RE: SASL binding with SSL encryption
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Tue Oct 27 21:59:07 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Ryan Lynch <ryan.b.lynch@gmail.com>
Date: Wed, 28 Oct 2009 09:55:36 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172F0F1E6D7F@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <115906d10910270813u222f3f86kfe19050446d66ea7@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> -----Original Message-----
> From: Ryan Lynch [mailto:ryan.b.lynch@gmail.com]
> Sent: Tuesday, October 27, 2009 11:14 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos@mit.edu
> Subject: Re: SASL binding with SSL encryption
>
> A suggestion, from my past experiences: Have you confirmed
> that your "ping-pong" results are always coming from the same
> AD domain controller? If not, try tracing the packet traffic,
> or just increasing your client-side debug verbosity. If the
> success vs. failure results can be correlated to different
> DCs, this may be a configuration issue on one of your DCs.
I have tried SASL binding with SSL encryption (unsuccessfully) against two different ADs: one in Windows 2003 Server and the other in Windows 2000 Server. These 2003 and 2000 servers are different domain controllers. In contrast, when the same thing is done against AD in Windows 2008 Server (patched with hotfix http://support.microsoft.com/kb/957072), it works perfectly.
Therefore, I guess the problem is due to some bug in Windows 2000/2003 Server. By the way, tracing network packets is quite hard for SASL binding with SSL encryption, because all the packets are encrypted, not plain LDAP ones.
Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos