
Microsoft introduced a 'LdapEnforceChannelBinding' option requiring clients to provide channel binding information in order to connect to AD over SSL/TLS. After this has been enabled in AD, Java applications which use Kerberos/LDAP authentication receive the following error from the server.

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580 

My code uses LoginContext to authenticate and DirContext with GSSAPI security mechanism.

Is there a way to enable channel binding in Java code to fix this issue?

pasanbsb
  • You don't need TLS when you use Kerberos. Simply require `qop=auth-conf`. – Michael-O Jan 18 '20 at 20:39
  • Please follow: http://mail.openjdk.java.net/pipermail/security-dev/2019-December/021052.html – Michael-O Jan 18 '20 at 20:40
  • We tried the above options but they are not working. Using qop=auth-conf with an LDAP connection is fine & it provides integrity & privacy protection. But we are using LDAPS. With LDAPS, if you enable LDAP channel binding (value=2), then we are getting the above error. Is there any Java library/API that supports "LDAP Channel Binding"? – jasmin9891 Feb 03 '20 at 06:00
  • @Michael-O, what if we want to use LDAPS with Kerberos? – jasmin9891 Feb 05 '20 at 10:10
  • @jasmin9891 Technically, I see no benefit if you use AES256. – Michael-O Feb 05 '20 at 10:21
  • @pasanbsb have you found a solution? – typik89 May 04 '20 at 21:07

1 Answer


This is a known issue with OpenJDK and is supposedly implemented in JDK 16, which is in early access, but is planned to be backported to JDK 8, though I haven't gotten it to work yet.

Here is the bug report: https://bugs.openjdk.java.net/browse/JDK-8245527

See my issue here for more details: LDAPS Channel Binding with GSS

thetechnician94