Bytes IT Community

Error in binding ADAM using windows account

Hi All,

I am trying to bind to an ADAM instance with a Windows user through JNDI, and it keeps failing. My ADAM and AD are running on the same Windows 2k3 server.
But through LDP I am able to bind with the same Windows user and browse the entire tree successfully.

The error is as below:


Kerberos username [CHOUKSE]:
Kerberos password for CHOUKSE: password
Context initialization attempt failed
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 56, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.nortel.kerberos.action.JndiAction.performJndiOperation(JndiAction.java:63)
at com.nortel.kerberos.action.JndiAction.run(JndiAction.java:27)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.nortel.kerberos.cli.KerberosAuthenticator.main(KerberosAuthenticator.java:87)

My code is as follows:


package com.nortel.kerberos.cli;

import java.security.PrivilegedAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.nortel.kerberos.handler.KerberosCallBackHandler;

// Class names follow the stack trace above (KerberosAuthenticator / JndiAction);
// the JAAS login-configuration entry is looked up by this class's name, so the
// two must agree or the LoginContext constructor fails.
public class KerberosAuthenticator
{
    public static void main(String[] args) {

        // 1. Log in (to Kerberos) through JAAS. The Krb5LoginModule is selected
        //    by the entry named after this class in the JAAS configuration file.
        LoginContext lc = null;
        try
        {
            lc = new LoginContext(KerberosAuthenticator.class.getName(),
                new KerberosCallBackHandler());
            // Attempt authentication (obtains the TGT from the KDC)
            lc.login();
        }
        catch (LoginException le) {
            System.err.println("Authentication attempt failed " + le);
            System.exit(-1);
        }

        // 2. Perform JNDI work as the logged-in subject, so the GSSAPI SASL
        //    bind can pick up the Kerberos credentials held in the Subject
        Subject.doAs(lc.getSubject(), new JndiAction(args));
    }
}

class JndiAction implements PrivilegedAction<Void>
{
    private final String[] args;

    public JndiAction(String[] origArgs)
    {
        this.args = origArgs.clone();
    }

    public Void run()
    {
        performJndiOperation(args);
        return null;
    }

    private static void performJndiOperation(String[] args)
    {
        String dn;

        // Set up environment for creating initial context
        Hashtable<String, String> env = new Hashtable<String, String>();

        env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.sun.jndi.ldap.LdapCtxFactory");

        // Must use fully qualified hostname: the GSSAPI SASL client forms the
        // Kerberos service principal (ldap/<host>) from the host in this URL
        env.put(Context.PROVIDER_URL,
            "ldap://ac007899.shell.com:50000");

        // Request the use of the "GSSAPI" SASL mechanism.
        // Authenticate by using already established Kerberos credentials.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        // Optional first argument is a comma-separated list of auth, auth-int,
        // auth-conf; optional second argument is the DN whose attributes to read
        if (args.length > 0) {
            env.put("javax.security.sasl.qop", args[0]);
        }
        dn = (args.length > 1) ? args[1] : "O=Nortel,C=CA";

        try
        {
            /* Create initial context: the SASL bind happens here */
            DirContext ctx = new InitialDirContext(env);

            System.out.println(ctx.getAttributes(dn));

            // Close the context when we're done
            ctx.close();
        }
        catch (NamingException e)
        {
            System.err.println("Context initialization attempt failed");
            e.printStackTrace();
        }
    }
}
package com.nortel.kerberos.handler;

import javax.security.auth.callback.*;
import java.io.IOException;
import java.io.BufferedReader;
import java.io.InputStreamReader;

/**
 * KerberosCallBackHandler: a callback handler for use with SASL. Used with
 * KerberosAuthenticator.java. The Krb5LoginModule asks for the principal
 * name and password through NameCallback and PasswordCallback.
 */
public class KerberosCallBackHandler implements CallbackHandler
{
   public void handle( Callback[] callbacks ) throws java.io.IOException,
         UnsupportedCallbackException
   {
      for (int i = 0; i < callbacks.length; i++)
      {
         if (callbacks[i] instanceof NameCallback)
         {
            NameCallback cb = (NameCallback) callbacks[i];
            cb.setName( getInput( cb.getPrompt() ) );
         }
         else if (callbacks[i] instanceof PasswordCallback)
         {
            PasswordCallback cb = (PasswordCallback) callbacks[i];

            // PasswordCallback wants a char[], which the login module clears
            String pw = getInput( cb.getPrompt() );
            cb.setPassword( pw.toCharArray() );
         }
         else
         {
            throw new UnsupportedCallbackException( callbacks[i] );
         }
      }
   }

   /**
    * A reader from Standard Input. In real world apps, this would typically
    * be a TextComponent or similar widget.
    */
   private String getInput( String prompt ) throws IOException
   {
      System.out.print( prompt );
      BufferedReader in = new BufferedReader( new InputStreamReader(
            System.in ) );
      return in.readLine();
   }
}
Here is my krb5.conf file; please check in case I am missing anything.

#krb5.conf
[libdefaults]
    default_realm = SHELL.COM
    default_checksum = rsa-md5

[realms]
    SHELL.COM = {
          kdc = ac007899.shell.com
          admin_server = ac007899.shell.com
          default_domain = shell.com
    }

[domain_realm]
    .shell.com = SHELL.COM
    shell.com = SHELL.COM

[appdefaults]
    kinit = {
          renewable = true
          forwardable = true
    }
I am able to authenticate to AD with the following changes in the code:

// Connect to the AD instance
String ldapURL = "ldap://ac007899.shell.com:389";
env.put(Context.PROVIDER_URL, ldapURL);
....
// Specify the base for the search
dn = "DC=shell,DC=com";

Please let me know if I am missing anything.
Please help me out; I am stuck with this problem.
Dec 6 '07 #1
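The text inside the JNDI exception above follows a fixed layout that Active Directory and ADAM share: an SSPI HRESULT (8009030C), a DSID, a comment naming the server-side call that failed (AcceptSecurityContext) and a "data" field that is a Win32 error code written in hexadecimal. The decoder below is an added example, not code from the post or from Sun's JNDI provider. It uses the poster's message as constructed sample input, looks both codes up in short tables built from winerror.h and sspi.h, and flags the data values that mean the account itself is in a bad state rather than that the credential was wrong; the second sample message with data 52e is also constructed.

```python
"""Decode the diagnostic string Active Directory / ADAM attaches to an LDAP
bind failure (result code 49, invalidCredentials)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the exception text quoted in the post above.
POSTED_MESSAGE = ("[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090441, "
                  "comment: AcceptSecurityContext error, data 56, vece]")

# SSPI HRESULTs (sspi.h) that lead the diagnostic string.
SSPI_HRESULTS = {
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
}

# The "data" field is a Win32 error code (winerror.h) printed in hex, so
# "data 56" is 0x56 = 86 and "data 52e" is 0x52E = 1326.
WIN32_DATA = {
    0x056: "ERROR_INVALID_PASSWORD (86): the specified network password is not correct",
    0x525: "ERROR_NO_SUCH_USER (1317): user not found",
    0x52E: "ERROR_LOGON_FAILURE (1326): user name or password is incorrect",
    0x530: "ERROR_INVALID_LOGON_HOURS (1328): logon not permitted at this time",
    0x531: "ERROR_INVALID_WORKSTATION (1329): logon not permitted from this workstation",
    0x532: "ERROR_PASSWORD_EXPIRED (1330): password expired",
    0x533: "ERROR_ACCOUNT_DISABLED (1331): account disabled",
    0x701: "ERROR_ACCOUNT_EXPIRED (1793): account expired",
    0x773: "ERROR_PASSWORD_MUST_CHANGE (1907): user must change password at next logon",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT (1909): account locked out",
}

# Data codes that describe the account's state rather than the credential.
ACCOUNT_STATE_CODES = {0x530, 0x531, 0x532, 0x533, 0x701, 0x773, 0x775}

_RESULT = re.compile(r"error code (?P<code>\d+)")
# The trailing "vece" / "v1db1" build marker is deliberately not matched.
_DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)")


@dataclass
class BindFailure:
    """Fields recovered from one exception message; None where absent."""
    result_code: Optional[int] = None
    hresult: Optional[int] = None
    hresult_name: Optional[str] = None
    dsid: Optional[str] = None
    comment: Optional[str] = None
    data: Optional[int] = None
    data_name: Optional[str] = None

    def summary(self) -> str:
        if self.hresult is None:
            return f"LDAP result {self.result_code}; no AD diagnostic present"
        return (f"LDAP result {self.result_code}; {self.hresult_name} "
                f"(0x{self.hresult:08X}); {self.comment}; "
                f"data 0x{self.data:X} = {self.data_name}")


def decode(message: str) -> BindFailure:
    """Parse the JNDI/AD text; messages without the AD tail still decode."""
    m = _RESULT.search(message)
    failure = BindFailure(result_code=int(m.group("code")) if m else None)
    d = _DIAG.search(message)
    if d is None:
        return failure
    failure.hresult = int(d.group("hresult"), 16)
    failure.hresult_name = SSPI_HRESULTS.get(failure.hresult, "unlisted SSPI HRESULT")
    failure.dsid = d.group("dsid")
    failure.comment = d.group("comment")
    failure.data = int(d.group("data"), 16)
    failure.data_name = WIN32_DATA.get(failure.data, "unlisted Win32 error")
    return failure


def is_account_state_problem(failure: BindFailure) -> bool:
    """True when the bind was refused because of the account's state
    (expired, disabled, locked, hours or workstation restriction)."""
    return failure.data in ACCOUNT_STATE_CODES


if __name__ == "__main__":
    print(decode(POSTED_MESSAGE).summary())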