Open Bug 1781743 Opened 3 years ago Updated 8 months ago

make ldap work with gssapi with channel binding token requirements

Categories

(MailNews Core :: LDAP Integration, enhancement)

Thunderbird 102
Desktop
Windows 10
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: anton.adamenko, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0

Steps to reproduce:

Active Directory on Windows 2019
LDAPS enabled and working
Enable security policy: LDAP server channel binding token requirements

Actual results:

Address book does not look up contacts.
On the DC there is this event:

An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000035B
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

thunderbird error console:
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:266:18
mailnews.ldap: S: [1] BindResponse resultCode=49 message="80090346: LdapErr: DSID-0C090597, comment: AcceptSecurityContext error, data 80090346, v4563"

OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop
Component: Untriaged → Security
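One way to tell this failure apart from an ordinary bad-password bind when triaging logs, as an added example that is not part of the bug report or of Thunderbird's code: it parses the AD "LdapErr" diagnostic string from the mailnews.ldap console line and the Status field of the DC's 4625 event. The function names are hypothetical, the first console line and the event status are the ones on this bug, and the second console line is a constructed sample for comparison.

```python
import re
# AD diagnostic string in a failed BindResponse; format as seen on this bug:
# "<hresult>: LdapErr: DSID-<hex>, comment: <text>, data <code>, v<hex>"
LDAPERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)
STATUS_RE = re.compile(r"^\s*Status:\s*(0x[0-9A-Fa-f]+)", re.MULTILINE)  # skips "Sub Status:"
STATUS_BAD_BINDINGS = 0xC000035B  # NTSTATUS in the DC's 4625 event on this bug
# "data" codes behind resultCode=49: 80090346 is the one on this bug (SEC_E_BAD_BINDINGS);
# the other two are well-known AD logon failure codes.
DATA_CODES = {
    "80090346": "channel binding token missing or mismatched (SEC_E_BAD_BINDINGS)",
    "80090308": "invalid security token (SEC_E_INVALID_TOKEN)",
    "52e": "wrong username or password (ERROR_LOGON_FAILURE)",
}

def classify_bind_line(line: str) -> dict:
    """Classify one Thunderbird mailnews.ldap console line."""
    code = re.search(r"BindResponse resultCode=(\d+)", line)
    if not code:
        return {"bind_response": False}
    info = {"bind_response": True, "result_code": int(code.group(1)),
            "channel_binding_failure": False, "reason": "no AD diagnostic string"}
    diag = LDAPERR_RE.search(line)
    if diag:  # AD explains a resultCode=49 through the "data" field, not the resultCode
        data = diag.group("data").lower()
        info.update(diag.groupdict(), reason=DATA_CODES.get(data, "unknown data code"),
                    channel_binding_failure=(data == "80090346"))
    return info

def event_4625_is_bad_bindings(event_text: str) -> bool:
    """True when a 4625 event's Status is 0xC000035B (STATUS_BAD_BINDINGS)."""
    m = STATUS_RE.search(event_text)
    return bool(m) and int(m.group(1), 16) == STATUS_BAD_BINDINGS

# Sample inputs: the first line and the 4625 excerpt come from this bug; the second
# line is constructed to show an ordinary credential failure for comparison.
SAMPLE_LINES = [
    'mailnews.ldap: S: [1] BindResponse resultCode=49 message="80090346: LdapErr: '
    'DSID-0C090597, comment: AcceptSecurityContext error, data 80090346, v4563"',
    'mailnews.ldap: S: [2] BindResponse resultCode=49 message="80090308: LdapErr: '
    'DSID-0C090597, comment: AcceptSecurityContext error, data 52e, v4563"',
]
SAMPLE_4625 = "Failure Information:\nStatus: 0xC000035B\nSub Status: 0x0\n"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_bind_line(line))
    print("4625 shows STATUS_BAD_BINDINGS:", event_4625_is_bad_bindings(SAMPLE_4625))
```

Both signals together (data 80090346 on the client, Status 0xC000035B on the DC) point at a client that does not send a channel binding token, which is a different remediation from a credential problem.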

Thanks for reporting. Did it work before? Do you remember the version number that worked?

(In reply to Ping Chen (:rnons) from comment #1)
> Thanks for reporting. Did it work before? Do you remember the version number that worked?

I just now enabled this option.
Testing on version 38 and 102 clients.
Another service which uses Kerberos and LDAPS works fine.

Component: Security → LDAP Integration
Product: Thunderbird → MailNews Core

This looks like a feature request. According to https://ldapwiki.com/wiki/Channel%20Binding, Channel Binding was defined in RFC5056.

See Also: → 563276, 1179722

Thanks Anton for your ticket and @rnons and @mkmelin for your comments! :)

I should specify that Channel Binding is also a small part of the SCRAM-SHA-*-PLUS variants.

SCRAM-SHA-1 and SCRAM-SHA-256 have already worked for XMPP for a while:

But sadly, not yet for LDAP, SMTP, IMAP and POP :/

It is linked to:

Type: defect → enhancement
Summary: gssapi with channel binding token requirements → make ldap work with gssapi with channel binding token requirements