
Spring Active Directory Authentication

 
James Daniel
I have been trying (and trying) to get a Spring application to authenticate against an AD LDAP server. I keep getting a "Bad credentials" exception. When I use the same username/password in an LDAP tool, it works without issue. I am using Spring Security 3.1.2 and there isn't much to the configuration. Does anyone have any ideas? I just want to see it authenticate and work from there. I can't even get that to happen. Help..


<authentication-manager>
    <authentication-provider ref="activeDirectoryAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="activeDirectoryAuthenticationProvider"
            class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="my.domain.com" />
    <beans:constructor-arg value="ldap://my.domain:389" />
    <beans:property name="convertSubErrorCodesToExceptions" value="true"/>
</beans:bean>
 
Bill Gorder
Please UseCodeTags.

You are probably going to need a little more information to figure out what is happening. I would set your logger levels for org.springframework.security to DEBUG and you should get a better picture of what exactly you are missing.
 
Mike Solano
Hi James,

Did you ever discover what your issue was? I'm having the exact same problem with pretty much the same setup.

I know it's hitting AD because if I use a non-existent username, I get:

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: batman
DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Authentication for batman@domain.net failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
INFO org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Active Directory authentication failed: User was not found in directory
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

If I use an incorrect password, I get:

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: msolano
DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Authentication for msolano@domain.net failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
INFO org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Active Directory authentication failed: Supplied password was invalid
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials


However, with the correct username and password, I only get a message saying Ignoring PartialResultException (which I think is ok) and the BadCredentialsException.

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: msolano
DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN ', base = dc=domain,dc=net, filter = (&(objectClass=user)(userPrincipalName={0}))
INFO org.springframework.security.ldap.SpringSecurityLdapTemplate - Ignoring PartialResultException
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

I appreciate any feedback you or anyone else may have. Thank you!

-Mike
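
Added example (not part of the original posts and not Spring Security's own code): a small decoder for the hex `data` sub-error that Active Directory appends to LDAP error 49 bind failures, run over message excerpts from the traces above. The class name `AdSubErrorDecoder` is hypothetical, and the table beyond `525` and `52e` is an assumption based on the commonly documented AD sub-codes, not something shown in this thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdSubErrorDecoder {
    // Hex "data" values AD reports on a failed bind (LDAP error 49).
    // 525 and 52e appear in the thread; the rest are the commonly
    // documented codes (assumption, not taken from the page).
    private static final Map<Integer, String> MEANINGS = new LinkedHashMap<>();
    static {
        MEANINGS.put(0x525, "user not found");
        MEANINGS.put(0x52e, "invalid credentials");
        MEANINGS.put(0x530, "logon not permitted at this time");
        MEANINGS.put(0x531, "logon not permitted at this workstation");
        MEANINGS.put(0x532, "password expired");
        MEANINGS.put(0x533, "account disabled");
        MEANINGS.put(0x701, "account expired");
        MEANINGS.put(0x773, "user must reset password");
        MEANINGS.put(0x775, "account locked out");
    }

    // Only trust a "data xxx" token that follows "error code 49".
    private static final Pattern SUB_ERROR =
        Pattern.compile("error code 49\\b.*?\\bdata\\s+([0-9a-fA-F]{3,4})\\b");

    static Optional<Integer> subErrorCode(String line) {
        Matcher m = SUB_ERROR.matcher(line);
        return m.find() ? Optional.of(Integer.parseInt(m.group(1), 16)) : Optional.empty();
    }

    static String describe(String line) {
        return subErrorCode(line)
            .map(c -> String.format("0x%x: %s", c,
                     MEANINGS.getOrDefault(c, "unrecognised sub-error")))
            .orElse("no error 49 sub-code on this line");
    }

    public static void main(String[] args) {
        String[] lines = {  // message excerpts from the traces in this thread
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772",
            "INFO org.springframework.security.ldap.SpringSecurityLdapTemplate - Ignoring PartialResultException"
        };
        for (String line : lines) {
            System.out.println(describe(line));
        }
    }
}
```

The third line carries no sub-code: in that trace no error 49 is logged at all, and the `BadCredentialsException` appears after the search step instead.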
 
Mike Solano
I believe the problem I'm seeing may be a bug in ActiveDirectoryLdapAuthenticationProvider. I found the following forum post on the spring forums:

http://forum.springsource.org/showthread.php?134991-Active-Directory-authentication-in-Spring-3-1

And I created a JIRA issue for it here since one didn't seem to exist:

https://jira.springsource.org/browse/SEC-2224
 
Bill Gorder
Welcome to the Ranch Mike and thanks for posting back with what you have found!
 
Mike Solano
Thanks Bill! Long time lurker, first time caller

I'll update again when/if I see any traction on the JIRA issue.
 