Acceptsecuritycontext error data 775 v2580

Problem

JIRA integrated with Active Directory stops authenticating users after a while. The following appears in the atlassian-jira.log:

2017-03-30 13:25:13,161 scheduler_Worker-9 INFO [atlassian.crowd.directory.DbCachingRemoteDirectory] synchronisation for directory [ 3964929 ] starting
2017-03-30 13:25:13,163 scheduler_Worker-9 INFO [atlassian.crowd.directory.DbCachingRemoteDirectory] failed synchronisation complete for directory [ 3964929 ] in [ 2ms ]
2017-03-30 13:25:13,171 scheduler_Worker-9 ERROR [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 3964929 ].
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:847)
	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseChanges(UsnChangedCacheRefresher.java:80)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:993)
        ...
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
	at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
        ...
	... 20 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
        ....
	... 30 more

Confluence integrated with Active Directory stops authenticating and User directory Synchronization getting failed and following logs in the atlassian-confluence.log:

2020-10-27 14:08:44,183 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 57835521 ].
com.atlassian.crowd.exception.OperationFailedException: No highestCommittedUSN attribute found for AD root
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:700)
	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:148)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:978)
	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:67)

Cause

Active Directory Clustering is not supported by Crowd or Embedded Crowd. See 

CWD-2783
—
Getting issue details…
STATUS

.

Resolution 1

Resolution 2

Just change the Active User directory to switch from «Microsoft Active Directory» to «Generic Directory Server» and click on synchronize

Last updated on: March 10th, 2021

vScope supports both Discovery of and integration with the Active Directory. If something goes wrong you will be prompted with an error message that can give you a hint of the cause to the issue.

The error messages might look something like this:

INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1

Here is a list of common error codes that might show up:

Further reading

You can read more about integrating vScope with Active Directory on this Knowledge Base post.

Источник

client cannot connect to server nor bind #271

node v0.12.2
Ubuntu 14.04.2 LTS

var ldap = require(‘ldapjs’);

var client = ldap.createClient( <
url : ‘ldap://reg.corp.domain.com/:111’
>);

client.bind(‘userid@domain.com’, ‘password’, function (err) <
if (err)
console.log(err);
else <
console.log(‘binded’);
>
>);

The text was updated successfully, but these errors were encountered:

The error indicates that you were able, in fact, to connect to the remote server. You should check the credentials used and ensure the server allows simple binding.

I have done it in PHP and we also did it in python. Sorry my first time with nodejs.

If simple binding does not work then, is there any other way to do? Can you help me show simple code?

First I would suggest using the full DN of the user you’re binding with (instead of user@domain).

@pfmooney : For all PHP’s warts, I have yet to find a language that has better LDAP support.

In PHP, it is possible to bind using the user@domain string, which is actually necessary in certain cases. For example, if your LDAP server requires a login before searching, then you can’t just query the DN of the user who’s trying to login (unless you have a service account with a non-expiring that logins in beforehand).

In PHP’s implementation, this is possible, so it should certainly be possible here. Do you know what is needed? I am not familiar with the LDAP protocol, but would be willing to submit a PR if I can wrap my head around it.

@avindra Binding with user@domain is supported with ldapjs provided that the server to which you are connecting will accept that for authentication. Some require a full DN while others enable clients to use non-standard representations.

@pfmooney: user@domain works in the PHP implementation, but thanks to this comment on issue 33, I was able to login.

For reference, that’s logging in with domainuser , which works fine 👍

I am stuck at a point I cannot have an answer from anyone but you.

Let’s say we have two LDAP domains (hosted on two different servers): A and B
My user account is on domain A. If I query AD using my personal credentials, everything works like a charm (e-g Username: “hasan@A.com”, Password: “abdcdef”). I can query any user on my domain
However, with same credentials, when I try try to query domain B, I get the following error:
ERROR:

It makes sense why domain B would not authenticate a user from domain A BUT if I try to query domain B using powershell with same credentials, it works. Powershell runs under the security context of currently logged-in user too:

get-aduser username -server B.com

I am clueless why we cannot query across multiple domains to get user’s AD attributes whereas it works through powershell.

@hasanbaloch Please try posting some example code and maybe create a new issue that isn’t already closed.

© 2023 GitHub, Inc.

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник

LDAP Bug: [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C090400 #2490

[14:58:26] hello everyone. I am getting this erro:
[14:58:30] Error
[14:58:31] [ERROR] InvalidCredentialsError: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
[14:59:19] can someone check this and tell me if I did something wrong? : https://paste.ee/p/uuUDb
[14:59:33] The credentials are correct
[15:26:09] This is the error in my syslog: https://paste.ee/p/mJdtL

The text was updated successfully, but these errors were encountered:

The only thing is that 52e points to

Returned when a valid username is supplied but an invalid password/credential is supplied. If this error is received, it will prevent most other errors from being displayed.

got the same error although the credentials are 100% correct and verified.
some fields are duplicated.

which one is the correct password field?

You see current values with sudo snap get wekan | less

You see setting names with wekan.help | less

Unfortunately it’s possible to mistype setting name.

@xet7 thx for the fast response, the issue was the field ldap-user-authentication, you have to set this to false so it takes the defined credentials.

What LDAP server you use? I would think different LDAP servers have different settings.

Should default be true?

@xet7 we use Microsoft Active Directory on Windows Server 2012. The default is false, i thought this field means something else.
wekan.help provided the necessary documentation to find it out 🙂

So does Wekan work now? Is this issue fixed?

@xet7 my issue is fixed, Wekan works wonderful.

got the same error although the credentials are 100% correct and verified.
some fields are duplicated.

which one is the correct password field?

how to check ldap info inside wekan ? i mean how you get this list?
thanks

Hello,
I accessed the container by using
docker exec -it wekan-app bash
so where to use your mentioned command
wekan.help | less bash: wekan.help: command not found bash: less: command not found
thanks

look like,the error was because of double quotes (maybe signal quotes too) was the reason behind.
@xet7 @road42 @Dayflare

Can you add as comment your working config, anonymized?

Can you add as comment your working config, anonymized?

Hello, Actually i make change at docker-compose file.

I had the same issue.
Actually the defaults in the docker-compose.yml are missleading.
The quotes around

# The search user DN — You need quotes when you have spaces in parameters # 2 examples: LDAP_AUTHENTIFICATION_USERDN=»CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com»

are wrong — at least for me. I removed the quotes, although I had a space in the CN and it worked immediately.

I had the same issue.
Actually the defaults in the docker-compose.yml are missleading.
The quotes around

# The search user DN — You need quotes when you have spaces in parameters # 2 examples: LDAP_AUTHENTIFICATION_USERDN=»CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com»

are wrong — at least for me. I removed the quotes, although I had a space in the CN and it worked immediately.

Removing the quotes worked for me as well, thx!

Looks like we’re having a similar issue.

We had a user with an LDAP account that he wasn’t fond of, so we set him up with a new one — however he’d already logged into WeKan using BOTH the new and the old LDAP accounts. When we DELETED the old LDAP account, we see like. these little «ghost» members where his old account used to be as a member of the board.

Doesn’t seem to hurt anything, but we cannot seem to get that little ghost thing out of there, and I thought you might want to know that. 😛

Источник

OTRS.ru

Русскоязычное сообщество OTRS Helpdesk и OTRS ITSM

• Темы без ответов
• Активные темы
• Поиск
• Наша команда

Ошибки авторизации в AD

Модератор: ykolesnikov

Сообщение justbox » 16 окт 2012, 23:55

Re: Ошибки авторизации в AD

Сообщение justbox » 16 окт 2012, 23:55

Мне нужна АД авторизация только для клиентов, агенты будут статичны.Где я допустил ошибки ?

Заранее благодарен за помощь.

Ubuntu Server
OTRS 3.1.3

Сообщение justbox » 17 окт 2012, 11:01

Сообщение justbox » 19 окт 2012, 14:21

Сообщение ykolesnikov » 19 окт 2012, 14:37

Сообщение justbox » 19 окт 2012, 17:54

Сообщение justbox » 19 окт 2012, 17:56

Сообщение justbox » 22 окт 2012, 16:05

Добавил строки , добавил агентов в группу безопасности OTRS_Agents , авторизация не проходит =( что я не так делаю , кустомеров через ад пускает.

Сообщение Romano » 22 окт 2012, 18:23

В этом поле я указывал ‘ OU=DIT,OU=Domain Users,DC=domen,DC=local‘ — т.е. разрешил заходить в юзерский интерфейс всем участникам АУшки ДИТ — это коллеги моего ИТ департамента.

А вообще то, как я считаю, самым простым и правильным вариантом было бы указать ‘ DC=domen,DC=local‘ или, например ‘ OU=Domain Users,DC=domen,DC=local‘ — чтобы логинится могли все юзеры, которые заведены в домене(если такой вариант устраивает). И получается, что не надо создавать никакой доп группы в АДшке и добавлять в неё юзерей. Вообщем все зависит от ваших требований.

Источник

AD LDAP Configuration #44

Excellent looking plugin, however I am running into an error in the configuration. I’ve got it configured as follows:

I get the following error on Kibana startup:

I’m not well versed in the language but it looks like it isn’t happy with the path setting in config.json? I have not made any modifications to the users.json file as I’m unsure of what exactly its supposed to contain. I’ve currently got MFA set to disable as I just want to verify LDAP authentication is up and running.

The text was updated successfully, but these errors were encountered:

In JSON ‘#’ is not used to comment out a line, default is to not support comments in JSON files.
I know there is an extension that allows ‘//’ to be used for comments, but it’s not enabled.

Please remove ‘#’ from this:

If you use LDAP the users.json is used to store the two-factor secret when MFA is enabled.
If you don’t have MFA enabled, users.json is not used. It will be updated the first time
an user sets up their shared secret.

Thanks for submitting an issue.

Please update to 1.2.1 if you want to use LDAP and 2FA at the same time.

Just fixed an issue with the key setup.

Looks like removing the commented line resolved that particular issue. However, there appears to be another issue, though I’m unsure of whether its my config or the plugin. When starting Kibana, I get the following error:

Researching the error, specifically data 52e , indicates that I have an invalid password. I’ve verified I am using the correct password for the account and event reset the account password to the value I am using. The only entry in Kibana.log is

Maybe I am misunderstanding the config settings.

• Admin — The LDAP account that will be performing the query?
• Admin DN is in the form of ‘cn=useraccount,ou=ou1,dc=domain’?
• Admin Password is the admin DN account secret in plaintext?
• Search User-DN — This is user or ou containing users authorized to login? Using the same syntax as admin DN?
• Search Group-DN — This is a group authorized to login? Using the same syntax as admin DN?

Yes — except one thing, you don’t need to be in the «group dn» to be allowed to login, it will be used in the future to manage access to spaces/dashboards.

How is your password stored in the AD server? Hash algorithm?

I only tested it with a plaintext password. I’m going to do another test tomorrow.

What kind of AD server are you running? The plug-in is tested with Apache DS.

I’ve seen the warning too, should not affect the plug-in

Right I understood the difference on the memberships. This is on Microsoft Active Directory, I assume the password is stored as a hash but I am under the assumption that the LDAP query automatically performs the hashing operation.

I had already tested with plaintext and SHA256, it’s working as expected.

I tested setting the dn of the admin config to «cn=username,ou=system» and it didn’t work, nor with «sn=role,ou=system».

For some reason it’s only able to authenticate when i set it to «uid=username,ou=system». In the other cases it fails to authenticate because it cannot find the user entry.

Could you try with uid instead of cn? if you have it on your user entry. do you need dc and both level1 and level2? I don’t think using cn for the admin account is right, as it’s not guaranteed to be unique.

If you can’t get it working still, I’ll try and setup Microsoft Active Directory.

I have tried it using uid=accountname,ou=containingou,dc=domain,dc=tld for the admin dn with the secret in plaintext, still get the same error. I also tried using just uid=accountname and came up with the same error.

thanks alot for the info, I’ll try and reproduce it as soon as possible.

I’ve setup windows server 2019 with AD/LDAP in a hyper-v.

• using ldp.exe I am able to connect and bind with the admin username.
• using Apache Directory Studio I am able to connect but not bind.

LDAP: Error code 49, LdapErr: DSID-0c09041C comment: AcceptSecurityContext, data 52e, v4563.

Looks like the same error.

While testing this I realized that 52e is a wildly misleading error code, it’s defined as ‘invalid credentials’. But it appears if the bind DN is not 100% correct.

To figure out the correct bind DN I used Apache Directory Studio

1. set up a connection
2. test the connection
3. set up authentication
4. choose simple authentication
5. enter the USERNAME only and not a BIND DN, for me it was ‘ROOTAdministrator’ where ROOT is my domain name.
6. enter the bind password and check the authentication.
7. if authentication works: find the user in the tree
8. right click the principal and click «copy DN».
9. this gave me «CN=Administrator,CN=Users,DC=root,DC=io»
10. Set up a new connection and use the BIND DN to authenticate = worked.

I guess the problem I had was specifying the group with OU=Users instead of CN=Users. There seems to be a difference there with the AD server I was using before.

Success. with a caveat.

1. Open ADUC (Active Directory Users and Computers)
2. Find authenticating user.
3. Right-click user object>Select Attribute Editor Tab (If not visible, in main ADUC window select View>Advanced Features)
4. Copy dn attribute
5. Paste dn from AD into config.json.
   Here’s the caveat, if the dn has a in the name, an error is thrown. FATAL SyntaxError: Unexpected token , in JSON at position 607 . For example, my account DN is CN=LastName, FirstName,OU=org,DC=test,DC=net . The workaround for this was to simply remove the and I was able to log in.

The only other issue I have now is I can’t add users or authenticate with any user account except the default usernamepassword . In the config.json file under search, I did omitted the group-dn setting and configured the user-dn to be dc=test,dc=net . When I go into the Mithril section in Kibana, all I see is the below image. I assumed the two dn settings under search worked as follows:

user-dn: specify an OU containing users authorized to login
group-dn: specify a group containing users authorized to login
These settings can be exclusive or in combination to form a desired authentication plan.

Additional Testing

Domain: test.net
Domain Controller: DC1 (192.168.1.1)
Directory Structure

• test.net
  • Org
    • Groups
      • KibanaAccess (Group Object)
    • Svc Accounts
      • Auth, LDAP (User Object) — Username: svc_ldap
    • Users
      • User, Test (User Object) — Username: testuser

Mithril LDAP Account DN CN=Auth, LDAP,OU=svc accounts,OU=org,DC=test,DC=net
Kibana User DN CN=User, Test,CN=users,OU=org,DC=test,DC=net
Test User Group Membership CN=KibanaAccess,OU=Groups,OU=org,DC=test,DC=net

Источник

So, I needed to switch from Windows authentication to LDAP authentication, and our company has set up its own certificate authority trusted root certificates, and I’ve found the LDAP setup documentation doesn’t cover this very well, so I’m posting my findings here for everyone else.

The docs are here:

https://enterprise.arcgis.com/en/server/latest/administer/linux/configuring-a-highly-available-ldap-…

So, I had to actually go through with support and try a lot of variations to the parameters to get this right.  The error it was giving at first was «simple bind failed: <servername>:636», when I provided a secure LDAPS://servername:636/ou=….. link.

This was because I needed to import the trusted root certificate authority, which I tried to do in the ArcGIS/admin page, under machines/machinename/sslcertificates, but the error persisted.  So… it turns out the jvm’s have their own keystore, and here are all of the other steps you may need to follow to get your secure ldap working with ArcGIS server, in excruciatingly overdetailed glory.

Also one other note: if you get an error more like this, your password or userid is wrong:

LDAP: error code 49 — 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

If you get an error like this, your OU values are probably wrong, skip to step 3A to see how to find what they should be:

[LDAP: error code 49 — 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]

1: Import the certificates into the background jvm keystore as follows (rather than importing through the url:6443/arcgis/admin web page):

• browse to <installroot>arcgisserverframeworkruntimejrelibsecurity
• copy the cacerts file to cacerts.bak (just in case).
• Also back up your arcgissserverconfig-store folder.
• From a command prompt, run the following commands adjusted for your install location, and location you placed the .cer file(s) for each of your new trusted root authority certificates:
  • <installroot>ArcGISServerframeworkruntimejrebinkeytool -import -keystore <installroot>arcgisserverframeworkruntimejrelibsecuritycacerts -trustcacerts -alias «certificatename» -file «<trusted root certs folder>certificatename.cer»
  • Note the default arcgis jre keystore pass is “changeit”

2: Restart ArcGIS Server Windows service.

3: go to https://<machinename>:6443/arcgis/admin and log in as the local arcgis admin account, then browse to Home => security => config => testIdentityStore, and test the following LDAP configs for “Connection Successful!” message, after adjusting for your password and your mechid, and all of the OU / DC values to match those of your own company. If you don’t know them, see step 3A below to find out how to get them.

                User Store Configuration:

{

«type»: «LDAP»,

«properties»: {

   «isPasswordEncrypted»: «false»,

   «adminUserPassword»: «<password>»,

   «adminUser»: «CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com»,

   «ldapURLForUsers»: «ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com»,

   «usernameAttribute»: «cn»,

   «caseSensitive»: «false»,

   «userSearchAttribute»: «samaccountname»

}

}

Role Store Configuration:

{

«type»: «LDAP»,

«properties»: {

   «ldapURLForRoles»: «ldaps://ldapserver.it.esri.com:636/ou=roles,dc=redmond,dc=esri,dc=com»,

   «isPasswordEncrypted»: «false»,

   «adminUserPassword»: «<password>»,

   «memberAttributeInRoles»: «uniquemember»,

   «adminUser»: «CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com»,

   «ldapURLForUsers»: «ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com»,

   «rolenameAttribute»: «cn»,

   «usernameAttribute»: «cn»

}

}

3A: If you do not know your baseDN and OU values… Install the Windows RSAT application tools package with DSQUERY command from Microsoft, then go to control panel => programs (and features) => add windows feature, “Remote Server Administration Tools” and enable the Role Administration Tools and all subitems there. Note that in my examples, I totally made up “userid”, “esriusers”, and “redmond” as values, as these will always vary by your own company’s domain setup. Make sure you run the DSQuery tool to get the right values YOU should be using.

Go to command prompt and run this command, with the quotes: dsquery user -name “<username>”

Result will look like: “CN=<username>,OU=someparam,OU=maybe-a-secondparam,DC=domain1,DC=domain2,DC=domain3-typically-just-com”

So something like: “CN=abc1234,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com” would go into your JSON config value like this:

   «adminUser»: «CN=abc1234,OU=userids,OU= esriusers,DC=redmond,DC=esri,DC=com”,

Take the resulting value and use it in the adminUser attribute in the json code in step 3. Paste the portion after the CN=<username>, starting with the first OU=, and paste that into the ldapURL parameter. Following the example above, this would go in your JSON config value:

   «ldapURLForUsers»: «ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com”,

These values may not be needed based on your company’s LDAP settings, so try without them first… samaccountname is the standard value for windows active-directory setups.

   «caseSensitive»: «false»,

   «userSearchAttribute»: «samaccountname»

The ldapURLForRoles OU value of “roles” may indicate success in the test page, but it works with anything and is not apparently truly tested, so also use the command “dsquery ou” to see a list of all OUs in your company and find the one that looks like ou=groups or ou=roles.

4: If those functioned, you can browse back to the “config” level in the arcgis/admin page, and use the updateIdentityStore link to change the identity store config to use the adjusted configs you just tested.

Hope that helps someone!