Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-559

AdvancedLdapLoginModule: Service Principal is not constructed from java.naming.provider.url

    XMLWordPrintable

    Details

      Description

      When using org.jboss.security.negotiation.AdvancedLdapLoginModule chained with SPNEGO/Kerberos against Active Directory, the service principal specified in the TGS-REQ is ldap/foo.com, even though java.naming.provider.url is set to LDAP://dc1.foo.com.

      Because of this, the /Secured test in the jboss-negotiation-toolkit will fail to bind to AD/LDAP because the KDC returns an error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

      The correct service principal name that the TGS-REQ should request is LDAP/dc1.foo.com because dc1.foo.com is what was provided in java.naming.provider.url.

        Attachments

          Activity

            People

            Assignee:
            dlofthouse Darran Lofthouse
            Reporter:
            jar349 John Ruiz (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: