
Authenticating against Active Directory 2016 from Java (web applications)

I have set up an AD 2016 installation. Now I intend to use it for authentication of web applications (Java). I have a piece of code for testing authentication and have some observations.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapContextCreation {

    public static void main(String[] args) {
        String userid = "userhere", password = "passwordhere";
        LdapContextCreation ldapContxCrtn = new LdapContextCreation();
        LdapContext ctx = ldapContxCrtn.getLdapContext(userid, password);
        if (ctx == null) {
            System.out.println("Authentication Failed.");
        } else {
            System.out.println("Authentication Successful.");
        }
    }

    // Performs a simple bind over LDAPS with the supplied principal and password.
    // Returns the bound context, or null if the bind threw a NamingException.
    public LdapContext getLdapContext(String base, String password) {
        LdapContext ctx = null;
        try {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "Simple");
            env.put(Context.SECURITY_PRINCIPAL, base);
            env.put(Context.SECURITY_CREDENTIALS, password);
            env.put(Context.PROVIDER_URL, "ldaps://mydomaincontroller:636");
            ctx = new InitialLdapContext(env, null);
        } catch (NamingException nex) {
            // nex.printStackTrace();
        }
        return ctx;
    }
}

Now I tested the user/password combination in the following scenarios:

// First combination: user1 exists in AD and the password is correct (testing an authenticated bind).
String userid="user1@domain.com",password="user1password";
Expected: Authentication Successful. Actual: Authentication Successful. This is clear to me. For an incorrect password, it responds with the correct message: Authentication Failed.

// Second combination: user2 exists in AD but the password we attempt to send is empty (testing an unauthenticated bind).
String userid="user2@domain.com",password="";
Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? Can I control this in AD, or does it have to be handled in code?

// Third combination: user3 DOES NOT exist in AD (testing for a non-existent user).
String userid="user3@domain.com",password="somepassword";
Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? The user does not even exist. Is this an AD misconfiguration?

// Fourth combination: empty username and password (testing for an anonymous bind).
String userid="",password="";
Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? Can I control this in AD, or does it have to be handled in code?

What you're seeing is an "unauthenticated bind", detailed in LDAP RFC 4513 section 5.1.2, with a note regarding the subsequent security considerations in section 6.3.1.

It would be best to handle this in code (i.e. verify that username and password are both non-null prior to communicating with the directory server). A setting to disallow unauthenticated bind operations was added in Windows 2019 -- in your Configuration partition, open the properties of CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration -- find the msDS-Other-Settings attribute, and add a new entry DenyUnauthenticatedBind=1, but unless you are writing a one-off application that will only ever be used with the Active Directory you own, it's not a secure assumption that other Active Directories have been configured in this manner.
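The following is an added example of handling this in code, as the answer recommends; it is not code from the question or the answer. It wraps the same JNDI simple bind, but refuses to open a connection at all when the username or password is null or blank, so the second and fourth combinations from the question (empty password, empty username and password) are rejected locally instead of being sent to the directory as an unauthenticated or anonymous bind. The class name, the connect/read timeout values and the provider URL are assumptions; the `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout` property names are real JNDI LDAP provider properties.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example (hypothetical class, not from the original post).
 * Credentialed simple bind that never performs the RFC 4513 5.1.2
 * unauthenticated bind or an anonymous bind, regardless of how the
 * directory server is configured.
 */
public class GuardedLdapAuthenticator {

    private final String providerUrl;

    public GuardedLdapAuthenticator(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /**
     * Local guard, evaluated before any network I/O. Empty or blank
     * username/password would otherwise be interpreted by the LDAP server
     * as an anonymous or unauthenticated bind and reported as success.
     */
    public static boolean hasCredentials(String userId, String password) {
        return userId != null && !userId.trim().isEmpty()
            && password != null && !password.trim().isEmpty();
    }

    /**
     * Returns true only when the server accepts a bind with a non-empty
     * principal AND a non-empty password. Any failure (wrong password,
     * unknown user, TLS or connectivity problem) yields false.
     */
    public boolean authenticate(String userId, String password) {
        if (!hasCredentials(userId, password)) {
            return false; // rejected here: no connection is opened
        }

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);          // ldaps:// only, never ldap://
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userId);          // UPN, e.g. user1@domain.com
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Assumed timeout values (milliseconds) so a slow or unreachable DC
        // cannot hang the web request indefinitely.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);   // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            // Invalid credentials (LDAP result code 49): wrong password or
            // unknown user. Log the principal, never the password.
            return false;
        } catch (NamingException e) {
            // Connectivity, certificate or protocol error. Still a failed
            // login from the caller's point of view, but worth logging
            // separately from a bad password for monitoring.
            return false;
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();   // release the bound connection
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    public static void main(String[] args) {
        GuardedLdapAuthenticator auth =
            new GuardedLdapAuthenticator("ldaps://mydomaincontroller:636");

        // The question's second and fourth combinations are stopped by the
        // local guard, so no bind request ever reaches the domain controller.
        System.out.println("empty password  -> " + auth.authenticate("user2@domain.com", ""));
        System.out.println("empty both      -> " + auth.authenticate("", ""));
        System.out.println("blank password  -> " + auth.authenticate("user2@domain.com", "   "));

        // A real bind is attempted only when a username and password are supplied.
        if (args.length == 2) {
            System.out.println("live bind       -> " + auth.authenticate(args[0], args[1]));
        }
    }
}
```

The guard is deliberately a static, side-effect-free method so it can be unit-tested without a directory server; the live bind is the only part that needs the LDAPS endpoint. Keeping the bound context in a `finally` block and closing it matters in a web application, where a leaked context per login attempt becomes a connection-exhaustion problem on the domain controller.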
