LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
AuthenticationLdapAuthentication Problem Overview
> LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I know "52e" code is when username is valid, but password is invalid. I am using the same user name and password in my apache studio, I was able to establish the connection succesfully to LDAP.
Here is my java code
String userName = "*******";
String password = "********";
String base ="DC=PSLTESTDOMAIN,DC=LOCAL";
String dn = "cn=" + userName + "," + base;
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://******");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, dn);
env.put(Context.SECURITY_CREDENTIALS, password);
LDAPAuthenticationService ldap = new LDAPAuthenticationService();
// LdapContext ctx;
DirContext ctx = null;
try {
ctx = new InitialDirContext(env);
My error is on this line: ctx = new InitialDirContext(env);
I do not know what exactly is causing this error.
Authentication Solutions
Solution 1 - Authentication
data 52e - Returns when username is valid but password/credential is invalid.
You probably need something like
String dn = "cn=" + userName + "," + "CN=Users," + base;
Solution 2 - Authentication
For me the issue resolved when I set the principal section like this:
env.put(Context.SECURITY_PRINCIPAL, userId@domainWithoutProtocolAndPortNo);
Solution 3 - Authentication
52e 1326 ERROR_LOGON_FAILURE
Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
Solution 4 - Authentication
In my case I have to use something like <username>@<domain>
to successfully login.
sample_user@sample_domain
Solution 5 - Authentication
When you use Context.SECURITY_AUTHENTICATION as "simple", you need to supply the userPrincipalName attribute value (user@domain_base).
Solution 6 - Authentication
I had a similar issue when using AD on CAS , i.e. 52e error, In my case application accepts the Full Name when in the form of CN=
For example, if you had a user who's full name is Ross Butler and their login username is rbutler --you would normally put something like, cn=rbutler,ou=Users,dc=domain,dc=com but ours failed everytime. By changing this to cn=Ross Butler,ou=Users,dc=domain,dc=com it passed!!
Solution 7 - Authentication
For me the issue is resolved by adding domain name in user name as follow:
string userName="yourUserName";
string password="passowrd";
string hostName="LdapServerHostName";
string domain="yourDomain";
System.DirectoryServices.AuthenticationTypes option = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
string userNameWithDomain = string.Format("{0}@{1}",userName , domain);
DirectoryEntry directoryOU = new DirectoryEntry("LDAP://" + hostName, userNameWithDomain, password, option);
Solution 8 - Authentication
if you debug and loook at ctx=null,maybe your username hava proble ,you shoud write like "ac\administrator"(double "") or "administrator@ac"
Solution 9 - Authentication
LDAP is trying to authenticate with AD when sending a transaction to another server DB. This authentication fails because the user has recently changed her password, although this transaction was generated using the previous credentials. This authentication will keep failing until ... unless you change the transaction status to Complete or Cancel in which case LDAP will stop sending these transactions.
Solution 10 - Authentication
For me issue is resolved by changing envs like this:
env.put("LDAP_BASEDN", base)
env.put(Context.SECURITY_PRINCIPAL,"user@domain")
Solution 11 - Authentication
Using domain Name may solve the problem (get domain name using powershell: $env:userdomain):
Hashtable<String, Object> env = new Hashtable<String, Object>();
String principalName = "domainName\\userName";
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://URL:389/OU=ou-xx,DC=fr,DC=XXXXXX,DC=com");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principalName);
env.put(Context.SECURITY_CREDENTIALS, "Your Password");
try {
DirContext authContext = new InitialDirContext(env);
// user is authenticated
System.out.println("USER IS AUTHETICATED");
} catch (AuthenticationException ex) {
// Authentication failed
System.out.println("AUTH FAILED : " + ex);
} catch (NamingException ex) {
ex.printStackTrace();
}
Solution 12 - Authentication
For me the cause of the issue was that the format of username was incorrect. It was earlierly specified as "mydomain\user". I removed the domain part and the error was gone.
PS I was using ServerBind authentication.
Solution 13 - Authentication
I've tested three diferent approaches and them all worked:
env.put(Context.SECURITY_PRINCIPAL, "user");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_PRINCIPAL, "CN=user,OU=one,OU=two,DC=domain,DC=com");
If you use the last one, don't forget to set all the OU's where the user belongs to. Otherwise it won't work.
Solution 14 - Authentication
In my case I misconfigured email credentials then I corrected
var passport = require('passport'),
WindowsStrategy = require('passport-windowsauth'),
User = require('mongoose').model('User');
module.exports = function () {
passport.use(new WindowsStrategy({ldap: {
url: 'ldap://corp.company.com:389/DC=corp,DC=company,DC=com',
base: 'DC=corp,DC=company,DC=com',
bindDN: '[email protected]',
bindCredentials:'password',
tlsOptions: {
ca: [fs.readFileSync("./cert.pem")],
},
}, integrated: false},
function(profile, done) {
console.log('Windows');
console.log(profile);
User.findOrCreate({
username: profile.id
}, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false, {
message: 'Unknown user'
});
}
if (!user.authenticate(password)) {
return done(null, false, {
message: 'Invalid password'
});
}
return done(null, user);
});
}));
};