Active Directory LDAPS and Java 181 LDAPS Verification

active-directory ssl ldap java
7,052

We hit the same issue and there are few solutions to fix this.

Root cause: It would only NOT work when you use the pool hostname.

  • Fix 1: Include -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to your application JAVA_OPTS and restart the tomcat/application server. This is to avoid strict end point verification.

  • Fix 2: Use the exact host name (FQDN) mentioned in LDAPS presentation certificate.

Know your LDAPS server FQDN: openssl s_client -connect [LDAPS server IP/DNS]:636. Try to connect LDAPS server using IP/DNS. It displays the exact FQDN in CN= attribute. Use that FQDN to configure LDAPS server.

  • Fix 3: Import the LDAPS presentation certificate (not the root or intermediate) in the application server.
Share:
7,052
Kyle Brandt
Author by

Kyle Brandt

Updated on September 18, 2022

Comments

  • Kyle Brandt
    Kyle Brandt over 1 year

    Java 8u181 (Java 8 Update 181) enhances security around LDAPS connections:

    Change: Improve LDAP support Endpoint identification has been enabled on LDAPS connections. To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable endpoint identification algorithms. JDK-8200666 (not public)

    One of these enhancements seem to be checking that the domain name is on the certificate. However, the default behavior of Active Directory seems to be to only have the name for the AD server that happens to be returned under the many A records of the AD domain name - and it seems rare that clients will support a list of hosts.

    I also see this pattern outside of Java (i.e. Go programs will check this now as well see Go 1.10 release notes on Certificate.Verify).

    There is a somewhat intimidating technet article on getting names on the cert in a way that will be renewed: https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

    I'm sure I'm not the only one here running into this:

    1. Has anyone had success in either adding the name to the cert, or maybe using a load balancer in front of LDAPS for generic non-AD specific LDAP clients?
    2. Does anyone know if Microsoft is on this issue in any way that might have changes coming in the future that make "disable verification and wait" a sane tactic?
    • Kyle Brandt
      Kyle Brandt over 5 years
      lol, and also Impacting my Internal Jira instance - noticed as I went to update our Internal Jira ticket on this issue :P
    • Kyle Brandt
      Kyle Brandt over 5 years
      Hmm... openssl says the cert is notBefore=Sep 6 18:10:18 2018 GMT so it is possible there has been a change and I am conflating things, is the AD domain name usually on the ldaps cert?
    • Greg Askew
      Greg Askew over 5 years
      I've always had multiple SAN's for DC certs, but not for this reason.
    • Greg Askew
      Greg Askew over 5 years
      Also, I believe the reason we have multiple SANs was due to the introduction of the setting "Require strict KDC validation", which is where the client validates the identity of the domain controller/name/correct cert EKU's it is connecting to (in smart card environments at least).
  • symcbean
    symcbean over 5 years
    Disabling validation is NOT a "fix"! There are a surprising amount of historical errors relating to this area in Java, but from 1.8.181 it seems to be relatively sensible. The caveat is that (like most modern browsers) the hostname from the URL MUST be present in the SAN of the certificate to be considered valid.
  • Sujai SR
    Sujai SR almost 5 years
    I also have faced the same issue and the issue has been resolved after disableEndpointIdentification but planning to use FQDN as a permanent solution.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to get all members of AD group via LDAP in Java
AD return 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
LDAP query get all groups (nested) of a group
LDAP Searching a user in Active directory with UPN
Java ldap authentication issue
Parse ldap filter to escape special characters
LdapConnection vs. PrincipalContext
"Can't contact LDAP server (-1)" error for LDAPS to Server 2012
What version(s) of SSL/TLS does Active Directory support?
Enabling LDAPS: Cannot get to open port 636