LDAP Authentication
Hi there
I am attempting to authenticate users in a particular customer's Active Directory 2003 installation. I say particular, because under normal circumstances the code works perfectly, except in this particular customer environment it does not.
The Kerberos authentication occurs normally. The system correctly authenticates with the Kerberos KDC inside AD. The problem is that we are getting the following error when retrieving the LDAP attributes from the LDAP server inside AD:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 56, vece^
This happens when I attempt to create a DirContext ctx object as follows:
DirContext ctx = new InitialDirContext(env);
According to Microsoft, error 56 refers to an unknown authentication error. I have no idea why this is happening. Do you have any ideas on what might be the cause? Is there a preferred way to debug an unknown AD LDAP authentication error?
The following exception is thrown.
ERROR Jan/23 14:37:09 - error occured while retrieving LDAP attributes during user login. Cause:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 56, vece^@]
Other information: The machine is running on an entirely different network to the DC network. In fact, the machine is running at an ISP site, but has TCP/IP connectivity to the DC. Both ports 88 and 389 are open. Would this be causing the error? Any ideas on how to fix this?
Your suggestions are much appreciated.
Much appreciated,
Jamie
// Imports this method needs (they belong at the top of the enclosing class's source file).
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/*
 * Binds to AD with the supplied JNDI environment and returns every attribute of the
 * entries matched by 'filter' below the domain's base DN.
 * 'filter' must already be a valid RFC 4515 filter with the username escaped; if the
 * username is interpolated into it unescaped, a user-chosen name can rewrite the query
 * (LDAP injection).
 */
private ArrayList<AttributeValue> getLDAPAttributes(Hashtable<String, String> env, String filter) {
    // Normalise the configured server address to an ldap:// URL. Note that this value is
    // not used below: the context connects to whatever the caller put in env under
    // Context.PROVIDER_URL.
    String ldapAddress = identity.getLDAPAddress();
    if (!ldapAddress.toLowerCase(Locale.ENGLISH).startsWith("ldap://")) {
        ldapAddress = "ldap://" + ldapAddress;
    }
    ArrayList<AttributeValue> attributeValues = new ArrayList<AttributeValue>();
    DirContext ctx = null;
    try {
        /* Create the initial context. The bind happens here, and this is where the
           AuthenticationException (LDAP result 49) is raised. */
        ctx = new InitialDirContext(env);

        /* Specify search constraints: search the whole subtree below the domain DN. */
        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // To fetch only the attributes listed in ADIdentity.ATTRIBUTES, re-enable this:
        //constraints.setReturningAttributes((String[]) ADIdentity.ATTRIBUTES.toArray(new String[ADIdentity.ATTRIBUTES.size()]));

        // Look for the user whose sAMAccountName matches the username (carried in 'filter').
        String baseDN = convertDomainToDN(domain);
        logger.debug("search for ldap attributes {domain='" + baseDN + "',filter='" + filter + "'}");
        NamingEnumeration<SearchResult> results = null;
        try {
            results = ctx.search(baseDN, filter, constraints);
        } catch (PartialResultException pre) {
            // Searching the domain root makes AD return referrals; without
            // Context.REFERRAL="follow" JNDI reports them as PartialResultException,
            // which is deliberately ignored here.
        }
        while (results != null && results.hasMore()) {
            SearchResult si = results.next();
            logger.debug("retrieving LDAP attributes {name='" + si.getName() + "'}");
            Attributes attrs = si.getAttributes();
            if (attrs == null) {
                logger.debug("no attributes found");
            } else {
                /* Collect every value of every attribute. Debug-logging raw directory
                   attributes can write sensitive data to the log file. */
                for (NamingEnumeration<? extends Attribute> ae = attrs.getAll(); ae.hasMore();) {
                    Attribute attr = ae.next();
                    String attrId = attr.getID();
                    for (NamingEnumeration<?> vals = attr.getAll(); vals.hasMore();) {
                        String value = vals.next().toString();
                        logger.debug("LDAP attribute: " + attrId + " = " + value);
                        attributeValues.add(new AttributeValue(attrId, value));
                    }
                }
            }
        }
    } catch (PartialResultException pre) {
        // hasMore() can surface the trailing referral as a PartialResultException as well;
        // treat it as end-of-results rather than as a failure.
    } catch (Exception e) {
        logger.error("error occured while retrieving LDAP attributes during user login. Cause:", e);
    } finally {
        // Always release the connection, including when a referral exception ends the loop
        // early (the original code skipped ctx.close() in that case).
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException ignored) {
            }
        }
    }
    return attributeValues;
}
} // closing brace of the enclosing class (its other members are not shown)
DEBUG Jan/23 14:37:08 - authenticate: active directory authentication enabled
DEBUG Jan/23 14:37:08 - authenticating user to web console using active directory {username='testaccount@thefuelgroup.com'}
DEBUG Jan/23 14:37:09 - retrieving attributes from LDAP using Kereberos token {ldapAddress='ldap://test.company.com:389', domain='DC=COMPANY,DC=COM', filter='(&(sAMAccountName=testaccount)(objectClass=user))'
ERROR Jan/23 14:37:09 - error occured while retrieving LDAP attributes during user login. Cause:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 56, vece^@]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
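Decoding the diagnostic string is the first step when debugging an AD bind failure like the one above. The following is an added example, written for this page and not part of Jamie's post or code: a Python parser for the JNDI/AD message that splits out the LDAP result code, the HRESULT, the DSID and the "data" sub-code, and maps the sub-code to its documented meaning. Two details matter for the message in the log. First, a result 49 (invalidCredentials) is a bind response sent by the DC over an established LDAP connection, so its arrival shows that TCP 389 was reachable and the rejection came from the DC's security layer (8009030C is SEC_E_LOGON_DENIED). Second, the "data" value is hexadecimal: 56 is Win32 error 86, ERROR_INVALID_PASSWORD ("The specified network password is not correct"), alongside the better-known sub-codes such as 52e (ERROR_LOGON_FAILURE) and 525 (ERROR_NO_SUCH_USER). The sample message embedded in the block is copied from the log above; the tables hold documented LDAP/Win32 values, and the wording of the triage hints is mine.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the diagnostic string from the post, exactly as it appears in the log
# (the trailing "^@" is how the log rendered the NUL byte the DC appends).
SAMPLE_FROM_LOG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: "
                   "LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 56, vece^@]")

# LDAP result codes (RFC 4511) that commonly reach a JNDI client.
LDAP_RESULT_CODES = {
    0: "success", 32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}

# HRESULTs AD puts after the result code for bind failures.
HRESULTS = {0x8009030C: "SEC_E_LOGON_DENIED", 0x80090308: "SEC_E_INVALID_TOKEN"}

# For result 49, AD appends "data <hex>": the Win32 error that AcceptSecurityContext returned.
# Keys are the documented Win32 error codes; values are (symbolic name, meaning).
WIN32_BIND_ERRORS = {
    0x56:  ("ERROR_INVALID_PASSWORD", "the specified network password is not correct"),
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "unknown user name or bad password"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "logon not permitted from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}


class LdapDiag(NamedTuple):
    result_code: int
    result_name: str
    hresult: Optional[int]        # e.g. 0x8009030C
    hresult_name: Optional[str]
    dsid: Optional[str]
    comment: Optional[str]
    data: Optional[int]           # "data 56" -> 0x56 == 86, a decimal Win32 error number
    win32_name: Optional[str]
    meaning: str


# The optional group only matches the AD bind-failure layout ("LdapErr: DSID-..., comment: ..., data ...");
# other layouts (e.g. "NameErr: ... problem 2001 (NO_OBJECT)") still yield the result code.
_DIAG = re.compile(
    r"\[LDAP: error code (?P<rc>\d+)"
    r"(?: - (?P<hres>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,\]]+), data (?P<data>[0-9A-Fa-f]+))?"
)


def parse_ldap_diagnostic(message: str) -> LdapDiag:
    """Decode a JNDI/AD diagnostic string into its fields plus a human-readable meaning."""
    # Drop the NUL terminator whether it arrived as a raw byte or as the "^@" rendering.
    message = message.replace("\x00", "").replace("^@", "")
    m = _DIAG.search(message)
    if not m:
        raise ValueError("no LDAP diagnostic found in: %r" % message)
    rc = int(m.group("rc"))
    rc_name = LDAP_RESULT_CODES.get(rc, "unknown")
    hres = int(m.group("hres"), 16) if m.group("hres") else None
    data = int(m.group("data"), 16) if m.group("data") else None
    win32_name = None
    if rc != 49:
        meaning = "LDAP result %d (%s); the bind itself was not rejected" % (rc, rc_name)
    elif data is None:
        meaning = "invalidCredentials with no AD sub-code; inspect the server's diagnostic message"
    elif data in WIN32_BIND_ERRORS:
        win32_name, text = WIN32_BIND_ERRORS[data]
        meaning = "%s (Win32 error %d): %s" % (win32_name, data, text)
    else:
        meaning = ("unrecognised sub-code 0x%X (Win32 error %d); look it up in the Win32 "
                   "system error code list" % (data, data))
    return LdapDiag(rc, rc_name, hres, HRESULTS.get(hres) if hres else None,
                    m.group("dsid"), m.group("comment"), data, win32_name, meaning)


def triage(message: str) -> str:
    """One-line hint for the on-call engineer, derived from the parsed diagnostic."""
    d = parse_ldap_diagnostic(message)
    if d.result_code == 49:
        # A 49 is the DC's answer to the bind, so the LDAP port was reachable; the
        # problem is the credentials or the principal, not network connectivity.
        return ("DC reached and bind rejected: %s. Check the bind principal and password "
                "passed in the JNDI environment, not reachability of ports 88/389." % d.meaning)
    return "Non-authentication failure: %s" % d.meaning


if __name__ == "__main__":
    print(parse_ldap_diagnostic(SAMPLE_FROM_LOG))
    print(triage(SAMPLE_FROM_LOG))
```

In the Java code, the same decoding can be applied to `e.getMessage()` in the `catch (Exception e)` block so the log carries the decoded reason instead of only the raw string.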