Change password in Active Directory using the JNDI GSS-API/Kerberos

Similar Messages

• Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

  Hello,
  I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
  but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
  *javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
  *If anyone can help me figure out why it doesn't work, that would be great!*
  P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
  Here's my java code:
  {code}import javax.naming.*;
  import javax.security.auth.*;
  import java.security.PrivilegedAction;
  import java.io.UnsupportedEncodingException;
  public void changeSecret((String uid, String oldPassword, String newPassword)
       throws NamingException, ACException{
  try {
       K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
       LoginContext lc = new LoginContext("marker", cb);
       lc.login();
       Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
       catch(LoginException e) {
       try {
            lc.logout();
       catch(LoginException e) {
  }ChangePasswordAction.java is:import javax.naming.*;
  import javax.naming.naming.directory.*;
  import java.io.UnsupportedEncodingException;
  private class ChangePasswordAction implements PrivilegedAction {
       private String uid;
       private String quotedOldPassword;
       private String quotedNewPassword;
       public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
       public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                 DirContext ctx = new InitialDirContext(env);
                 ModificationItem[] mods = new ModificationItem[2];
                 byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                 byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                 mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                 ctx.modifyAttributes(uid, mods);
                 ctx.close();
            } catch (NamingException e) {
            } catch (UnsupportedEncodingException e) {
            return null;
  }K5CallbackHandler is:import javax.security.auth.callback.*;
  final class K5CallbackHandler
  implements CallbackHandler {
       private final String name;
       private final char[] passwd;
       public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if(pw == null) {
                 passwd = new char[0];
            else {
                 passwd = pw.toCharArray();
       public void handle(Callback[] callbacks)
       throws java.io.IOException, UnsupportedCallbackException {
            for(int i = 0; i < callbacks.length; i++) {
                 if(callbacks[i] instanceof NameCallback) {
                      NameCallback cb = (NameCallback) callbacks;
                      cb.setName(name);
                 else {
                      if(callbacks[i] instanceof PasswordCallback) {
                           PasswordCallback cb = (PasswordCallback) callbacks[i];
                           cb.setPassword(passwd);
                      else {
                           throw new UnsupportedCallbackException(callbacks[i]);
  }The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
  marker {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;

  This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
  My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
  Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
  In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
  Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
  //Eg. auth-conf; confidentiality, auth-int; integrity
  //confidentiality is required to set a password
  env.put("javax.security.sasl.qop","auth-conf");
  //require high strength 128 bit crypto
  env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
  You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
  Good luck.

• How to change password in Active Directory from a Mac

  When loggin into Active Directory I can enter my password without a problem, but I am required to change it periodically and I can't see an option for changing the password. Does anyone have experience with this on their Mac when accessing Active Directory?
  Thanks

  In the accounts section of system preferences there should be a Change Password… button next to to your account picture. That's how we do it in Tiger, but it should work in Leopard too.

• Creating MailBox-enabled Users In Active Directory Using JNDI

  Thanks to the Various code samples i have come across in this forum i have been able to use the JNDI API to add a new user to the Microsoft Active directory.
  The user account that was added using a combination of the various code samples was already enabled. but the problem is that the user does not have an Exchange MailBox created/enabled as well.
  When attempts were made to access the users IMAP mailbox from an external webmail client, the following message:
  "No Such Object On The Server"
  Was Recieved.
  I am wondering wether there is an attribute i am missing out. or something.
  i would welcome any suggestions.
  please treat as urgent.
  thank you in anticipation
  Below is the list of attributes i set:
  BasicAttributes ba=new BasicAttributes();
  ba.put(new BasicAttribute("userPrincipalName","[email protected]"));
  ba.put(new BasicAttribute("sAMAccountName","fagu"));
  ba.put(new BasicAttribute("title","Anyhow"));
  ba.put(new BasicAttribute("mail","[email protected]"));
  ba.put(new BasicAttribute("mailNickname","fagu"));
  ba.put(new BasicAttribute("objectClass","user"));
  ba.put(new BasicAttribute("displayName","Festus Agu"));
  ba.put(new BasicAttribute("sn","Agu"));
  ba.put(new BasicAttribute("userAccountControl","66048"));
  //ba.put(new BasicAttribute("unicodePwd ","fagu"));
  ba.put(new BasicAttribute("mDBUseDefaults","TRUE"));
  ba.put(new BasicAttribute("homeMTA","CN=Microsoft MTA,CN=XSOCKET2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=SocketWorks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=socketworkscorp,DC=localdomain"));
  ba.put(new BasicAttribute("msExchHomeServerName", "/o=SocketWorks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XSOCKET2"));
  ba.put(new BasicAttribute("distinguishedName","CN=Festus"));

  I am trying to create a MailBox enabled user in AD.I am setting all the attributes that are mentioned above.
  Still i am unable to create a user.I guess i am messing up with password and getting error "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB,
  problem 5003 (WILL_NOT_PERFORM), data 0"
  Is it that SSL is must to create a user.I saw a certificate on Exchange server.But i am using a simple protocal to create a user.
  Please help me with the steps needed to create a user if i have to use SSL or is there is any settings to be turned on the server.
  Thanks!!
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             

• HT4759 My iCloud email address and my apple ID are different. I would like to change my iCloud to be the same as my apple ID. However I don't know my iCloud password and don't use the email address it belongs to. When I try to change the password, apple b

  My iCloud email address and my apple ID are different. I would like to change my iCloud to be the same as my apple ID. However I don't know my iCloud password and don't use the email address it belongs to. When I try to change the password, apple brings me to a page to reset my apple ID password (which I know and don't want to change). I have even tried to delete my iCloud account completely to start again but am not allowed without the iCloud password (which I don't have) there doesn't seem to be a place to change the email address of iCloud. What can I do?

  This is the answer that I had expected, so in this case you could only change your gmail.com address to another providers email addres e.g. outlook.com, yahoo.com, etc., but you won't be able to change the gmail.com address to a icloud.com email address. Apple just won't let you do that.
  Your iCloud account with @icloud.com email address and you Apple ID with gmail.com address are already connected and as I said before, Apple just let you merge this two IDs together.

• I just set an administrators name (my full name) and password for parental controls (using the one I always use) and now after restarting and trying to make changes to aprental controls it does not recognize my password

  I just set an administrators name (my full name) and password for parental controls (using the one I always use) and now after restarting and trying to make changes to aprental controls it does not recognize my password

  Hello, do you have another admin account to log into for a test?

• I changed my Apple ID and password. When I use the Apple ID it still show up at old Apple ID. I can't login or purchase anything

  I changed my Apple ID and password. When I use the Apple ID it still show up at old Apple ID. I can't login or purchase anything??? What can I do??

  Hi,
  I had this problem too. Log out on everything you can be logged on with your apple id. After that log in with your new email and password. Hope it helps!

• Portal Password Reset - Active Directory - Urgent

  Friends
  We are using SAP Portal 6.0 SP 18.  The Portal UME data source has been configured with Microsoft ADS.
  Now we have an requirement to change the user Password in the Active Directory from the Portal.
  How can we achieve this...?  I am OK even to do some development for this.
  Please let me know the mechanism.

  You can use the UME API to change your own password on a Microsoft Active Directory server, but before that please see the SAP note 876938. Also please see the SAP note 613577, this note have an attachment, it is very helpful. Useful blog <a href="https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1789">User management API in WebDynpro</a> for how to use UME API's.
  Regards,
  Nitin

• Problem in provisioning user from oim to active directory using ssl

  hi,
  problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
  15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
  15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
  AvailableAD():simple bind failed: 172.16.30.35:636
  15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
  me problems: Must set a query before executing
  com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
  at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
  at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
  at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.co
  nnectToAvailableNextAD(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.se
  archResultPageEnum(Unknown Source)
  at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
  known Source)
  at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
  ce)
  at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi
  on.run(Unknown Source)
  at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
  ource)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.j
  ava:520)
  can any one help.
  Thanks and Regards,
  praveen,

  Are you able to connect to AD over SSL through some LDAP Browser ?
  Check the validity of Certificate ?
  Does your certificate appear in the list ?

• How to save hr data in Active directory  using abap

  Hi all
  can any one please help me out how to save hr data in Active directory using LDAP connector
  please help as this is very urgent requirement
  thanks in advance
  Thanks
  Chanti

  What form do you have the user's name in ?
  ANTIPODES\alberteString searchFilter = "(&(objectClass=user)(samAccountName=alberte))";[email protected] searchFilter = "(&(objectClass=user)(userPrincipalName=[email protected]))";Albert EinsteinString searchFilter = (&(objectClass=user)(givenName=Albert)(sn=Einstein))";or using Ambiguous Name Resolution (anr)String searchFilter = "(&(objectClass=user)(anr=Albert Einstein))";or it's even clever enough to useString searchFilter = "(&(objectClass=user)(anr=Einstein Albert))";

• How to add or modify an entry using the JNDI

  Hi all,
  Usually I have used the netscape library to write directory application, now I have to use the JNDI ...
  Could I have some examples about the add modify and delete entry on the directory?
  Thanks a lot!
  M@x

  Download the LDAP Service provider at http://java.sun.com/products/jndi/index.html#download_ldap
  It has some example code too

• Can you set up a new I Tunes account, but still use the same email address, as having problems with it keep telling me it has been disabled, no matter what I do to chnage the passwords, I haven't used the account since 2010?

  can you set up a new I Tunes account, but still use the same email address, as having problems with it keep telling me it has been disabled, no matter what I do to change the passwords, I haven't used the account since 2010?

  Hi eddinchina,
  You should have no need to use the Old Sync account.
  As long as device or devices are Firefox 29 or later (They should all be Firefox 30 now) you should use the New Sync.
  You may use the same email address with both accounts.

• HT5463 I changed  password but can not use new password on phone. Why?

  I changed  password but can not use new password on phone. Why?

  Start with the Settings app
  Settings > iTunes and App Store > tap on your Apple ID and then tap on Sign Out
  Then sign in with your correct Apple ID and password.

• Our granddaughter has a ipod. She's getting a iphone and a mini idpad.  what is the best way to set them up. Does she need a new apple id and password or would she use the same one she has for her ipod

  our granddaughter has a ipod. She's getting a iphone and a mini idpad.  what is the best way to set them up. Does she need a new apple id and password or would she use the same one she has for her ipod

  Just use the same one on all devices.

• How to save HR data in Active Directory using ABAP i.e thru LDAP Connector

  Hi All,
         Can any one please help me out how
         to save HR data in Active directory
         using LDAP Connector ?             
         Please help ASAP as it is very urgent .
  Thanks
  Jitendra

  There are 100 of such scripts are there online.
  here are few tips and codes. you will get more.  
  https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
  http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
  Please mark this as answer if it helps