Ryfujk

Greco-Roman egalitarianism

How to color a curve

Have I saved too much for retirement so far?

Proof of Lemma: Every nonzero integer can be written as a product of primes

Is camera lens focus an exact point or a range?

How much character growth crosses the line into breaking the character

Varistor? Purpose and principle

What is the gram­mat­i­cal term for “‑ed” words like these?

Gibbs free energy in standard state vs. equilibrium

What does this horizontal bar at the first measure mean?

How can Trident be so inexpensive? Will it orbit Triton or just do a (slow) flyby?

Do Legal Documents Require Signing In Standard Pen Colors?

Query about absorption line spectra

Has Darkwing Duck ever met Scrooge McDuck?

What is this type of notehead called?

Sampling Theorem and reconstruction

How should I respond when I lied about my education and the company finds out through background check?

Can the Supreme Court overturn an impeachment?

Will adding a BY-SA image to a blog post make the entire post BY-SA?

What linear sensor for a keyboard?

Greatest common substring

Is XSS in canonical link possible?

Create all possible words using a set or letters

A social experiment. What is the worst that can happen?

Active Directory LDAPS and Java 181 LDAPS Verification

What Sun Web or App Server config can cause “Due to a temporary error the request could not be serviced”Binding to LDAPS using PHP failingwso2 Governance Registry Active Directory integration unable to find valid certification path to requested targetfreeipa ssl ldap and round robin dnsActive Directory: Server 2008 and RHEL 5.10ActiveDirectory LDAPS third-party certificate and internal namesUsing a third-party certificate with Active Directory without certificate requestJRE fails to establish LDAPS connection with AD after RootCA cert imported to cacerts truststoreActive Directory LDAPS client certificate authenticationLDAPS Microsoft Active Directory Multiple Certificates RFC6125

1

Java 8u181 (Java 8 Update 181) enhances security around LDAPS connections:

Change: Improve LDAP support Endpoint identification has been enabled
on LDAPS connections. To improve the robustness of LDAPS (secure LDAP
over TLS ) connections, endpoint identification algorithms have been
enabled by default. Note that there may be situations where some
applications that were previously able to successfully connect to an
LDAPS server may no longer be able to do so. Such applications may, if
they deem appropriate, disable endpoint identification using a new
system property:
com.sun.jndi.ldap.object.disableEndpointIdentification. Define this
system property (or set it to true) to disable endpoint identification
algorithms. JDK-8200666 (not public)

One of these enhancements seem to be checking that the domain name is on the certificate. However, the default behavior of Active Directory seems to be to only have the name for the AD server that happens to be returned under the many A records of the AD domain name - and it seems rare that clients will support a list of hosts.

I also see this pattern outside of Java (i.e. Go programs will check this now as well see Go 1.10 release notes on Certificate.Verify).

There is a somewhat intimidating technet article on getting names on the cert in a way that will be renewed: https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

I'm sure I'm not the only one here running into this:

1. Has anyone had success in either adding the name to the cert, or maybe using a load balancer in front of LDAPS for generic non-AD specific LDAP clients?


2. Does anyone know if Microsoft is on this issue in any way that might have changes coming in the future that make "disable verification and wait" a sane tactic?

active-directory ssl ldap java

share|improve this question

edited Sep 7 '18 at 15:34

Kyle Brandt

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

bumped to the homepage by Community♦ 8 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  lol, and also Impacting my Internal Jira instance - noticed as I went to update our Internal Jira ticket on this issue :P
  
  – Kyle Brandt♦
  Sep 7 '18 at 15:27
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hmm... openssl says the cert is notBefore=Sep 6 18:10:18 2018 GMT so it is possible there has been a change and I am conflating things, is the AD domain name usually on the ldaps cert?
  
  – Kyle Brandt♦
  Sep 7 '18 at 15:50
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've always had multiple SAN's for DC certs, but not for this reason.
  
  – Greg Askew
  Sep 7 '18 at 20:45
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also, I believe the reason we have multiple SANs was due to the introduction of the setting "Require strict KDC validation", which is where the client validates the identity of the domain controller/name/correct cert EKU's it is connecting to (in smart card environments at least).
  
  – Greg Askew
  Sep 7 '18 at 22:44
  

  
  
  
  

add a comment | 

1

Java 8u181 (Java 8 Update 181) enhances security around LDAPS connections:

Change: Improve LDAP support Endpoint identification has been enabled
on LDAPS connections. To improve the robustness of LDAPS (secure LDAP
over TLS ) connections, endpoint identification algorithms have been
enabled by default. Note that there may be situations where some
applications that were previously able to successfully connect to an
LDAPS server may no longer be able to do so. Such applications may, if
they deem appropriate, disable endpoint identification using a new
system property:
com.sun.jndi.ldap.object.disableEndpointIdentification. Define this
system property (or set it to true) to disable endpoint identification
algorithms. JDK-8200666 (not public)

One of these enhancements seem to be checking that the domain name is on the certificate. However, the default behavior of Active Directory seems to be to only have the name for the AD server that happens to be returned under the many A records of the AD domain name - and it seems rare that clients will support a list of hosts.

I also see this pattern outside of Java (i.e. Go programs will check this now as well see Go 1.10 release notes on Certificate.Verify).

There is a somewhat intimidating technet article on getting names on the cert in a way that will be renewed: https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

I'm sure I'm not the only one here running into this:

1. Has anyone had success in either adding the name to the cert, or maybe using a load balancer in front of LDAPS for generic non-AD specific LDAP clients?


2. Does anyone know if Microsoft is on this issue in any way that might have changes coming in the future that make "disable verification and wait" a sane tactic?

active-directory ssl ldap java

share|improve this question

edited Sep 7 '18 at 15:34

Kyle Brandt

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

bumped to the homepage by Community♦ 8 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  lol, and also Impacting my Internal Jira instance - noticed as I went to update our Internal Jira ticket on this issue :P
  
  – Kyle Brandt♦
  Sep 7 '18 at 15:27
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hmm... openssl says the cert is notBefore=Sep 6 18:10:18 2018 GMT so it is possible there has been a change and I am conflating things, is the AD domain name usually on the ldaps cert?
  
  – Kyle Brandt♦
  Sep 7 '18 at 15:50
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I've always had multiple SAN's for DC certs, but not for this reason.
  
  – Greg Askew
  Sep 7 '18 at 20:45
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Also, I believe the reason we have multiple SANs was due to the introduction of the setting "Require strict KDC validation", which is where the client validates the identity of the domain controller/name/correct cert EKU's it is connecting to (in smart card environments at least).
  
  – Greg Askew
  Sep 7 '18 at 22:44
  

  
  
  
  

add a comment | 

Java 8u181 (Java 8 Update 181) enhances security around LDAPS connections:

Change: Improve LDAP support Endpoint identification has been enabled
on LDAPS connections. To improve the robustness of LDAPS (secure LDAP
over TLS ) connections, endpoint identification algorithms have been
enabled by default. Note that there may be situations where some
applications that were previously able to successfully connect to an
LDAPS server may no longer be able to do so. Such applications may, if
they deem appropriate, disable endpoint identification using a new
system property:
com.sun.jndi.ldap.object.disableEndpointIdentification. Define this
system property (or set it to true) to disable endpoint identification
algorithms. JDK-8200666 (not public)

One of these enhancements seem to be checking that the domain name is on the certificate. However, the default behavior of Active Directory seems to be to only have the name for the AD server that happens to be returned under the many A records of the AD domain name - and it seems rare that clients will support a list of hosts.

I also see this pattern outside of Java (i.e. Go programs will check this now as well see Go 1.10 release notes on Certificate.Verify).

There is a somewhat intimidating technet article on getting names on the cert in a way that will be renewed: https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

I'm sure I'm not the only one here running into this:

1. Has anyone had success in either adding the name to the cert, or maybe using a load balancer in front of LDAPS for generic non-AD specific LDAP clients?


2. Does anyone know if Microsoft is on this issue in any way that might have changes coming in the future that make "disable verification and wait" a sane tactic?

active-directory ssl ldap java

share|improve this question

edited Sep 7 '18 at 15:34

Kyle Brandt

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

share|improve this question

edited Sep 7 '18 at 15:34

Kyle Brandt

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

share|improve this question

edited Sep 7 '18 at 15:34

Kyle Brandt

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

asked Sep 7 '18 at 15:24

Kyle Brandt♦Kyle Brandt

66.3k61263412

1 Answer
1

active

oldest

votes

0

We hit the same issue and there are few solutions to fix this.

Root cause: It would only NOT work when you use the pool hostname.

• Fix 1: Include -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to your application JAVA_OPTS and restart the tomcat/application server. This is to avoid strict end point verification.




• Fix 2: Use the exact host name (FQDN) mentioned in LDAPS presentation certificate.

Know your LDAPS server FQDN: openssl s_client -connect [LDAPS server IP/DNS]:636. Try to connect LDAPS server using IP/DNS. It displays the exact FQDN in CN= attribute. Use that FQDN to configure LDAPS server.

• Fix 3: Import the LDAPS presentation certificate (not the root or intermediate) in the application server.

share|improve this answer

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Disabling validation is NOT a "fix"! There are a surprising amount of historical errors relating to this area in Java, but from 1.8.181 it seems to be relatively sensible. The caveat is that (like most modern browsers) the hostname from the URL MUST be present in the SAN of the certificate to be considered valid.
  
  – symcbean
  Feb 1 at 13:20
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f929930%2factive-directory-ldaps-and-java-181-ldaps-verification%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

We hit the same issue and there are few solutions to fix this.

Root cause: It would only NOT work when you use the pool hostname.

• Fix 1: Include -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to your application JAVA_OPTS and restart the tomcat/application server. This is to avoid strict end point verification.




• Fix 2: Use the exact host name (FQDN) mentioned in LDAPS presentation certificate.

Know your LDAPS server FQDN: openssl s_client -connect [LDAPS server IP/DNS]:636. Try to connect LDAPS server using IP/DNS. It displays the exact FQDN in CN= attribute. Use that FQDN to configure LDAPS server.

• Fix 3: Import the LDAPS presentation certificate (not the root or intermediate) in the application server.

share|improve this answer

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Disabling validation is NOT a "fix"! There are a surprising amount of historical errors relating to this area in Java, but from 1.8.181 it seems to be relatively sensible. The caveat is that (like most modern browsers) the hostname from the URL MUST be present in the SAN of the certificate to be considered valid.
  
  – symcbean
  Feb 1 at 13:20
  

  
  
  
  

add a comment | 

0

We hit the same issue and there are few solutions to fix this.

Root cause: It would only NOT work when you use the pool hostname.

• Fix 1: Include -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to your application JAVA_OPTS and restart the tomcat/application server. This is to avoid strict end point verification.




• Fix 2: Use the exact host name (FQDN) mentioned in LDAPS presentation certificate.

Know your LDAPS server FQDN: openssl s_client -connect [LDAPS server IP/DNS]:636. Try to connect LDAPS server using IP/DNS. It displays the exact FQDN in CN= attribute. Use that FQDN to configure LDAPS server.

• Fix 3: Import the LDAPS presentation certificate (not the root or intermediate) in the application server.

share|improve this answer

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Disabling validation is NOT a "fix"! There are a surprising amount of historical errors relating to this area in Java, but from 1.8.181 it seems to be relatively sensible. The caveat is that (like most modern browsers) the hostname from the URL MUST be present in the SAN of the certificate to be considered valid.
  
  – symcbean
  Feb 1 at 13:20
  

  
  
  
  

add a comment | 

We hit the same issue and there are few solutions to fix this.

Root cause: It would only NOT work when you use the pool hostname.

• Fix 1: Include -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to your application JAVA_OPTS and restart the tomcat/application server. This is to avoid strict end point verification.




• Fix 2: Use the exact host name (FQDN) mentioned in LDAPS presentation certificate.

Know your LDAPS server FQDN: openssl s_client -connect [LDAPS server IP/DNS]:636. Try to connect LDAPS server using IP/DNS. It displays the exact FQDN in CN= attribute. Use that FQDN to configure LDAPS server.

• Fix 3: Import the LDAPS presentation certificate (not the root or intermediate) in the application server.

share|improve this answer

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

share|improve this answer

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

edited Oct 22 '18 at 21:56

Cory Knutson

1,711719

answered Oct 22 '18 at 18:18

YLRYLR

92

answered Oct 22 '18 at 18:18

YLRYLR

92