Active IQ Unified Manager Discussions

Problem authenticating against AD

f_duranti
7,980 Views

Hi, I'm doing some tests and I get a problem authenticating users against Active Directory. Using sAMAccountName (the default) the ldap query always fail (user and password are correct).

If i change and use userPrincipalName (but I should put also @domainname after the username) the authentication goes well and work correctly.

Anyone with the same problem or know how to solve it? The AD domain is 2003.

2012-01-20 19:39:13,143 CET ERROR [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-3) Failed to find user 'fduranti' using LDAP servers:

* ldap://itnaddc01.q8int.com - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

* ldap://itdrsdc01.q8int.com - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

com.netapp.wfa.ldap.LdapException: Failed to find user 'fduranti' using LDAP servers:

* ldap://itnaddc01.q8int.com - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

* ldap://itdrsdc01.q8int.com - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

    at com.netapp.wfa.ldap.LdapWrapper.findUserInLdap(LdapWrapper.java:103)

    at com.netapp.wfa.ldap.LdapLoginModule.validatePassword(LdapLoginModule.java:68)

    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:249)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

    at java.lang.reflect.Method.invoke(Method.java:597)

    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)

    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)

    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)

    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)

    at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)

    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)

    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:383)

    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

    at java.lang.Thread.run(Thread.java:619)

2012-01-20 19:39:13,143 CET DEBUG [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-3) Bad password for username=fduranti

1 ACCEPTED SOLUTION

yakobi
7,980 Views

Hi Francesco,

The behavior of WFA's support for LDAP/AD authentication depends on the value of "user principal name attribute":

  • sAMAccountName - the user is required to provide the DC in addition to the user name as "domain\username".
  • userPrincipalName - in many cases, this means the user is required to provide his email.

WFA doesn't currently allow you to provide default DC/domain-name.

Hope this helps,

M.

View solution in original post

3 REPLIES 3

yakobi
7,981 Views

Hi Francesco,

The behavior of WFA's support for LDAP/AD authentication depends on the value of "user principal name attribute":

  • sAMAccountName - the user is required to provide the DC in addition to the user name as "domain\username".
  • userPrincipalName - in many cases, this means the user is required to provide his email.

WFA doesn't currently allow you to provide default DC/domain-name.

Hope this helps,

M.

f_duranti
7,980 Views

Thanks, tomorrow I'll do some checks (probably the Domain\username) is simpler for our users

Francesco

f_duranti
7,980 Views

It's working correctly, my fault was that in the samaccountname there's only the username so i was not putting "domain\".

Thanks

Francesco

Public