I get this error code:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece ]
And I have no idea why...
One month ago, the code worked fine. Nothing has changed (this means... the customer says nothing has changed...).
The user is valid and active, the password is not expired. The certificate is also valid.
I tried the CN name and the lala@lala.de name.
What else can I check?
When a customer says "nothing has changed", assume they're lying.
The user name in your application is not valid.
Here is a list of Active Directory errors:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
If the user is indeed valid and they can logon interactively, perhaps their userPrincipalName (alberte@antipodes.com) or samAccountName (ANTIPODES\alberte) has not changed but their distinguished name has changed as a result of a rename or move operation. E.g. from cn=Albert Einstein,ou=Research,dc=antipodes,dc=com to cn=Albert Einstein,OU=Scientists,dc=antipodes,dc=com.
What format of the user logon name are you using in your application?
Just to add a little more to adler_steven's excellent info (including some of the info adler_steven posted on http://forum.java.sun.com/thread.jspa?forumID=51&threadID=658510), I include below a little more detail I "discovered" after experimenting with a Windows 2000 domain controller.
Common Active Directory LDAP bind errors:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT
NOTE: Returns even if invalid password is presented.
I found out that for some users the full user name (like "cn=Albert Einstein,OU=Scientists,dc=antipodes,dc=com") should be provided, otherwise you'll get the 525 error message (unknown user).
For some users it works fine with short names...
Looks like it is Active Directory configuration.
It would be great to know what should be changed in Active Directory to get short user names working :))
Nothing is required in Active Directory to get short names to work.
If a short name does not appear to be working, check the user's samAccountName attribute to see if it is the same as what you are using in your code.
It is always possible that the user object was not created by the Active Directory Users & Computers snap-in, but by another provisioning tool or by another application, and the value may not be what you expect.
Also note that with Windows Server 2003, if the user is created but without a value specified for the samAccountName attribute (which btw is a mandatory attribute), then a random name will be generated automagically.
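The check suggested above (does the sAMAccountName in the directory match what the code sends, and has the distinguishedName moved?) can be scripted with a service account rather than done by hand. The following is an added example written for this thread, not code posted by any participant: it binds with a service account, searches for the user by sAMAccountName, prints the current DN, and decodes the userAccountControl, pwdLastSet and accountExpires values quoted in the error table earlier in the thread. The host, base DN, bind DN and password in main() are placeholders. The filter value is escaped per RFC 4515 so that a user-supplied name cannot alter the filter.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Looks up an AD user by sAMAccountName and reports the attributes behind the 5xx/7xx bind errors. */
public class AdAccountCheck {
    // userAccountControl bits named in the error table
    static final long ACCOUNTDISABLE   = 0x00000002L;
    static final long LOCKOUT          = 0x00000010L;
    static final long PASSWORD_EXPIRED = 0x00800000L;

    /** Decodes the userAccountControl bitmask into the flag names used in the table. */
    static String decodeUac(long uac) {
        StringBuilder sb = new StringBuilder();
        if ((uac & ACCOUNTDISABLE) != 0)   sb.append(" ACCOUNTDISABLE");
        if ((uac & LOCKOUT) != 0)          sb.append(" LOCKOUT");
        if ((uac & PASSWORD_EXPIRED) != 0) sb.append(" PASSWORD_EXPIRED");
        return sb.length() == 0 ? "(no blocking flags set)" : sb.toString().trim();
    }

    /** Escapes the characters RFC 4515 reserves inside an LDAP filter value. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the first value of an attribute as a string, or null when the attribute is absent. */
    static String value(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : String.valueOf(a.get());
    }

    static void lookup(String url, String baseDn, String bindDn, char[] bindPassword, String sam) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);          // service account, not the end user
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);  // char[] is accepted by the LDAP provider

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {
                "distinguishedName", "userAccountControl", "pwdLastSet", "accountExpires"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sam) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, ctls);
            if (!results.hasMore()) {
                // No such sAMAccountName: a bind with this short name would come back as data 525.
                System.out.println("no user object with sAMAccountName=" + sam);
                return;
            }
            Attributes attrs = results.next().getAttributes();
            System.out.println("distinguishedName: " + value(attrs, "distinguishedName"));
            String uac = value(attrs, "userAccountControl");
            System.out.println("userAccountControl: " + uac + " -> " + decodeUac(uac == null ? 0 : Long.parseLong(uac)));
            String pwdLastSet = value(attrs, "pwdLastSet");
            System.out.println("pwdLastSet: " + pwdLastSet + ("0".equals(pwdLastSet) ? " (must change password, data 773)" : ""));
            String expires = value(attrs, "accountExpires");
            boolean neverExpires = expires == null || "0".equals(expires) || "9223372036854775807".equals(expires);
            System.out.println("accountExpires: " + expires + (neverExpires ? " (never expires)" : ""));
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder connection details; substitute your own.
        lookup("ldap://dc.example.com:389", "dc=example,dc=com",
               "cn=svc-ldap,ou=Service Accounts,dc=example,dc=com", "change-me".toCharArray(), "alberte");
    }
}
```

If the printed distinguishedName differs from the DN hard-coded in the application, the object was moved or renamed, which is the case described earlier in the thread; binding with the userPrincipalName or with sAMAccountName@domain instead of the DN avoids that dependency.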
It might also be caused by user rights in AD. Without knowing how to set this up in AD, I've noticed that my own user does not have sufficient rights to perform a search in AD, but the bind user we use for our portal/app-server environment has the necessary rights.
I got around this problem by using a tip I found elsewhere on the internet.
Replace the standard DN (e.g. cn=User Name,OU=Users,dc=richpeople,dc=com) with sAMAccountName@richpeople.com (where sAMAccountName is, erm, well, the sAMAccountName for the user).
While connecting to the AD I need to check whether the user exists and whether his password is correct or not. In the catch block I am not able to match it against the error message.
How to get the exact error message from the Exception?
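The sub-code that distinguishes "user not found" from "bad password" is only available as text inside the exception message, so it has to be parsed out. The following is an added example written for this thread, not code from any participant: it performs a simple bind with JNDI, catches javax.naming.AuthenticationException, extracts the hexadecimal "data" token from getMessage() with a regular expression, and maps it to the error table posted earlier. The server URL and principal in main() are placeholders; the parser itself is exercised offline against the exact message from the first post. Java 9 or later is assumed for Map.of.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Turns an AD "error code 49" bind failure into the specific AcceptSecurityContext sub-code. */
public class AdBindDiagnostics {

    /** AcceptSecurityContext "data" sub-codes as listed in the error table in this thread. */
    static final Map<String, String> DATA_CODES = Map.of(
        "525", "user not found - ERROR_NO_SUCH_USER",
        "52e", "invalid credentials - ERROR_LOGON_FAILURE",
        "530", "not permitted to logon at this time - ERROR_INVALID_LOGON_HOURS",
        "531", "not permitted to logon from this workstation - ERROR_INVALID_WORKSTATION",
        "532", "password expired - ERROR_PASSWORD_EXPIRED",
        "533", "account disabled - ERROR_ACCOUNT_DISABLED",
        "701", "account expired - ERROR_ACCOUNT_EXPIRED",
        "773", "user must reset password - ERROR_PASSWORD_MUST_CHANGE",
        "775", "account locked out - ERROR_ACCOUNT_LOCKED_OUT");

    /** Matches "data 52e," in "... comment: AcceptSecurityContext error, data 52e, v893 ]". */
    static final Pattern DATA_TOKEN =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+),");

    /** Returns the hex sub-code from an AD bind failure message, or null when the message
     *  has none (a non-AD server typically reports only "Invalid Credentials"). */
    static String extractDataCode(String message) {
        if (message == null) return null;
        Matcher m = DATA_TOKEN.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    static String describe(String dataCode) {
        if (dataCode == null) return "error code 49 without an AD sub-code";
        return DATA_CODES.getOrDefault(dataCode, "unrecognised sub-code " + dataCode);
    }

    /** Binds as the given principal and returns a diagnosis string intended for a server-side log. */
    static String diagnoseBind(String url, String principal, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);   // DN, or userPrincipalName such as user@domain
        env.put(Context.SECURITY_CREDENTIALS, password);  // char[] is accepted by the LDAP provider
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);             // the bind happens here
            return "bind succeeded for " + principal;
        } catch (AuthenticationException e) {
            // getMessage() carries the full "[LDAP: error code 49 - ...]" text quoted in the thread
            String code = extractDataCode(e.getMessage());
            return "bind failed for " + principal + ": data " + code + " = " + describe(code);
        } catch (NamingException e) {
            return "bind failed for " + principal + " (not an authentication error): " + e.getExplanation();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Offline check of the parser against the message from the first post in the thread.
        String posted = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
                      + "comment: AcceptSecurityContext error, data 525, vece ]";
        String code = extractDataCode(posted);
        System.out.println("data " + code + " -> " + describe(code));   // data 525 -> user not found ...

        // Live check with placeholder values; replace with your own directory and account.
        // System.out.println(diagnoseBind("ldap://dc.example.com:389", "user@example.com", "change-me".toCharArray()));
    }
}
```

Keep the decoded sub-code in the application log and return a generic failure to the end user: 525 versus 52e reveals whether a user name exists, and the table above already notes that the directory itself deliberately reports 52e ahead of most other conditions once the password is wrong.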
Hi,
I'm trying to connect to an embedded LDAP server on WebLogic. I'm just trying to connect to the server and do a directory search using
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:7001");
// no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS are set, so this is an anonymous bind
DirContext dc = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> matchingEntries = dc.search("", "(objectclass=*)", ctls);
I'm able to connect to the embedded LDAP server through the ldap browser but not through the standalone java client code.
I'm getting [LDAP: error code 49 - Invalid Credentials]
Earlier it was connecting but now giving this error.
I am also having the same issue. When the user was created initially it was working fine, but when the user is deleted and then created again, I am getting the error while I am checking the SSO process with the ADS 2000 server.
Hello:
I am from China. I see your blog, but I don't know what the DN info 'cn, ou, o, c' means.
Can you tell me? Thank you! My email is: lijianan789@163.com
for example:
//****************Please modify the following three properties accordingly ***********
String ldapHost= "ldap://cliang1.austin.ibm.com:389"; //ldap host + port number
String DN = "cn=user1, ou=Austin,o=ibm,c=us"; // DN to be authenticated
String password = "security"; // DN's password
//*************** End of user information
It is not a good idea to post your e-mail address on a public forum. Spammers might harvest it.
And things should be discussed here, not in private correspondence, anyway.
Welcome to the forum fly99999. Please don't post in threads that are long dead. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem.