AuthenticationException  in  DIGEST-MD5 in LDAP

Similar Messages

• Reuse the LDAP connection when Using SASL DIGEST-MD5

  I have problem to use the same ldap connection for multiple SASL authenticaiton.
  step1, LDAPConection conn=new LDAPCo...
  conn.conect()..
  step2, do a SASL DIGEST-MD5, successfully get a challenge from server and server confirmation after the response is correct.
  step3, I want to use the same connection for another authetincation of different user, some how the server did not give back the challenge and reject the authenticaiton request again.
  So my question is how can we reuse the same connection for SASL authentication?
  Any switch or reset on the LDAP connection or the LDAP server has to be configured in some way to take multiple authentication using the same connection?

  More than fifty people have read this post, but there are no replies as
  of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
  supported by the Novell CSharp library."
  danielnapierski;1995522 Wrote:
  > I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
  > using the Novell CSharp library. Can anyone explain how this is done,
  > or point me to a code example?
  >
  > I can connect, bind, and search this LDAP server using Apache Directory
  > Studio, so I know that my credentials are correct.
  >
  > Also, I have already used the Novell CSharp library for searching other
  > LDAP servers using simple authentication, and SSL, but never SASL
  > DIGEST-MD5.
  >
  > Thanks in advance for any help.
  danielnapierski
  danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
  View this thread: http://forums.novell.com/showthread.php?t=414964

• AD authentication using DIGEST-MD5: users have to reset password?

  We are using DIGEST-MD5 to authenticate users against Active Directory. Our application ask users for user name and password and pass them to the attached java code. The strange thing is that it works for about 98% of users and it won't work for 2% of users. For those 2% of users, they can login into our domain but the same password won't work for our application.
  We have found the workaround will be to ask those users to change their Windows password and after that they will be able to login.
  My question is why= changing a user's password will make a difference for those 2% users? I am really puzzled.
  Thanks!
  try {
  Hashtable authEnv = new Hashtable();
  //set security credentials, note using DIGEST-MD5
  //Requires user account to be stored with reversible encryption
  authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  authEnv.put(Context.PROVIDER_URL, ldapURL);
  authEnv.put(Context.REFERRAL,"follow"); // required
  authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
  authEnv.put(Context.SECURITY_PRINCIPAL, creds.getUsername());
  authEnv.put(Context.SECURITY_CREDENTIALS, creds.getPassword());
  DirContext ctx1 = new InitialLdapContext(authEnv,null);
  } catch (Exception ex) {
  logger.info("Error authenticating user " + creds.getUsername(), ex);
  throw new AuthenticationException("Authentication Failed for user " + creds.getUsername());
  }

  Make sure which version of AD you are using: AD 2000 or AD 2003. For AD 2000, reversible encryption is required and it's not secure. That's why lots administrators do not like it. But for AD 2003, there is no need for password to be stored in reversible way. But there is limitation as to the client application. What works for AD 2000 may not work for AD 2003. For details, you can check the link below:
  http://www.forumeasy.com/forums/thread.jsp?tid=115170863235&fid=ldapprof5&highlight=Why+DIGEST-MD5+Authentication+Does+Work
  which summarized all working and not-working cases of Digest-Md5 authentication for SunOne, AD 2000 and AD 2003. It's quite informative.

• Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

  I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
  digest-challenge:
  realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
  digest-response:
  username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

  Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
  example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
  The server also accepts a simple uid value.
  example: username="bgbrown"

• Using tls:sasl/DIGEST-MD5 with client authentication

  Hi
  Have installed a certificate on the server and enabled it. Using Netscape i got the cert7.db and key3.db
  These work with ldapsearch with -Z -p options to get data securely through port 636.
  But when i copy db file to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple
  i get :
  Mesg: Session error , no avalible connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
  Must i use Certificate based Authentication instead?
  Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files i got from Netscape?

  Im trying to get sasl/DIGEST-MD5 to work with Solaris 9 client. This command work:
  ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
  Client configured with this:
  ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
  Profile:
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
  NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
  NS_LDAP_SERVERS= 172.18.2.19
  NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
  NS_LDAP_AUTH= sasl/DIGEST-MD5
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_PROFILE= default
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_BIND_TIME= 10
  messages log on client:
  Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
  Jan 14 08:00:32 panzer last message repeated 1 time
  Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
  error log on server:
  [14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
  [14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
  Not sure why i get Invalid credentials, the passwords
  are stored in CLEAR. And you can see i use the same in ldapsearch and ldapclient.

• HOWTO Bind using SASL DIGEST-MD5?

  I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
  using the Novell CSharp library. Can anyone explain how this is done,
  or point me to a code example?
  I can connect, bind, and search this LDAP server using Apache Directory
  Studio, so I know that my credentials are correct.
  Also, I have already used the Novell CSharp library for searching other
  LDAP servers using simple authentication, and SSL, but never SASL
  DIGEST-MD5.
  Thanks in advance for any help.
  danielnapierski
  danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
  View this thread: http://forums.novell.com/showthread.php?t=414964

  More than fifty people have read this post, but there are no replies as
  of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
  supported by the Novell CSharp library."
  danielnapierski;1995522 Wrote:
  > I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
  > using the Novell CSharp library. Can anyone explain how this is done,
  > or point me to a code example?
  >
  > I can connect, bind, and search this LDAP server using Apache Directory
  > Studio, so I know that my credentials are correct.
  >
  > Also, I have already used the Novell CSharp library for searching other
  > LDAP servers using simple authentication, and SSL, but never SASL
  > DIGEST-MD5.
  >
  > Thanks in advance for any help.
  danielnapierski
  danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
  View this thread: http://forums.novell.com/showthread.php?t=414964

• SASL DIGEST-MD5

  Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
  I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials work fine.
  Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
  In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
  BTW: It fails the same way with NT4SP6 Server.

  Michael,
  Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
  You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
  Bertold

• SASL - Digest MD5 - JNDI Help needed

  Hi All,
  I am using Sunone Directory Server 5.2 and jsdk1.4.1. I tried the Digest-MD5 SASL authentication example given in JNDI tutorial and it worked fine. The problem is , when i try to run the same program thrice or more in succession, it hangs. Actually, the initial context gets created but the operations like simple getAttrs etc does not happen. what could be the problem or rather what is the solution to overcome it.
  Attached below is the sample source code used...
  try {
  Hashtable env = new Hashtable(11);
  env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://localhost:389/");
  env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
  env.put(Context.SECURITY_PRINCIPAL, "dn:uid=xxx,ou=xxx,dc=xxx,dc=xxx");
  env.put(Context.SECURITY_CREDENTIALS, "xxxxx");
  System.out.println("about to get context");
  DirContext ctx = new InitialDirContext(env);
  System.out.println("got context");
  Attributes attrs = ctx.getAttributes("ldap://localhost:389", new String[]{"supportedSASLMechanisms"});
  System.out.println(attrs);
  } catch (NamingException e) {
    e.printStackTrace();
  }thanks in advance
  sridhar

  As i have metioned , this was the message from the other forum
  I have posted the mail correspondences we had (hope they won't consider this as an offence)...
  There was a bug in the provider. It has been fixed in 1.4.2 and later
  releases.
  Rosanna Lee
  Java Software, Sun Microsystems, Inc
  [email protected]
  Date: Mon, 13 Oct 2003 04:46:49 +0100 (BST)
  From: anala sridhar <[email protected]>
  Subject: JNDI problem
  To: [email protected]
  Hi,
  First, I would like to thank everyone behind the
  excellent JNDI tutorial. It acted as the bible for my
  JNDI learning.
  I tried the sample code ServerSasl.java provided. I
  got it working after a few trials. I tried to get the
  supportedSasl Mechanisms by the Sunone Directory
  Server 5.2 . I got them. Then i tried to authenticate
  using the default Digest-MD5 (am using jsdk 1.4.1).
  When, i try to run the same program in succession, it
  hangs up (4 or 5 times in a row). I am getting the
  initial context with the credentials provided but it
  hangs at doing the simple getAttrs operation. What
  could be the problem?
  Please reply to this query
  thanks in advance
  sridhar

• Message Digest MD5 Problem

  My application downloads a zip file from given URL and also gets message digest (MD5) for the file.
  Then, it creates another message digest and compares them.
  I have tried files from tomcat.apache.org
  The results are below:
  apache-tomcat-6.0.20-deployer.zip (downloaded)
  1b3287c53a12e935a8c965b15af39f07 --> code from the website
  1b3287c53a12e935a8c965b15af39f7 --> code by the application
  apache-tomcat-6.0.20.zip (downloaded)
  714b973e98d47ec2df6d5e1486019f22 --> code from the website
  714b973e98d47ec2df6d5e148619f22 --> code by the application
  I could not understand why 0's are missing in my code. Should I try another files except from Apache?

  try{
               MessageDigest algo = MessageDigest.getInstance("MD5");
               algo.reset();
               algo.update(data);
               byte messageDigest[] = algo.digest();
               StringBuffer hexString = new StringBuffer();
               for (int i=0;i<messageDigest.length;i++) {
                    hexString.append(Integer.toHexString(0xFF & messageDigest));
       System.out.println(hexString.toString());
  catch(NoSuchAlgorithmException e) {
       e.printStackTrace();
  }I have got the content of the file in a byte array --> data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• What property is used to disable SASL's DIGEST-MD5 domain name check.

  I've read somewhere that I can prevent SASL's DIGEST-MD5 (maybe other mechanisms?) from checking that the hostname specified by the client exactly matches the hostname on the server. Apparently this option is useful in networks where DNS is not set up full and/or correctly.
  Thanks,
  Rowland

  Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

• Server Switching from STARTTLS to AUTH DIGEST-MD5

  We have been trying to track down the reason why our transaction against our Tumbleweed SMTP servers appear to be switching in midstream from STARTTLS to AUTH DIGEST-MD5 which causes us to get an authentication error. With Wire-shark, we have been capturing the transactions between the servers and CF appears it appears to be the culprit. I am hoping someone can shed some light on what is wrong or direct me on how I can further troubleshoot this issue.
  ---Enviroment --------------------------------------------------------------------------
  Windows Server 2003 Standard
  IIS6
  CF 9 Standard
  ---CFMail Tag -------------------------------------------------------------------------
  <cfmail to="#varTo#" from="#varFrom#" replyto="#varReplayTo#" subject="#varSubject#" useTLS="yes">Msg Body</cfmail>
  ---CF Admin Settings --------------------------------------------------------------
  Server: smtp.xxx123.com
  Port: 25
  User: defined
  Pwd: defined
  TLS: Enabled
  ---Mail Log -------------(two different emails: both bad)--------------
  "Error","scheduler-0","05/20/10","10:57:24",,"failed to connect"
  "Error","scheduler-0","05/20/10","10:57:25",,"Could not connect to SMTP host: smtp.xxx123.com, port: 25"
  ----Exception Log ----------------------------------------------------------------
  "Error","scheduler-2","05/19/10","14:03:22",,"failed to connect"
  javax.mail.AuthenticationFailedException: failed to connect
  at javax.mail.Service.connect(Service.java:322)
  at coldfusion.mail.MailSpooler.getConnection(MailSpooler.java:1199)
  at coldfusion.mail.MailSpooler.deliver(MailSpooler.java:984)
  at coldfusion.mail.MailSpooler.sendMail(MailSpooler.java:905)
  at coldfusion.mail.MailSpooler.deliverStandard(MailSpooler.java:1275)
  at coldfusion.mail.MailSpooler.run(MailSpooler.java:1240)
  at coldfusion.scheduling.ThreadPool.run(ThreadPool.java:201)
  at coldfusion.scheduling.WorkerThread.run(WorkerThread.java:71)
  ----Wire Shark Transaction(s) --------------------------------------------------
  ---Good------------(Red is our CF server replying)------
  220 RNR ESMTP
  EHLO CFxxx-123250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-AUTH DIGEST-MD5
  250-STARTTLS
  250-DELIVERBY
  250 HELP
  STARTTLS
  220 2.0.0 Ready to start TLS
  ---End Good---------------------------------------------------------------------------
  ---Bad--------- ---(Red is our CF server replying)---------------------------
  220 RNR ESMTP
  EHLO CFxxx-123
  250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-ETRN
  250-AUTH DIGEST-MD5
  250-STARTTLS
  250-DELIVERBY
  250 HELP
  AUTH DIGEST-MD5
  334

  I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
  idsconfig is which "Authentication Methods" the DS will support. The choices being:
  * none
  * simple
  * sasl/DIGEST-MD5
  * tls:simple
  * tls:sasl/DIGEST-MD5
  When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
  could have chosen more than one at that time, but I didn't. What I need to know is how to add support
  for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
  its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
  or caveats I should be aware of beforehand.

• AuthenticationNotSupportedException :SASL support not available DIGEST-MD5 while using JNDI, SASL

  I am using JNDI to use the SASL mechanism to authenticate to the Iplanet Directory server 5.0, and get the above error.
  I have enabled clear text passwords, and then created a test user.Here is the code snippet
       envEnterprise.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
            envEnterprise.put(Context.SECURITY_PRINCIPAL,"test");
            envEnterprise.put(Context.SECURITY_CREDENTIALS,"changed");
  Can you please help me with where it is that I need to make the appropriate changes to get this working
  Thanks,
  sriad

  Sriad,
  I think that the SECURITY_PRINCIPAL field requires a DN and not just a user name. If you created the user using the directory server console, then you can get the DN if you open double-click on the user entry and click on the Advanced... button. The user's DN will probably start with uid=test,dc=...
  I hope this helps.
  Bertold

• SASL's DIGEST-MD5 is causing the smtp authentication failure

  Hello,
  I've asked this question in JavaMail forums [at this link|http://kenai.com/projects/javamail/forums/forum/topics/2944-DIGEST-MD5-sasl-authentication-failing-after-verifying-rspauth] and was forwarded here.
  Basically, I'm trying to authenticate to the email server using JavaMail(latest source) via sasl's Digest-MD5.
  Problem: Looks like sasl's DigestMD5 implementation (com.sun.security.sasl.digest.DigestMD5Client) is returning a null after a successful authentication in evaluateChallenge(). The SMTPTransport thinks this is wrong and sends a "*" to server and the server responds with "Authentication aborted".
  The java doc for SaslClient's evaluateChallenge() says this..
  Returns: The possibly null reponse to send to the server. It is null if the challenge accompanied a "SUCCESS" status and the challenge only contains data for the client to update its state and no response needs to be sent to the server. The response is a zero-length byte array if the client is to send a response with no data.
  In this case, client do need to send a response with no data. I don't know if Digest-md5 implementation is generic and if it's behavior is correct.
  I appreciate any suggestions to solve this problem.
  Thanks

  Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

• Switching from tls:simple to tls:sasl/DIGEST-MD5

  How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
  TIA,
  Chris

  I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
  idsconfig is which "Authentication Methods" the DS will support. The choices being:
  * none
  * simple
  * sasl/DIGEST-MD5
  * tls:simple
  * tls:sasl/DIGEST-MD5
  When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
  could have chosen more than one at that time, but I didn't. What I need to know is how to add support
  for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
  its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
  or caveats I should be aware of beforehand.

• Iplanet ds 5.1sp4 + digest-md5 - slapd crash

  Sol9 bundled iplanet directory server with sp4 on Sparc.
  Everything is doing fine, until: when trying to connect into the directory with ms outlook 'secure password authentication' on, serverprocess crashes immediately. No coredumps, nothing left.
  Debugging shows, that outlook tries to bind with DIGEST-MD5, server tries it,
  responds with "auth failed", and crashes with internal authentication error..
  -> Almost everyone can DOS our servers, just knowing its address and clicking 'search'.
  Has anyone any suggestions?

  Ok, that might be it.
  So there is no patch nor documentation across it?
  Makes me wonder how many admins run their servers unaware of that bug..
  Thanks!