LDAP server claims "The server did not receive any credentials via TLS"


My Android app connects to an LDAP server during normal operation. The initial connection is anonymous, and StartTLS with an EXTERNAL bind is used to perform authentication, as anonymous access is disallowed. The UnboundID LDAP SDK is used as the LDAP library.

Recently the EXTERNAL binding has been failing with the error "80090317: The server did not receive any credentials via TLS, data 0, v2580". This is without changes to the app or Android platform, and the server team claims that there are no changes to the server either. I have confirmed that both client and server certs are valid, and that certs were indeed exchanged (by means of HandshakeCompletedListener).

Code

import javax.net.ssl.KeyManager;
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;

// connect to server - no bind yet (anonymous), plain non-SSL socket
LDAPConnection mConn = new LDAPConnection(address, port);

// start TLS; the KeyManager holds the client certificate and its private key.
// How it is built is elided in the question; a key store path and PIN are used here as placeholders.
KeyManager km = new KeyStoreKeyManager("/path/to/client-keystore.p12", keyStorePin);
// TrustAllTrustManager skips server certificate validation (acceptable for testing only)
SSLUtil sslUtil = new SSLUtil(km, new TrustAllTrustManager());
StartTLSExtendedRequest req = new StartTLSExtendedRequest(sslUtil.createSSLContext());
mConn.processExtendedRequest(req);

// TLS connection succeeds, proceed with bind
// EXTERNAL bind request with authzId left blank
// It should use the cert supplied during TLS
BindRequest request = new EXTERNALBindRequest("");
mConn.bind(request); // fails here

I have tried the following:

  • Starting the initial connection over SSL, presenting the user certificate at the beginning. The server claims that the connection is not bound yet, contrary to Microsoft's Active Directory specs.
  • Attempting to manually trace the handshake proved unfruitful - the Android socket code seems non-debuggable through Android Studio, and setting the javax.net.debug options produced no output.
  • Packet capture solutions I found would require root as the connection to the server is done over a VPN

The remote server's team may take some time to arrange tests, so in the meantime I would like to hear some ideas on what could be happening here.

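A completed TLS handshake (which is all a HandshakeCompletedListener reports) does not by itself prove that the client actually sent a certificate: in Java the handshake still completes when the server requests a client certificate and the KeyManager has nothing to offer. The following is an added diagnostic, not code from the question or from the UnboundID project, that makes the StartTLS and EXTERNAL bind steps described above observable: after StartTLS it reads the negotiated SSLSession to confirm which client certificate went out and which server certificate came back, performs the EXTERNAL bind, and then asks the server via the "Who Am I?" extended operation which identity it mapped the certificate to. Host, port, key store and trust store paths and the PIN are placeholders; the UnboundID class and method names (LDAPConnection.getSSLSession, KeyStoreKeyManager, TrustStoreTrustManager, WhoAmIExtendedRequest) are the SDK's own.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ExternalBindCheck {

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions, not taken from the question): adjust to your environment.
        String host = "ldap.example.test";
        int port = 389;
        String clientKeyStore = "/path/to/client.p12";      // PKCS#12 holding the client cert + private key
        char[] clientKeyStorePin = "changeit".toCharArray();
        String trustStore = "/path/to/truststore.jks";      // CA(s) that issued the server certificate

        // 1. Plain, unauthenticated connection; no bind has been performed yet.
        LDAPConnection conn = new LDAPConnection(host, port);
        try {
            // 2. Client certificate from a key store; server certificate validated against a
            //    trust store rather than TrustAllTrustManager, so a proxy in the path cannot
            //    silently terminate the TLS session with its own certificate.
            SSLUtil sslUtil = new SSLUtil(
                new KeyStoreKeyManager(clientKeyStore, clientKeyStorePin),
                new TrustStoreTrustManager(trustStore));
            ExtendedResult tlsResult = conn.processExtendedRequest(
                new StartTLSExtendedRequest(sslUtil.createSSLContext()));
            if (tlsResult.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(tlsResult);
            }

            // 3. Inspect what the handshake actually negotiated. getLocalCertificates() is null
            //    when no client certificate was sent, which is exactly the case the server's
            //    "did not receive any credentials via TLS" message describes.
            SSLSession session = conn.getSSLSession();
            Certificate[] sent = session.getLocalCertificates();
            if (sent == null || sent.length == 0) {
                throw new IllegalStateException("TLS established, but no client certificate was sent");
            }
            System.out.println("Protocol: " + session.getProtocol()
                + ", cipher suite: " + session.getCipherSuite());
            System.out.println("Client cert sent: "
                + ((X509Certificate) sent[0]).getSubjectX500Principal());
            System.out.println("Server cert received: "
                + ((X509Certificate) session.getPeerCertificates()[0]).getSubjectX500Principal());

            // 4. SASL EXTERNAL bind; the identity is taken from the TLS client certificate.
            BindResult bindResult = conn.bind(new EXTERNALBindRequest());
            System.out.println("Bind result: " + bindResult.getResultCode()
                + " / " + bindResult.getDiagnosticMessage());

            // 5. Confirm which identity the server mapped the certificate to.
            WhoAmIExtendedResult whoAmI = (WhoAmIExtendedResult)
                conn.processExtendedRequest(new WhoAmIExtendedRequest());
            System.out.println("Server sees us as: " + whoAmI.getAuthorizationID());
        } catch (LDAPException e) {
            // A failed StartTLS or bind lands here with the result code and the server's
            // diagnostic text (for AD, the "80090317 ... data 0, v2580" style string).
            System.err.println("LDAP failure: " + e.getResultCode()
                + " - " + e.getDiagnosticMessage());
        } finally {
            conn.close();
        }
    }
}
```

Run it against the same server from the same network path as the app. If step 3 reports no client certificate sent, the problem is on the client side (KeyManager selection, a certificate the server's CertificateRequest did not ask for, or a TLS version mismatch); if the certificate was sent and the EXTERNAL bind still fails, the mapping happens on the server and the diagnostic message plus the Who Am I result are what to hand to the server team.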

Answer from CravateRouge:

This behavior seems to be induced by a bug on Windows Server introduced in May 2023 and fixed in the October 2023 update, causing an issue in which an external bind might fail. This leads to issues with Lightweight Directory Access Protocol (LDAP) queries and authentication.