90

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I know the "52e" code means the username is valid but the password is invalid. I am using the same user name and password in Apache Studio, where I was able to establish the connection to LDAP successfully.

Here is my java code

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    String userName = "*******";
    String password = "********";
    String base = "DC=PSLTESTDOMAIN,DC=LOCAL";
    // bind DN built directly under the domain root
    String dn = "cn=" + userName + "," + base;
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://******");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, dn);
    env.put(Context.SECURITY_CREDENTIALS, password);
    LDAPAuthenticationService ldap = new LDAPAuthenticationService(); // the asker's own helper class, not shown
    // LdapContext ctx;
    DirContext ctx = null;
    try {
        ctx = new InitialDirContext(env); // the simple bind happens here
    } catch (NamingException e) {
        e.printStackTrace(); // error code 49 / data 52e surfaces here
    }

My error is on this line: ctx = new InitialDirContext(env);

I do not know what exactly is causing this error.

simbabque
anusha vannela

15 Answers

41

data 52e - Returns when username is valid but password/credential is invalid.

You probably need something like

    String dn = "cn=" + userName + "," + "CN=Users," + base;
jwilleke
    You should check out a better way to find users: https://bitbucket.org/jwilleke/examples/src/dba1d74d172f9a3f13fc375f6d17370b6da91adf/Examples-JNDI/src/com/willeke/samples/ldap/jndi/BasicAdminSearchBind.java?at=master – jwilleke Jul 15 '15 at 13:56
36

For me the issue resolved when I set the principal section like this:

    // userId and domainWithoutProtocolAndPortNo are String variables, e.g. "jdoe" and "corp.example.com"
    env.put(Context.SECURITY_PRINCIPAL, userId + "@" + domainWithoutProtocolAndPortNo);
Vishal
  • @sbmc7 You set this in the environment HashTable that you pass while instantiating javax.naming.ldap.InitialLdapContext i.e., context = new InitialLdapContext(env, null); Where env is a HashTable. – Vishal Mar 27 '17 at 21:43
  • Thanks for posting, tried all different combinations of CN, OU and DC I could think of, but this method is the only one that works for me! I used userID@DC1.DC2 – emily Mar 27 '18 at 20:52
  • yes, @Vishal, this worked for me too. I was scouring the internet was unlucky until I came across your answer. I really appreciate this. thanks – Artanis Zeratul Jul 31 '18 at 22:26
  • Worked for me as well. Can you please provide us with more explanation on why does it work? – user613114 Feb 07 '22 at 15:43
18

52e 1326 ERROR_LOGON_FAILURE Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

https://ldapwiki.com/wiki/Wiki.jsp?page=Common%20Active%20Directory%20Bind%20Errors

OzgurH
brcaak
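The lookup the answer above links to, as an added example (not code from the question or from any answer): a small parser for the AD diagnostic string that pulls out the `data` sub-code and maps it to its meaning, plus a counter over log lines so a defender can tell whether a run of failed binds is wrong passwords (52e) or account state (533, 775). The sample log lines are constructed; only 52e comes from this page, the other sub-codes are the standard Active Directory AcceptSecurityContext values.

```python
import re
from collections import Counter

# Sub-codes AD returns in the "data NNN" field of an error-49 (invalidCredentials)
# bind response; 52e is from the question, the others are the standard AD values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "username valid, password/credential invalid",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_ERROR = re.compile(
    r"error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-\w+, "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)"
)

def parse_ad_bind_error(message):
    """Return the parsed fields of an AD bind diagnostic, or None if not one."""
    m = _AD_ERROR.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return dict(code=int(m.group("code")), hresult=m.group("hresult"),
                comment=m.group("comment"), data=data,
                meaning=AD_BIND_SUBCODES.get(data, "unknown sub-code"))

def summarize_bind_failures(log_lines):
    """Count error-49 bind failures per sub-code (e.g. a run of 52e or 775)."""
    counts = Counter()
    for line in log_lines:
        err = parse_ad_bind_error(line)
        if err is not None and err["code"] == 49:
            counts[err["data"]] += 1
    return counts

# Constructed sample: the message from the question plus two made-up lines.
SAMPLE_LOG = [
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1",
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 775, v1db1",
    "LDAP: error code 32 - No Such Object",
]
```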
17

In my case I have to use something like <username>@<domain> to log in successfully.

sample_user@sample_domain

smonff
Linh Nguyen
14

When you use Context.SECURITY_AUTHENTICATION as "simple", you need to supply the userPrincipalName attribute value (user@domain_base).

MAW
7

I had a similar issue when using AD on CAS, i.e. the 52e error. In my case the application accepts the full name in the form of CN= instead of the actual username.

For example, if you had a user whose full name is Ross Butler and whose login username is rbutler, you would normally put something like cn=rbutler,ou=Users,dc=domain,dc=com, but ours failed every time. By changing this to cn=Ross Butler,ou=Users,dc=domain,dc=com it passed!!

Count
  • One way to visualize the syntax AD expects, is to use the 'Attribute Editor' tab, as explained in [this question](https://serverfault.com/questions/399000/active-directory-viewing-attribute-editor-after-finding-an-account-via-aducs). If you scroll down to 'cn', you may find an answer. – simonpa71 Nov 17 '20 at 19:13
3

For me the issue is resolved by adding the domain name to the user name as follows:

    using System.DirectoryServices;

    string userName = "yourUserName";
    string password = "password";
    string hostName = "LdapServerHostName";
    string domain = "yourDomain";
    System.DirectoryServices.AuthenticationTypes option = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
    // user@domain (UPN form) instead of the bare user name
    string userNameWithDomain = string.Format("{0}@{1}", userName, domain);
    DirectoryEntry directoryOU = new DirectoryEntry("LDAP://" + hostName, userNameWithDomain, password, option);
Mahsh Nikam
2

If you debug and look at ctx=null, maybe your username has a problem; you should write it like "ac\administrator" (double "\") or "administrator@ac".

HaoSi
2

For me the cause of the issue was that the format of the username was incorrect. It was earlier specified as "mydomain\user". I removed the domain part and the error was gone.

PS I was using ServerBind authentication.

2

I've tested three different approaches and they all worked:

    env.put(Context.SECURITY_PRINCIPAL, "user");
    env.put(Context.SECURITY_PRINCIPAL, "user@domain.com");
    env.put(Context.SECURITY_PRINCIPAL, "CN=user,OU=one,OU=two,DC=domain,DC=com");

If you use the last one, don't forget to set all the OUs the user belongs to. Otherwise it won't work.

Sergio Gabari
1

LDAP is trying to authenticate with AD when sending a transaction to another server DB. This authentication fails because the user has recently changed her password, although this transaction was generated using the previous credentials. This authentication will keep failing until ... unless you change the transaction status to Complete or Cancel, in which case LDAP will stop sending these transactions.

Ebrahim
1

For me the issue is resolved by changing the envs like this:

    env.put("LDAP_BASEDN", base);
    env.put(Context.SECURITY_PRINCIPAL, "user@domain");
  • Welcome to SO! Please explain your solution a bit and edit your question accordingly. For more hints, see https://stackoverflow.com/help/how-to-ask – B--rian Aug 28 '19 at 08:14
1

Using the domain name may solve the problem (get the domain name using PowerShell: $env:userdomain):

    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    Hashtable<String, Object> env = new Hashtable<String, Object>();
    // down-level logon name: NetBIOS domain, backslash (escaped in Java source), user name
    String principalName = "domainName\\userName";
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://URL:389/OU=ou-xx,DC=fr,DC=XXXXXX,DC=com");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, principalName);
    env.put(Context.SECURITY_CREDENTIALS, "Your Password");

    try {
        DirContext authContext = new InitialDirContext(env);
        // user is authenticated
        System.out.println("USER IS AUTHENTICATED");
        authContext.close();
    } catch (AuthenticationException ex) {
        // Authentication failed
        System.out.println("AUTH FAILED : " + ex);
    } catch (NamingException ex) {
        ex.printStackTrace();
    }
Praveen Gopal
0

In my case I had misconfigured the email credentials, then I corrected them:

    var fs = require('fs'),
        passport = require('passport'),
        WindowsStrategy = require('passport-windowsauth'),
        User = require('mongoose').model('User');

    module.exports = function () {
        passport.use(new WindowsStrategy({ldap: {
            url:            'ldap://corp.company.com:389/DC=corp,DC=company,DC=com',
            base:           'DC=corp,DC=company,DC=com',
            bindDN:         'myid@corp.company.com',
            bindCredentials:'password',
            tlsOptions: {
                ca: [fs.readFileSync("./cert.pem")],
            },
        }, integrated: false},
        // The strategy has already verified the submitted credentials against the
        // directory by the time this runs; the callback receives the LDAP profile only.
        function(profile, done) {
            console.log('Windows');
            console.log(profile);
            User.findOrCreate({
                username: profile.id
            }, function(err, user) {
                if (err) {
                    return done(err);
                }

                if (!user) {
                    return done(null, false, {
                        message: 'Unknown user'
                    });
                }

                return done(null, user);
            });
        }));
    };
KARTHIKEYAN.A
-1

Please remove the domain from the username "mydomain\user". Please put "user" only; do not put the domain and backslash.

Do not use ldaps://examplehost:8080 (do not use the s in ldaps because a cert is required); use ldap://examplehost:8080 with the non-TLS port number. It worked for me.

Kumaresan Perumal