashtable<>(11);
        String userName = "sm0013391";
        String passWord = "East321";
        String base = "ou=people,dc=company,dc=com";
        // The principal is passed as a distinguished name; Active Directory does not
        // accept a DN as the DIGEST-MD5 username, which is what produces the error 49 below
        String dn = "sAMAccountName=" + userName + "," + base;
        authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        authEnv.put(Context.PROVIDER_URL, "ldap://company.com");
        authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        authEnv.put(Context.SECURITY_PRINCIPAL, dn);
        authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
        try {
            DirContext authContext = new InitialDirContext(authEnv);
            System.out.println("Authentication Success!");
            authContext.close();
        } catch (AuthenticationException authEx) {
            System.out.println("Authentication failed!");
            authEx.printStackTrace();
        } catch (NamingException namEx) {
            System.out.println("Something went wrong!");
            namEx.printStackTrace();
        }
    }
}
When I run this program it shows:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
at LdapAuth.main(LdapAuth.java:35)
Please, does anyone have an idea on this? I am using j2sdk1.4.1.
Is there any need to include any jar files in j2sdk1.4.1 to run this?
Need help on this.
Why don't you at least look up RFC 2251 and understand what LDAP Error 49 really means?
If you look at the post titled JNDI, Active Directory & Authentication (part 3) (Digest-MD5) available at http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
you will clearly see that submitting the distinguished name as the user's credential is not supported by Active Directory for Digest-MD5 authentication. -
Authentication using userCertificate and SASL External
Hi!
I try to authenticate using SASL "External" and SSL.
The SSL connection works fine, also SASL when using "Digest-MD5", but when I try to authenticate using "External" I get connected as anonymous.
Here is what I did:
I created a self-signed certificate with owner "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org".
My client has this certificate in its keystore.
The server has an entry with "dn=uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" and this entry has the userCertificate attribute, which also contains my self-signed certificate.
I edited the "certmap.conf" file like this:
certmap default default
default:DNComps
default:FilterComps uid
default:verifycert on
As I understood the manual, this means the server should search the directory for an RDN "uid=xyz" and check if the certificate of this user is the same as the one provided by the client. If it is, the client should get the permissions of this entry.
But in the logfile I always get this message:
conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
conn=4 SSL 128-bit RC4
conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=4 op=2 fd=1148 closed - A1
So, one possibility is I understood something completely wrong and the other is the server doesn't find the entry "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" because of some misconfiguration, or I need a user certificate which has been issued by a CA...
Can anyone help me?
Thanks a lot!
Florian
Nikolay,
Assuming you mean authentication to your developed application and not the HTML DB facilities, yes you can do that. Take a look at the custom_page_sentry function that appears on this forum in several threads, e.g., Re: NTLM with Cookies ... - is someone there After you change this function to meet your requirements (cookie names, etc.) and compile it in your application's schema, you'd create a new authentication scheme and type 'return custom_page_sentry;' into the page sentry function field. Then enter a URL to your site's login page into the Invalid Session URL field. Then make the new authentication scheme the current scheme. Of course, with this solution, you are responsible for making it as secure as you need it to be, preventing cookie forgery/theft, etc.
Scott -
How can I get a list of users with reset password ability?
We are trying to tighten our security, but thanks to the environment we are in this is a bigger task than it should be. As part of this I have been asked to get a list of users who have the ability to reset other users' passwords. There are the obvious suspects,
domain admins, service desk etc., but we also appear to have random people who can do this because of a requirement during test or development stages way back. Is there a way to get this? I looked at using PowerShell but there doesn't seem to be much out there
to give me a pointer; things like ADManager+ do not work, when I try to search on permissions it sits there doing nothing then crashes.
Is there a way to build a function using PowerShell that can do this or is there some third party cmdlet or app that will provide me this info?
Any help gratefully accepted.
Hi,
Based on my knowledge, apart from the users in the default groups such as Domain Admins and Enterprise Admins and so on, who have the ability to reset other users' passwords, we can use delegation of control to give other common users permission to reset passwords for others.
To view or delete Active Directory delegated permissions, please go through the article below:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
And if you were editing single user's security tab to give specific users reset password permissions, then I think we should create a script to get all those users, for scripting, please also post in the official scripting guys forum:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
Regards,
Yan Li -
Why do we have to change passwords every time we do something on the iPad?
Why do we have to reset passwords every time we do something on iPad?
You shouldn't have to. It sounds like you may have content on the device associated with more than one apple id. If that's the case then, you may be entering a password for one account when you should be entering another.
I would suggest using only one apple id username on the device and delete any content associated with another.