1 Reply. Latest reply: Feb 2, 2012 4:22 AM by Michael-O

    Digest MD5 auth with JNDI with round robin

      Hi folks,

      I have some problems performing a SASL bind with Digest MD5 against an AD realm.
      Say this is the realm: realm.company.net

      If I try to connect against: ldap://realm.company.net:3268
      I get a javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece

      This canonical host is running dozens of replicating DCs in round-robin. I asked our AD experts and they said that is erroneous with Digest MD5. This would require setting an 'ldap/realm.company.net' SPN on each and every DC, which would violate the SPN uniqueness forest-wide.

      So, is this a bug in Sun's SaslClient which does not resolve the hostname's SRV records first?
      The same works flawlessly with GSS-API.


        • 1. Re: Digest MD5 auth with JNDI with round robin
          I have made some investigation. The RFC for Digest-MD5 says this about the host:

          The DNS host name or IP address for the service requested. The
          DNS host name must be the fully-qualified canonical name of the
          host. The DNS host name is the preferred form; see notes on server
          processing of the digest-uri.

          It stays unclear who has to do it but someone has to. Sun's DigestMd5SaslClient does not canonicalize the hostname. Therefore the auth fails. If I use GSS-API, the manager canonicalizes the GSSName for me. That's why it works. So folks, beware.

          Edited by: 910983 on 02.02.2012 02:22
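The thread's conclusion is that the DIGEST-MD5 client sends the name it was given as the digest-uri, so binding to the round-robin name produces a digest-uri that matches no DC's SPN. The example below, added here and not code from either poster, shows the client-side workaround that the discussion implies: look up the SRV records for the realm, pick one concrete DC, canonicalize its name, and only then perform the DIGEST-MD5 bind so that the digest-uri names a host that actually holds an SPN. The SRV name `_ldap._tcp.gc._msdcs.realm.company.net` (global catalog on port 3268), the credentials and the assumption that the DC's own fully-qualified name carries a matching `ldap/` SPN are all assumptions for illustration; the JNDI DNS and LDAP provider classes are the standard ones shipped with the JDK.

```java
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Resolves a round-robin AD realm to one canonical DC before a DIGEST-MD5 bind. */
public class CanonicalDigestMd5Bind {

    /** One SRV target: priority, weight, port, canonical host name. */
    static final class SrvTarget {
        final int priority, weight, port; final String host;
        SrvTarget(int priority, int weight, int port, String host) {
            this.priority = priority; this.weight = weight; this.port = port; this.host = host;
        }
    }

    /** Queries DNS SRV records through the JDK's JNDI DNS provider (no external library). */
    static List<SrvTarget> lookupSrv(String srvName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:");            // system resolver
        DirContext dns = new InitialDirContext(env);
        List<SrvTarget> targets = new ArrayList<>();
        try {
            Attribute srv = dns.getAttributes(srvName, new String[] {"SRV"}).get("SRV");
            if (srv == null) return targets;
            NamingEnumeration<?> values = srv.getAll();
            while (values.hasMore()) {
                // SRV rdata as returned by the DNS provider: "<priority> <weight> <port> <target>."
                String[] f = values.next().toString().trim().split("\\s+");
                String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
                targets.add(new SrvTarget(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                                          Integer.parseInt(f[2]), host));
            }
        } finally {
            dns.close();
        }
        // Lowest priority first, then highest weight; good enough for picking one DC.
        targets.sort(Comparator.comparingInt((SrvTarget t) -> t.priority)
                               .thenComparing(t -> -t.weight));
        return targets;
    }

    /**
     * Canonicalizes a host name the way the RFC expects the digest-uri to be built.
     * Assumption: reverse DNS (PTR) for the DCs is maintained, so the canonical name
     * returned here is the name the DC's ldap/ SPN is registered under.
     */
    static String canonicalize(String host) throws java.net.UnknownHostException {
        return InetAddress.getByName(host).getCanonicalHostName();
    }

    /** Performs the DIGEST-MD5 SASL bind against one concrete DC instead of the realm alias. */
    static DirContext bindDigestMd5(String canonicalHost, int port, String user, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The host in this URL becomes the digest-uri "ldap/<host>", so it must be a real DC name.
        env.put(Context.PROVIDER_URL, "ldap://" + canonicalHost + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Ask for integrity and confidentiality so the LDAP session is protected after the bind.
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        String realm = "realm.company.net";                      // assumed realm from the thread
        String srvName = "_ldap._tcp.gc._msdcs." + realm;        // assumed: global catalog SRV name
        List<SrvTarget> dcs = lookupSrv(srvName);
        if (dcs.isEmpty()) throw new IllegalStateException("no SRV records for " + srvName);
        SrvTarget chosen = dcs.get(0);
        String canonical = canonicalize(chosen.host);
        System.out.println("binding to " + canonical + ":" + chosen.port + " via DIGEST-MD5");
        DirContext ctx = bindDigestMd5(canonical, chosen.port, "user@" + realm, "hypothetical-password");
        try {
            System.out.println("bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

If the bind still fails with error 49 / 80090303 after this change, compare the canonical name the code computed against the `servicePrincipalName` values of that DC's computer object: the digest-uri must match one of them exactly, including case and trailing domain labels.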