Subject: Authentication issue to ActiveDirectory
Author: bill_comer
In response to: When and Why DIGEST-MD5 Authentication Does Not Work?
Posted on: 09/29/2008 10:09:48 AM
Hi there,
I am struggling to authenticate to an AD 2003 LDAP. I am using acegi 1.0.3 and spring 1.2.7.
I have various tests that allow me to perform things like userSearch but authentication fails. Any clues please.
My simplest test fails at the line:
    LdapUserDetailsImpl.Essence userEssence =
        (LdapUserDetailsImpl.Essence) template.retrieveEntry(userDn, userDetailsMapper, null);
with the Exception:
    org.acegisecurity.BadCredentialsException: Bad credentials; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import org.acegisecurity.ldap.InitialDirContextFactory;
    import org.acegisecurity.ldap.LdapTemplate;
    import org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl;
    import org.acegisecurity.userdetails.ldap.LdapUserDetailsMapper;

    // Assumed: injected from the initialDirContextFactory bean shown below (the field is not declared in the post)
    private InitialDirContextFactory initialDirContextFactory;

    public void testFromJava() throws NamingException
    {
        String user = "user1";
        String password = "secret";

        // Plain JNDI DIGEST-MD5 bind, with BER tracing sent to System.err
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ut-ad-01:389/DC=Testusers,DC=foo,DC=co,DC=uk");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.trace.ber", System.err);
        DirContext ctx = new InitialDirContext(env);

        // User DN as built in the post (the user's own RDN is also written as DC= here)
        String userDn = "DC=" + user + ",DC=Testusers,DC=foo,DC=co,DC=uk";
        LdapUserDetailsMapper userDetailsMapper = new LdapUserDetailsMapper();

        // Acegi template bound as the user; this retrieveEntry call is the one that throws BadCredentialsException
        LdapTemplate template = new LdapTemplate(initialDirContextFactory, userDn, password);
        LdapUserDetailsImpl.Essence userEssence =
            (LdapUserDetailsImpl.Essence) template.retrieveEntry(userDn, userDetailsMapper, null);
        ctx.close();
    }
The bean for my initialDirContextFactory is:
    <bean id="initialDirContextFactory"
          parent="utilisoftActiveDirectoryDirContextFactory">
    </bean>

    <bean id="utilisoftActiveDirectoryDirContextFactory"
          class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://ut-ad-01:389/DC=formfill,DC=co,DC=uk" />
        <property name="managerDn">
            <value>admin</value>
        </property>
        <property name="managerPassword">
            <value>g0ldf1sh</value>
        </property>
        <property name="authenticationType">
            <value>DIGEST-MD5</value>
        </property>
    </bean>
> On 08/02/2008 06:48:32 PM SteveHB wrote:
> Your DIGEST-MD5 type 3 message explicitly indicates "The digest-uri does not match any LDAP SPN's registered for this server."
> So, the problem is that, unlike the Kerberos protocol, DIGEST-MD5 is *NOT* capable of cross-domain/realm authentication. In that sense, the requested digest-uri ldap/mfadldap.nnnnnn.edu must match your server's SPN, but your server is registered within the realm mfad.mfroot.org.
> Let me know if you have any further problem after resetting your server's SPN.
> Good Luck,
> Steve
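As an added example (not code from the post, from acegi, or from any AD tooling), a small Java helper that parses the "error code 49" diagnostic quoted above into its fields and maps the AD "data" sub-code to its documented meaning; the reading of "data 0" together with HRESULT 8009030C follows SteveHB's SPN explanation and is an interpretation, not a documented AD code. The class name and the sample message string are constructed here.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Pulls the useful fields out of an Active Directory "error code 49" bind diagnostic. */
public final class AdBindErrorParser {
    // "data" sub-codes AD appends to a failed-bind comment (hex, lower case as AD prints them).
    private static final Map<String, String> DATA_CODES = Map.of(
        "0",   "no account sub-status; with HRESULT 8009030C the SASL negotiation itself was "
             + "rejected (a digest-uri/SPN mismatch is one cause), so the password was never checked",
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "logon not permitted at this time",
        "531", "logon not permitted at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    // Matches e.g. "error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, v..."
    private static final Pattern MESSAGE = Pattern.compile(
        "error code (\\d+) - ([0-9A-Fa-f]{8}): LdapErr: DSID-([0-9A-Fa-f]+), comment: ([^,]+), data ([0-9A-Fa-f]+)");

    /** Parsed fields; 'meaning' is the human-readable reading of the data sub-code. */
    public static final class Diagnosis {
        public final int resultCode;
        public final String hresult, dsid, comment, data, meaning;
        Diagnosis(int rc, String hr, String dsid, String comment, String data, String meaning) {
            this.resultCode = rc; this.hresult = hr; this.dsid = dsid;
            this.comment = comment; this.data = data; this.meaning = meaning;
        }
    }

    /** Throws IllegalArgumentException if the text is not an AD LdapErr diagnostic. */
    public static Diagnosis parse(String message) {
        Matcher m = MESSAGE.matcher(message);
        if (!m.find()) throw new IllegalArgumentException("not an AD LdapErr diagnostic: " + message);
        String data = m.group(5).toLowerCase();
        String meaning = DATA_CODES.getOrDefault(data, "unknown sub-status " + data);
        return new Diagnosis(Integer.parseInt(m.group(1)), m.group(2).toUpperCase(), m.group(3), m.group(4), data, meaning);
    }

    public static void main(String[] args) {
        // Constructed sample: the message quoted in the post above.
        String msg = "[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece";
        Diagnosis d = parse(msg);
        System.out.println("code=" + d.resultCode + " hresult=" + d.hresult + " data=" + d.data + " -> " + d.meaning);
    }
}
```

Feeding the message of a caught AuthenticationException through parse() tells you at once whether AD rejected the account (a non-zero sub-code) or never got that far, which is the distinction SteveHB's reply turns on.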