Acceptsecuritycontext error data 52e v4563

When set the LDAP information , got this error.

500: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563): ou=TNC Users,dc=TNC,dc=com

Screenshots

EspoCRM version
6.1.7

Additional context
The credentials is worked in another software.

The text was updated successfully, but these errors were encountered:

We tested recently and it worked. Please try to debug. If you find the reason that it’s a problem in Espo please let us know.

I got this error again in LOG:
ERROR: (49) 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563): ou=TNC Users,dc=TNC,dc=com; POST /Settings/action/testLdapConnection; line: 990, file: /opt/lampp/htdocs/vendor/laminas/laminas-ldap/src/Ldap.php [] []

Dear yurikuzn
I can’t solve my problem and i could not find where was it. The other softwares in my local network is worked with this setting.
I’ll be thankful if you guide me.

I’m not competent here. Have never configured LDAP.

Please let me know what LDAP server do you use?

Windows Active Directory Service 2019

Thanks. We will check this.

We have the same problem and get the same error message as farhadlavaei.

EspoCRM version 6.1.9
Windows Server 2019 Datacenter Edition (x64).

Using ldapsearch, our administrator was able to successfully connect to the LDAP server and read groups and members. Therefore, our guess is that something is not right with EspoCRM.

This error was deeply tested and found that it’s not the bug. The problem is related with the wrong Account Canonical Form option. For more details, see https://github.com/espocrm/documentation/blob/master/docs/administration/ldap-authorization.md#troubleshooting.
Please check this and let me know if the solution works for you.

The LDAP connection now works for us, but it had to be set up somewhat differently than described under «Troubleshooting».

In the first step we changed «Account Canonical Form» from «Dn» to «Principal» and at the same time «Full User DN» to «espocrm@domain.zz», as recommended. The other settings remained unchanged. We were then able to successfully set up a test connection to the LDAP server.

However, no user could log in (wrong username/password, error 0x0). We then tried different combinations: After we changed «Username Attribute» to Username «sAMAccountName» and at the same time «Account Canonical Form» from «Principal» to sAMAccountName «Username», a successful login succeeded.

Surprisingly, the test connection continues to work even though «Account Canonical Form» is no longer set to «Principal». We therefore assume that the change of the «Full User DN» was sufficient to enable the connection to the LDAP server.

By the way, the user gets an error at the first login (Server side error 500: User must be fetched before ACL check), but is created in EspoCRM. After the second login, the login works as expected and the user can successfully log in to EspoCRM.

In any case, thanks for the support!

It is great that this solution works for you.

Do you mean that the correct settings for you are:

• Username Attribute is sAMAccountName .
• Account Canonical Form is Username .
  Correct?

I’m sure when the Username Attribute is sAMAccountName , the Account Canonical Form can be Principal or Username .

We will investigate the second error at the first login.

That’s right, I had it mixed up above. We have the following working settings:

Username Attributes is sAMAccountName
Account Canonical Form is Username

By the way, the user gets an error at the first login (Server side error 500: User must be fetched before ACL check), but is created in EspoCRM. After the second login, the login works as expected and the user can successfully log in to EspoCRM.

I can confirm this issue as well on a fresh install of 6.1.9. The user is created from ldap but not logged in. Instead that error is shown. If they simply login again it works fine.

Thanks for your confirmation.
We are investigating this problem.

By the way, the user gets an error at the first login (Server side error 500: User must be fetched before ACL check), but is created in EspoCRM. After the second login, the login works as expected and the user can successfully log in to EspoCRM.

I can confirm this issue as well on a fresh install of 6.1.9. The user is created from ldap but not logged in. Instead that error is shown. If they simply login again it works fine.

Apologies, I realize I didn’t include the error from the log in case it’s useful.

[2021-09-29 16:15:32] ERROR: (500) User must be fetched before ACL check.; GET /App/user; line: 119, file: /var/www/html/application/Espo/Core/Acl/Table.php [] []

The problem for the first time login is fixed in EspoCRM v7.0.0.
Thanks everyone for helping.

© 2023 GitHub, Inc.

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Asked by:

Question

We are developing a LDAP authentication against Active Directory, we met the follow errors, although the username and password are correct.

LDAP: error code 49 — 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

The user detail is: CN=Peter, Lia ,OU=DEV,OU=HK_U,OU=cita,OU=US,DC=achtest,DC=local

As you may saw, the last name of this user has a backslash, plus a space in CN, we guess it may be the problem, since other users don’t have this problem if the last name of users don’t have a backslash and a space.

However we don’t know how we can add a new user to duplicate this issue, since it’s not way to add a new user with space in the end of name, the Active Directory will auto trim the space when system save the new user to database.

My questions are:

1. Do you have this kind of experience? Any idea to resolve?

2. How we can add a new user with a space in the end of last name? and then we can replicate this issue again?

Источник

OTRS.ru

Русскоязычное сообщество OTRS Helpdesk и OTRS ITSM

• Темы без ответов
• Активные темы
• Поиск
• Наша команда

Ошибки авторизации в AD

Модератор: ykolesnikov

Сообщение justbox » 16 окт 2012, 23:55

Re: Ошибки авторизации в AD

Сообщение justbox » 16 окт 2012, 23:55

Мне нужна АД авторизация только для клиентов, агенты будут статичны.Где я допустил ошибки ?

Заранее благодарен за помощь.

Ubuntu Server
OTRS 3.1.3

Сообщение justbox » 17 окт 2012, 11:01

Сообщение justbox » 19 окт 2012, 14:21

Сообщение ykolesnikov » 19 окт 2012, 14:37

Сообщение justbox » 19 окт 2012, 17:54

Сообщение justbox » 19 окт 2012, 17:56

Сообщение justbox » 22 окт 2012, 16:05

Добавил строки , добавил агентов в группу безопасности OTRS_Agents , авторизация не проходит =( что я не так делаю , кустомеров через ад пускает.

Сообщение Romano » 22 окт 2012, 18:23

В этом поле я указывал ‘ OU=DIT,OU=Domain Users,DC=domen,DC=local‘ — т.е. разрешил заходить в юзерский интерфейс всем участникам АУшки ДИТ — это коллеги моего ИТ департамента.

А вообще то, как я считаю, самым простым и правильным вариантом было бы указать ‘ DC=domen,DC=local‘ или, например ‘ OU=Domain Users,DC=domen,DC=local‘ — чтобы логинится могли все юзеры, которые заведены в домене(если такой вариант устраивает). И получается, что не надо создавать никакой доп группы в АДшке и добавлять в неё юзерей. Вообщем все зависит от ваших требований.

Источник

Jira Active Directory sync problems 57

After the latest update ( 8.22.3) I’ve been experiencing problems with LDAP/AD Sync.

I have two LDAP user directories in Jira*, one for «Users», one for «Customers» and both are synced from the same Domain Controller.
The User Directory settings in both have slight difference in OU structure and group memberships but are otherwise identical.
This problem only manifests in the «Customer» directory while «Users» directory sync works flawlessly, and I stress this, with the same service account used in syncing.

Error message from the logs:

2022-06-07 04:58:07,094+0000 Caesium-1-2 ERROR ServiceRunner [c.a.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10100 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 — 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 57, v4563^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 — 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 57, v4563^@]

(data 57 seems to be undocumented/reserved in LDAP wiki.)

This problem persists until I start to fiddle with the User Directory configs, this can take from couple of minutes to couple of hours, mainly changing account used to sync and suddenly it starts working again with the original account.

Problem can occur in Jira while Jira Service Management is unaffected and vice versa.

Problem also reoccurs after a day or two.

Account is and have been active this whole time and is used in the user directory sync without fail.

I’m using the official docker images.

*This problem occurs in both Jira and Jira Service Management Data Center editions (not clustered).

Any ideas what causes this/how can I fix this?

Источник

Last updated on: March 10th, 2021

vScope supports both Discovery of and integration with the Active Directory. If something goes wrong you will be prompted with an error message that can give you a hint of the cause to the issue.

The error messages might look something like this:

INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1

Here is a list of common error codes that might show up:

Further reading

You can read more about integrating vScope with Active Directory on this Knowledge Base post.

Источник

The LDAP connection now works for us, but it had to be set up somewhat differently than described under «Troubleshooting».

In the first step we changed «Account Canonical Form» from «Dn» to «Principal» and at the same time «Full User DN» to «espocrm@domain.zz», as recommended. The other settings remained unchanged. We were then able to successfully set up a test connection to the LDAP server.

However, no user could log in (wrong username/password, error 0x0). We then tried different combinations: After we changed «Username Attribute» to Username «sAMAccountName» and at the same time «Account Canonical Form» from «Principal» to sAMAccountName «Username», a successful login succeeded.

Surprisingly, the test connection continues to work even though «Account Canonical Form» is no longer set to «Principal». We therefore assume that the change of the «Full User DN» was sufficient to enable the connection to the LDAP server.

By the way, the user gets an error at the first login (Server side error 500: User must be fetched before ACL check), but is created in EspoCRM. After the second login, the login works as expected and the user can successfully log in to EspoCRM.

In any case, thanks for the support!

Для
бизнеса

• По заинтересованным лицам

• IT-лидеры

• Независимые разработчики ПО

• Архитекторы корпоративных приложений

• По отраслям

• Истории успеха

• По вариантам использования

• Модернизация приложений

• Сокращение расходов на ПО

• Автоматизация внутренних процессов

Description
This article describes what debug log means when ‘fnbamd_ldap_parse_response-Error 49’ is checked and what is the solution to fix it.When the client accesses the LDAP Server via FortiGate , the error messages captured by FortiGate is showing as below, and cannot access to it normally.

fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)

Solution
In fnbamd debug logs, The error message is founded when tried to log on via the LDAP server.

[584] fnbamd_ldap_build_dn_search_req-base:’DC=itwea,dc=com’ filter:sAMAccountName=xxxxx
[1100] __fnbamd_ldap_dn_entry-Get DN ‘CN=XXX,CN=XXX,DC=XXX,DC=com’
[90] ldap_dn_list_add-added CN=XXX,CN=XXX,DC=XXX,DC=com
[52] ldap_dn_list_del_all-Del CN=XXX,CN=XXX,DC=XXX,DC=com
[2821] fnbamd_ldap_result-Result for ldap svr XXX.XXX.XXX.XXX is SUCCESS[1552] fnbamd_ldap_init-search filter is: sAMAccountName=XXX
[1561] fnbamd_ldap_init-search base is: DC=XXX,dc=com
[584] fnbamd_ldap_build_dn_search_req-base:’DC=XXX,dc=com’ filter:sAMAccountName=XXX
[1100] __fnbamd_ldap_dn_entry-Get DN ‘CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com’
[90] ldap_dn_list_add-added CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[429] fnbamd_ldap_build_userbind_req-Trying DN ‘ CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com ‘
[196] __ldap_build_bind_req-Binding to ‘ CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com’
[852] fnbamd_ldap_send-sending 123 bytes to XXX.XXX.XXX.XXX
[864] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[895] __fnbamd_ldap_read-Read 8
[895] __fnbamd_ldap_read-Read 102
[1075] fnbamd_ldap_recv-Response len: 104, svr: XXX.XXX.XXX.XXX
[756] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to ‘User Binding’
[815] __ldap_rxtx-state 5(User Binding)
[425] fnbamd_ldap_build_userbind_req-No more DN left
[737] __ldap_error-
[726] __ldap_stop-svr ‘ad_server’
[52] ldap_dn_list_del_all-Del CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1824141631
[653] destroy_auth_session-delete session 1824141631

‘Fnbamd_ldap_parse_response-error 49” means Invaild credentials (49)’

LDAP Error Codes, LDAP Error Codes is an Result Code indicating something went wrong.
There are really LDAP Result Codes and a lot of them well Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49. 49 / 525

In summary, the error is not a problem with FortiGate, but an error message that occurred because the user’s account information registered in LDAP was incorrect.

Reference.
+ Account Information Confirmation Commands.

#dsquery user -name [admin full user name]
#dsquery user -samid [admin login name]
#check the admin password
# diagnose test authserver ldap [server name][user][password]

Problem

Users are unable to log in. Nothing has changed in JIRA side.

The following appears in the atlassian-jira.log:

2017-10-25 14:13:07,009 ERROR [scheduler_Worker-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 31064065 ].
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:847)

...

Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]

Cause

LDAP Error 49 data 52e means that the credentials of the user configured to bind LDAP directory with JIRA are incorrect, as described here: https://confluence.atlassian.com/kb/common-user-management-errors-820119309.html#CommonUserManagementErrors-ActiveDirectoryError49

This can happen when that user is either removed or has its password changed from LDAP side.

Resolution 1

Follow the steps outlined at Restore Passwords To Recover Admin User Rights. By doing so, you’ll be able to access the User Directory settings and change the «Username» field with a valid admin user or change the «Password» field with the new password, allowing JIRA to connect to LDAP.

As an alternative to Recovery Mode, you could utilize auth_fallback by following the guide: Bypass SAML authentication for Jira Data Center 

Resolution 2

Alternatively, you can run the following query against your database to find out which one is the admin account that JIRA uses to connect to the LDAP:

SELECT * FROM cwd_directory_attribute WHERE attribute_name = 'ldap.userdn'; 

Note: The query may return multiple results in case you have more than one User Directory in your JIRA instance.

Re-adding the user back to the LDAP with the same password should resolve the issue.

Resolution 3

As JIRA storing LDAP Login credential in the database without encryption, you may also update those LDAP credential in your database:

lDAP Password Field

Select * from cwd_directory_attribute where attribute_name = 'ldap.password'

LDAP User Name Field

SELECT * FROM cwd_directory_attribute WHERE attribute_name = 'ldap.userdn';

 attribute_value is the fields which storing those data.

  Always perform a backup before you perform edit/update query in the database. It is also highly recommended for you to perform this in a test instance before proceeding with production instance.