Return value 0x31 from ldap_bind_s with LDAP_AUTH_DIGEST

  • Question

  • I am writing an LDAP client.

    When I do an ldap_bind_s with LDAP_AUTH_SIMPLE as follows it succeeds.

        // simple bind: DN/user name and clear-text password
        ldapRetCd = ldap_bind_s(ldapSession,
          TEXT("Administrator"),
          TEXT("password"),
          LDAP_AUTH_SIMPLE);

    However, I would prefer to use LDAP_AUTH_DIGEST for the obvious sorts of reasons. However when I run the following code it fails with a 0x31:

        TCHAR identUserid[] = TEXT("Administrator");
        TCHAR identDomain[] = TEXT("mydomain.com");
        TCHAR identPassword[] = TEXT("password");
    
        SEC_WINNT_AUTH_IDENTITY winIdent = {(unsigned short __RPC_FAR*)identUserid, // user
          elementsof(identUserid)-1,         // user id length
          (unsigned short __RPC_FAR*)identDomain,   // domain or workgroup
          elementsof(identDomain)-1,         // domain name length
          (unsigned short __RPC_FAR*)identPassword,  // password
          elementsof(identPassword)-1,        // password length
          SEC_WINNT_AUTH_IDENTITY_UNICODE};      // flags
    
        // digest bind: dn is NULL, cred points at the SEC_WINNT_AUTH_IDENTITY
        ldapRetCd = ldap_bind_s(ldapSession,
          NULL,
          (TCHAR *)&winIdent,
          LDAP_AUTH_DIGEST);

    Notes:

    UNICODE is in effect.

    elementsof(a) is defined as sizeof(a) / sizeof(a[0])

    The winIdent struct "looks right" in the debugger.

    myDomain.com is what the LDAP server shows as its domain in My Computer\Properties. (The client is on Workgroup MSHOME if that matters.)

    Client is XP Pro; LDAP Server is Windows 2003 Server.

    Everything else is the same between the LDAP_AUTH_SIMPLE that works and the LDAP_AUTH_DIGEST that fails.

    I don't really know what to look for. Help is appreciated.


    Charles
    Monday, March 14, 2011 6:54 PM

All replies

  • Error 0x31 is Invalid Credential.  Do you know for a fact that this LDAP server accepts digest authentication?  And do you know for a fact that the username and password you are trying to use work under this authentication mode?  I would look for an LDAP client out there and I would test connecting to LDAP using this 3rd party tool and Digest authentication.  If it works then great, but if it doesn't you'll stop banging your head for nothing.
    MCP
    Saturday, March 19, 2011 6:03 PM
  • @webJose, thanks! I'm new to LDAP and it never occurred to me that my server might not support Digest authentication. I'm using the Softerra LDAP Browser v2.6 as a test client and it appears that *it* does not support Digest authentication, so that's not a viable approach. Would you care to suggest a readily available client that does?

    My test LDAP server is Win 2003 Server AD. For some reason I had the *impression* that it supported digest authentication. How would I determine definitively?


    Charles
    Sunday, March 20, 2011 7:57 PM
  • Well, I just read that Digest-MD5 is like the must-have for an LDAP server v3 to be considered v3.  So I guess Active Directory supports it.  The question would be:  Is it enabled?  Because by default, Active Directory uses the much better Kerberos authentication.  It would not surprise me one bit if AD did not accept any other form of authentication out of the box.  Check with an MCSE or the network administrator to find out if Digest-MD5 is enabled/supported.

    And I'm sorry, but I don't know much about LDAP or LDAP clients.  I cannot recommend one.  The LDAP I use allows anonymous access (Critical Path) or if I use AD, I connect using Kerberos.


    MCP
    • Marked as answer by tsrCharles Monday, March 21, 2011 11:50 PM
    Monday, March 21, 2011 5:53 AM
  • Hi.  Just read a bit more.  Found this:  http://www.seapine.com/kb/questions/1626/Seapine+License+Server+Cannot+Query+Active+Directory+Servers+Using+DIGEST-MD5+Password+Encryption.
    It seems that the Digest-MD5 protocol requires that the password of the user account being used be stored in reversible encryption.  I know for a fact that by default, Active Directory user accounts do NOT store the password in a reversible manner.  So yes, you are most likely getting error 0x31 because the user account's password is not stored in reversible encryption mode.


    MCP
    • Marked as answer by tsrCharles Monday, March 21, 2011 11:50 PM
    Monday, March 21, 2011 6:04 AM
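The two replies above raise two separate questions: does the server advertise DIGEST-MD5 at all, and is the account's password stored with reversible encryption? Both can be checked from the client side without any third-party LDAP browser. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes a reachable domain controller (`dc.mydomain.com` is a placeholder), reads the server's `supportedSASLMechanisms` from RootDSE, then looks up the account's `userAccountControl` and tests bit 0x80 (`ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED`, the "Store password using reversible encryption" checkbox). The function and file names are my own.

```powershell
# Check-DigestBind.ps1 (hypothetical name): diagnose why an LDAP_AUTH_DIGEST bind
# to Active Directory returns 0x31 (LDAP_INVALID_CREDENTIALS, decimal 49).
# Added example, not from the original thread. $Server is a placeholder.
param(
    [string]$Server = 'dc.mydomain.com',      # assumption: a DC the client can reach
    [string]$SamAccountName = 'Administrator'
)

# Bit 0x80 of userAccountControl = ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED,
# shown in Active Directory Users and Computers as
# "Store password using reversible encryption". Off by default.
$ReversibleEncryptionFlag = 0x80

function ConvertTo-LdapFilterLiteral([string]$Value) {
    # RFC 4515 escaping so a supplied account name cannot change the filter's structure
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            '*'       { [void]$sb.Append('\2a') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# 1. RootDSE is readable without credentials and lists the SASL mechanisms
#    the server is willing to negotiate (e.g. GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5).
$rootDse    = [ADSI]"LDAP://$Server/RootDSE"
$mechanisms = @($rootDse.supportedSASLMechanisms)
Write-Host "Server advertises SASL mechanisms: $($mechanisms -join ', ')"
$serverSupportsDigest = $mechanisms -contains 'DIGEST-MD5'

# 2. Find the account in the default naming context and read userAccountControl.
$defaultNc = [string]$rootDse.defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Server/$defaultNc")
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Account '$SamAccountName' not found under $defaultNc" }

$uac = [int]$result.Properties['useraccountcontrol'][0]
$accountStoresReversible = ($uac -band $ReversibleEncryptionFlag) -ne 0
Write-Host ("userAccountControl for {0}: 0x{1:X} (reversible encryption: {2})" -f `
    $SamAccountName, $uac, $accountStoresReversible)

# 3. Explain what a digest bind with this account can be expected to do.
if (-not $serverSupportsDigest) {
    Write-Host "DIGEST-MD5 is not advertised; LDAP_AUTH_DIGEST cannot succeed against this server."
} elseif (-not $accountStoresReversible) {
    Write-Host "DIGEST-MD5 is advertised, but the password is not stored reversibly,"
    Write-Host "so the DC cannot compute the digest and the bind returns 0x31."
    Write-Host "Note: after the flag is set the password must be reset once so a"
    Write-Host "reversibly encrypted copy gets stored; enabling it makes the clear-text"
    Write-Host "password recoverable by anyone who can read directory secrets."
} else {
    Write-Host "Server and account both allow DIGEST-MD5; a 0x31 here means the"
    Write-Host "user, domain or password in SEC_WINNT_AUTH_IDENTITY is wrong."
}
```

Run it from a domain-joined or DC-reachable machine, for example `.\Check-DigestBind.ps1 -Server dc.mydomain.com -SamAccountName Administrator`. The report in step 3 reflects the trade-off the replies describe: making a digest bind work requires weakening how the account's password is stored, which is why the default is off and why the Kerberos-based bind the reply recommends is the better choice for an AD client.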
  • Thanks. Sorry to be slow to reply. For some reason MSDN has stopped notifying me of replies. No, not a spam filter issue.
    Charles
    Monday, March 21, 2011 11:50 PM