
Error 'invalidCredentials' when attempting SASL+DIGEST_MD5 auth #1102

Open
maretodoric opened this issue Oct 11, 2023 · 5 comments

Comments

@maretodoric

Hello everyone,

as the title states, I'm having issues attempting to bind to Windows Active Directory using SASL+DIGEST_MD5.

I'm using following code:

from ldap3 import Server, Connection, ALL, SASL, DIGEST_MD5
user_dn = 'cn=Name Lastname,OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com'
sasl_credentials = (None, user_dn, 'password', None, 'sign')
server = Server('1.2.3.4', use_ssl=False, get_info=ALL)
conn = Connection(server, auto_bind = False, version = 3, authentication = SASL, sasl_mechanism = DIGEST_MD5, sasl_credentials = sasl_credentials)
conn.bind()
conn.result
{'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0905D2, comment: AcceptSecurityContext error, data 52e, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

I've attempted multiple variations on how to log in, but I get the same description ('invalidCredentials') and sometimes a different message.
Here are the different results for the various sasl_credentials values:

sasl_credentials result
(None, user_dn, 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0905D2, comment: AcceptSecurityContext error, data 52e, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
(None, 'name.lastname@domain.com', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0905D2, comment: AcceptSecurityContext error, data 52e, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
(None, 'DOMAIN\name.lastname', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '8009030C: LdapErr: DSID-0C0905D2, comment: AcceptSecurityContext error, data 52e, v4563\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
( 'domain', 'name.lastname', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': "80090303: LdapErr: DSID-0C0905A6, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v4563\x00", 'referrals': None, 'saslCreds': b'rspauth=45c0a15877b28e1d86d2cba517f76f67', 'type': 'bindResponse'}
( 'domain.com', 'name.lastname', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': "80090303: LdapErr: DSID-0C0905A6, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v4563\x00", 'referrals': None, 'saslCreds': b'rspauth=45c0a15877b28e1d86d2cba517f76f67', 'type': 'bindResponse'}
( 'OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com', 'name.lastname@domain.com', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': "80090303: LdapErr: DSID-0C0905A6, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v4563\x00", 'referrals': None, 'saslCreds': b'rspauth=45c0a15877b28e1d86d2cba517f76f67', 'type': 'bindResponse'}
( 'OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com', 'name.lastname', 'password', None, 'sign') {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': "80090303: LdapErr: DSID-0C0905A6, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v4563\x00", 'referrals': None, 'saslCreds': b'rspauth=45c0a15877b28e1d86d2cba517f76f67', 'type': 'bindResponse'}

The credentials are OK: we are signing in using 'first_name.last_name@domain.com', and the password is correct too, because when I try a simple bind it works.
The reason I'm stuck on wanting to use SASL+DIGEST_MD5 is that I cannot change a password in AD without it (as it seems, according to a few issues previously raised here).

This is a Windows Server 2019 hosted on AWS (AWS Directory Service), and the functional level is that of Windows 2012 (if this info means anything).

@ThePirateWhoSmellsOfSunflowers
Contributor

Hi!

Use (None, SamAccountName, password, None, 'sign'), but the most important thing is to use the FQDN of the Active Directory server, because the name is part of the protocol, so:

server = Server('1.2.3.4', use_ssl=False, get_info=ALL) -> server = Server('dc01.domain.com', use_ssl=False, get_info=ALL)

🌻
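The digest-uri point above, shown as an added stand-alone example that is not code from ldap3 or from anyone in this thread: a minimal DIGEST-MD5 (RFC 2831) exchange in pure Python with a toy server standing in for the DC. The client derives digest-uri as "ldap/<host>" from whatever host it was given, so an IP address or a bare domain name can never match the SPN the DC has registered, and the realm slot left as None takes the realm from the server's challenge. The mapping of ldap3's 'sign' option to the auth-int quality of protection is an assumption; host names, SPNs, users, passwords and nonces are all constructed, and the toy server's ordering and wording of failures is its own, not AD's.

```python
"""
Added example, not code from ldap3 or from anyone in this thread: a minimal
DIGEST-MD5 (RFC 2831) exchange in pure Python, showing why the host name
passed to Server() matters. The client puts "ldap/<host>" into digest-uri
and the server accepts it only if it matches one of its registered SPNs.
Host names, SPNs, users, passwords and nonces below are all constructed.
"""
import hashlib
import os

ZERO_BLOCK = "00000000000000000000000000000000"  # appended to A2 for auth-int / auth-conf


def digest_uri(host: str, service: str = "ldap") -> str:
    # RFC 2831 digest-uri is serv-type "/" host; an IP here can never match an SPN.
    return f"{service}/{host}"


def _a1(user: str, realm: str, password: str, nonce: str, cnonce: str) -> bytes:
    # A1 = H(user:realm:password) ":" nonce ":" cnonce, with the inner hash as raw bytes
    inner = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    return inner + f":{nonce}:{cnonce}".encode()


def _a2(prefix: str, uri: str, qop: str) -> bytes:
    # The client uses "AUTHENTICATE:" uri, the server's rspauth uses ":" uri;
    # both append a zero block when the qop is auth-int or auth-conf.
    a2 = f"{prefix}:{uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + ZERO_BLOCK
    return a2.encode()


def _kd(a1: bytes, a2: bytes, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    def hexmd5(b: bytes) -> str:
        return hashlib.md5(b).hexdigest()
    return hexmd5(f"{hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexmd5(a2)}".encode())


def response_value(user, realm, password, nonce, cnonce, nc, qop, uri) -> str:
    return _kd(_a1(user, realm, password, nonce, cnonce), _a2("AUTHENTICATE", uri, qop), nonce, nc, cnonce, qop)


def rspauth_value(user, realm, password, nonce, cnonce, nc, qop, uri) -> str:
    return _kd(_a1(user, realm, password, nonce, cnonce), _a2("", uri, qop), nonce, nc, cnonce, qop)


class ToyDigestServer:
    """Stand-in for the DC side. Keeps plaintext passwords only because it is a toy."""

    def __init__(self, realm: str, spns, users: dict):
        self.realm, self.spns, self.users = realm, set(spns), users
        self.nonce = os.urandom(16).hex()

    def challenge(self) -> dict:
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth,auth-int,auth-conf"}

    def authenticate(self, msg: dict) -> dict:
        # A real DC orders and words its checks differently (the thread shows both
        # "data 52e" and an SPN message); this toy checks the SPN, then the credentials.
        if msg["digest-uri"] not in self.spns:
            return {"result": 49, "comment": "digest-uri does not match any registered LDAP SPN"}
        password = self.users.get(msg["username"])
        expected = None if password is None or msg["realm"] != self.realm else response_value(
            msg["username"], self.realm, password, self.nonce,
            msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
        if expected is None or expected != msg["response"]:
            return {"result": 49, "comment": "AcceptSecurityContext error, data 52e"}
        return {"result": 0, "rspauth": rspauth_value(
            msg["username"], self.realm, password, self.nonce,
            msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])}


def client_bind(server, host, username, password, qop="auth-int", realm=None) -> dict:
    # host is what you would hand to ldap3's Server(); realm=None takes the server's
    # realm, like the None in ldap3's sasl_credentials tuple. qop auth-int is assumed
    # to correspond to ldap3's 'sign' option.
    ch = server.challenge()
    realm = ch["realm"] if realm is None else realm
    cnonce, nc, uri = os.urandom(16).hex(), "00000001", digest_uri(host)
    msg = {"username": username, "realm": realm, "nonce": ch["nonce"], "cnonce": cnonce,
           "nc": nc, "qop": qop, "digest-uri": uri,
           "response": response_value(username, realm, password, ch["nonce"], cnonce, nc, qop, uri)}
    res = server.authenticate(msg)
    if res["result"] == 0:
        # Mutual authentication: the server proves it knows the credentials too.
        res["server_verified"] = res["rspauth"] == rspauth_value(
            username, realm, password, ch["nonce"], cnonce, nc, qop, uri)
    return res


if __name__ == "__main__":
    dc = ToyDigestServer("domain.com", ["ldap/dc01.domain.com"], {"name.lastname": "password"})
    for host in ("1.2.3.4", "dc01.domain.com"):
        print(host, "->", client_bind(dc, host, "name.lastname", "password"))
```

Running the main block binds once with the IP and once with the FQDN against the same toy server; only the FQDN produces a digest-uri that is in the server's SPN set, and only that bind returns result 0 with a verifiable rspauth. The same computation shows why an explicit realm that differs from the one in the server's challenge fails even with the right password.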

@maretodoric
Author

maretodoric commented Oct 11, 2023

Thanks @ThePirateWhoSmellsOfSunflowers that appears to have worked.
But the original issue that led me to want to use SASL+DIGEST_MD5 is still there: I'm unable to change a user's password.

I tried using the following commands:

conn.extend.microsoft.modify_password('cn=Test User,OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com', password)

and

ldap3.extend.microsoft.modifyPassword.ad_modify_password(conn, 'cn=Test User,OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com', password, None)

Both of which give me this error message:

{'result': 53, 'description': 'unwillingToPerform', 'dn': '', 'message': '0000001F: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'}

Same as when logged in via basic auth. Any idea?

@ThePirateWhoSmellsOfSunflowers
Contributor

Yes, you cannot change a password without TLS. If your AD implements LDAPS, use it; if not, you can use #1042 and change (None, SamAccountName, password, None, 'sign') to (None, SamAccountName, password, None, 'ENCRYPT').
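The TLS requirement above, as an added example that is not code from ldap3 or from anyone in this thread: a password change over LDAPS with certificate validation turned on, with a guard that refuses to send the new password on a session that is neither TLS-protected nor SASL with the 'ENCRYPT' option from #1042. The option name comes from the comment above; which ldap3 connection attributes reflect the session state is an assumption, as are the host, CA file, DNs and credentials, which are placeholders.

```python
"""
Added example, not code from ldap3 or from this thread: change an AD
password over a confidential channel. AD answers unwillingToPerform
(WILL_NOT_PERFORM) for unicodePwd writes on an unprotected session, so the
bind below is LDAPS with a validated certificate, and a guard refuses to
proceed otherwise. Host, CA file, DNs and credentials are placeholders.
"""
import ssl


def encode_unicode_pwd(password: str) -> bytes:
    # AD expects the new password as a UTF-16LE string wrapped in double quotes;
    # ldap3's modify_password does this for you, shown here for reference.
    return f'"{password}"'.encode("utf-16-le")


def connection_is_confidential(conn) -> bool:
    # True for LDAPS, StartTLS, or SASL with the 'ENCRYPT' (auth-conf) option.
    # Attribute names are assumed from ldap3 (server.ssl, tls_started,
    # sasl_credentials); duck-typed so a test double works as well.
    if getattr(conn.server, "ssl", False) or getattr(conn, "tls_started", False):
        return True
    creds = getattr(conn, "sasl_credentials", None)
    return bool(creds) and len(creds) >= 5 and creds[4] == "ENCRYPT"


def change_password_over_ldaps(host, ca_file, bind_user, bind_password, target_dn, new_password):
    # Imported here so the rest of this file runs without ldap3 installed.
    from ldap3 import ALL, SIMPLE, Connection, Server, Tls

    # ldap3's Tls() does not validate the server certificate unless told to.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=bind_user, password=bind_password,
                      authentication=SIMPLE, auto_bind=True)
    if not connection_is_confidential(conn):
        conn.unbind()
        raise RuntimeError("refusing to send a password over an unprotected LDAP session")
    ok = conn.extend.microsoft.modify_password(target_dn, new_password)
    result = dict(conn.result)
    conn.unbind()
    return ok, result


if __name__ == "__main__":
    # Placeholder values; a real run needs a reachable DC and its CA certificate.
    print(change_password_over_ldaps(
        "dc01.domain.com", "/path/to/ca.pem",
        "cn=Admin User,OU=Users,OU=DOMAIN,DC=domain,DC=com", "bind-password",
        "cn=Test User,OU=O365SyncUsers,OU=Users,OU=DOMAIN,DC=domain,DC=com", "new-password"))
```

The guard matters because ldap3 will happily send the modify over a plaintext port 389 session and only the server's WILL_NOT_PERFORM tells you afterwards; checking the session state first keeps the new password off the wire when the channel is wrong.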

@maretodoric
Author

Now we're talking!
Thanks a lot @ThePirateWhoSmellsOfSunflowers

@oniek

oniek commented Apr 8, 2024

Hi all - lil bump

Right now I have the same situation and nothing helps: always INVALID CREDENTIALS for SASL+DIGEST_MD5 auth.
We have a standalone physical Windows Server 2022 Standard.

I tried several kinds of login (SamAccountName, SamAccountName@fqdn, DN, etc.); even setting use_ssl=False and get_info=ALL in Server doesn't help.

from ldap3 import Server, Connection, ALL, SASL, DIGEST_MD5

ldap_user = "USER1@domain.com"
ldap_password = "passwordldapuser1"
server = Server(host = "domain.com", use_ssl=False, get_info=ALL)
c = Connection(server, auto_bind = True, version = 3, authentication = SASL, sasl_mechanism = DIGEST_MD5, sasl_credentials = (None, ldap_user, ldap_password, 'sign'))

print(c.bind())

also tested with client_strategy = "SYNC" or "SAFE_SYNC"

what is wrong with that?
