Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SASL binding with SSL encryption

0 views
Skip to first unread message

Xu, Qiang (FXSGSC)

unread,
Oct 27, 2009, 1:56:28 AM10/27/09
to kerb...@mit.edu
Hi, all:

I am using Mozilla LDAP library to do SASL binding with SSL encryption against Active Directory. To make it work, it is necessary to set the security option "maxssf=0".

Still, in testing against AD in Windows 2003 Server (or Windows 2000 Server), the binding result is good and bad alternatively, exhibiting a pingpong style. In contrast, if I do the same test against AD in Windows 2008 Server, the binding is always good.

Is a known issue of AD in Windows 2003/2000 Server, and if there is any patch available? Just want to see if anyone in this list has had the same experience as mine.

Thanks,
Xu Qiang

Ryan Lynch

unread,
Oct 27, 2009, 11:13:54 AM10/27/09
to Xu, Qiang (FXSGSC), kerb...@mit.edu
On Tue, Oct 27, 2009 at 01:56, Xu, Qiang (FXSGSC)
<Qian...@fujixerox.com> wrote:
> Still, in testing against AD in Windows 2003 Server (or Windows 2000 Server), the binding result is good and bad alternatively, exhibiting a pingpong style. In contrast, if I do the same test against AD in Windows 2008 Server, the binding is always good.

A suggestion, from my past experiences: Have you confirmed that your
"ping-pong" results are always coming from the same AD domain
controller? If not, try tracing the packet traffic, or just increasing
your client-side debug verbosity. If the success vs. failure results
can be correlated to different DCs, this may be a configuration issue
on one of your DCs.

-Ryan

Xu, Qiang (FXSGSC)

unread,
Oct 27, 2009, 9:55:36 PM10/27/09
to Ryan Lynch, kerb...@mit.edu
> -----Original Message-----
> From: Ryan Lynch [mailto:ryan.b...@gmail.com]
> Sent: Tuesday, October 27, 2009 11:14 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerb...@mit.edu
> Subject: Re: SASL binding with SSL encryption
>
> A suggestion, from my past experiences: Have you confirmed
> that your "ping-pong" results are always coming from the same
> AD domain controller? If not, try tracing the packet traffic,
> or just increasing your client-side debug verbosity. If the
> success vs. failure results can be correlated to different
> DCs, this may be a configuration issue on one of your DCs.

I have tried sasl binding with ssl encryption (unsuccessfully) against two different ADs. One in Windows 2003 Server, and the other is in Windows 2000 Server. This 2003 server and 2000 server are different domain controllers. In contrast, when the same thing is done against AD in Windows 2008 Server (patched with hotfix http://support.microsoft.com/kb/957072), it works perfectly.

Therefore, I guess the problem is due to some bug in Windows 2000/2003 Server. By the way, tracing network packets is quite hard for sasl binding with ssl encryption, coz all the packets are encrypted, not plain LDAP ones.

Thanks,
Xu Qiang

0 new messages