sstb

Reputation: 21

LDAP server claims "The server did not receive any credentials via TLS"

My Android app connects to an LDAP server during normal operation. The initial connection is anonymous, and startTLS with EXTERNAL binding is used to perform authentication as anonymous access is disallowed. UnboundID LDAP SDK is used as the LDAP library.

Recently the EXTERNAL binding has been failing with the error "80090317: The server did not receive any credentials via TLS, data 0, v2580". This is without changes to the app or Android platform, and the server team claims that there are no changes to the server either. I have confirmed that both client and server certs are valid, and that certs were indeed exchanged (by means of HandshakeCompletedListener).

Code

// connect to server - no bind yet, so the session is anonymous and not yet TLS-protected
LDAPConnection mConn = new LDAPConnection(address, port);

// start TLS with the app's client key material; TrustAllTrustManager skips server cert validation
KeyManager km = (...);
SSLUtil sslUtil = new SSLUtil(km, new TrustAllTrustManager());
StartTLSExtendedRequest req = new StartTLSExtendedRequest(sslUtil.createSSLContext());
mConn.processExtendedRequest(req);

// TLS handshake succeeds, proceed with bind
// SASL EXTERNAL bind request with authzId left blank
// It should use the client cert supplied during the TLS handshake
BindRequest request = new EXTERNALBindRequest("");
mConn.bind(request); // fails here

I have tried the following:

The remote server's team may take some time to arrange tests, so in the meantime I would like to hear some ideas on what could be happening here.

Upvotes: 2

Views: 194
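An added diagnostic (my own example, not the asker's code and not part of the UnboundID project) that narrows down where the credential goes missing: it wraps the app's X509KeyManager so you can see whether the server ever requested a client certificate, checks the negotiated SSLSession for a certificate that was actually sent, and reads back the authorization identity after the bind. It assumes a recent UnboundID LDAP SDK (one that has LDAPConnection.getSSLSession()) and that appKeyManager is the X509KeyManager the app already uses.

```java
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509KeyManager;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ExternalBindDiagnostics {
    // Wraps the app's key manager and records whether the server asked for a client cert at all.
    static final class RecordingKeyManager implements X509KeyManager {
        final X509KeyManager d; volatile boolean requested; volatile String alias;
        RecordingKeyManager(X509KeyManager d) { this.d = d; }
        public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) {
            requested = true;                        // only reached if a CertificateRequest arrived
            alias = d.chooseClientAlias(kt, iss, s); // null: no key matches the issuers the server accepts
            return alias;
        }
        public String chooseServerAlias(String k, Principal[] i, Socket s) { return d.chooseServerAlias(k, i, s); }
        public String[] getClientAliases(String k, Principal[] i) { return d.getClientAliases(k, i); }
        public String[] getServerAliases(String k, Principal[] i) { return d.getServerAliases(k, i); }
        public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    public static void run(String host, int port, X509KeyManager appKeyManager) throws Exception {
        RecordingKeyManager km = new RecordingKeyManager(appKeyManager);
        SSLUtil sslUtil = new SSLUtil(km, new TrustAllTrustManager()); // trust-all only for this diagnostic
        LDAPConnection conn = new LDAPConnection(host, port);            // no bind yet: anonymous
        try {
            conn.processExtendedRequest(new StartTLSExtendedRequest(sslUtil.createSSLContext()));
            SSLSession session = conn.getSSLSession();
            Certificate[] sent = (session == null) ? null : session.getLocalCertificates();
            System.out.println("server requested client cert : " + km.requested);
            System.out.println("alias chosen by key manager  : " + km.alias);
            System.out.println("client cert sent in handshake: " + (sent != null && sent.length > 0));
            try {
                conn.bind(new EXTERNALBindRequest(""));
                WhoAmIExtendedResult who = new WhoAmIExtendedResult(conn.processExtendedOperation(new WhoAmIExtendedRequest()));
                System.out.println("bound as: " + who.getAuthorizationID()); // how the server mapped the cert
            } catch (LDAPException e) {
                System.out.println("EXTERNAL bind failed: " + e.getResultCode() + " / " + e.getDiagnosticMessage());
            }
        } finally {
            conn.close();
        }
    }
}
```

If "server requested client cert" is false the server never sent a CertificateRequest, so the problem is on its side of the handshake; if the alias is null the local keystore has no key matching the accepted issuers; if a cert was sent and the bind still fails, the server received it but could not map it to an identity.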

Answers (1)

CravateRouge

Reputation: 140

This behavior seems to be induced by a bug on Windows Server introduced in May 2023 and fixed in the October 2023 update, causing an issue in which an external bind might fail. This leads to issues with Lightweight Directory Access Protocol (LDAP) queries and authentication.

Upvotes: 0
