
Spring security authentication using active directory failed

I've been working on a Spring web application project in our company. It used to authenticate users against a database, but recently we decided to use our Active Directory server as the authentication party. So, we changed the spring-security.xml to the code below:

<http auto-config="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <intercept-url pattern="/Content/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/Desktop/New_Them/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/App/Index" access="ROLE_USER" />
    <intercept-url pattern="/App/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/rest/clc/ClcLogPhon/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
    <logout logout-success-url="/App/Login" />
    <remember-me key="myAppKey" />
    <csrf />
    <headers>
        <xss-protection />
    </headers>
</http>

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <!-- the host and port were lost from the posted config; AD_HOST is a placeholder -->
    <beans:constructor-arg value="ldap://AD_HOST:389/DC=myDomain,DC=org" />
    <beans:property name="userDn" value="CN=myUsername,CN=Users,DC=myDomain,DC=org" />
    <beans:property name="password" value="myPassword" />
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <beans:property name="userDnPatterns">
                <beans:list>
                    <beans:value>uid={0},ou=users</beans:value>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource" />
            <beans:constructor-arg value="ou=groups" />
            <beans:property name="groupRoleAttribute" value="ou" />
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<authentication-manager>
    <authentication-provider ref="ldapAuthProvider" />
</authentication-manager>

And the web application starts up fine. But when I want to log in with users that were declared before in the Active Directory, the error below occurs:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using
DEBUG LdapAuthenticationProvider - Processing authentication request for user: m.fazel
DEBUG BindAuthenticator - Attempting to bind as uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user uid=m.fazel,ou=users,dc=myDomain,dc=org
DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'logoutSuccessHandler'
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
DEBUG TokenBasedRememberMeServices - Cancelling cookie
DEBUG SimpleUrlAuthenticationFailureHandler - Redirecting to /spring_security_login?login_error
DEBUG DefaultRedirectStrategy - Redirecting to '/hafizApps/spring_security_login?login_error'

As you can see in the debug output above, it is caused by an LDAP error:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

However, I have already connected to the server with JXplorer, so there is no error in the LDAP connection settings. Also, the test user I am trying to connect with (i.e. m.fazel) is already declared in LDAP, as you can see in the figure below:

JXplorer: ldap users

Edit after @jeemster's answer:

However, uid was exactly what was written in the Spring Security LDAP authentication. I changed the spring-security.xml just as jeemster said and put cn={0},ou=test instead of uid={0},ou=users. The bean with id="ldapAuthProvider" was changed to the bean shown below:

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource" />
            <beans:property name="userDnPatterns"><beans:list><beans:value>cn={0},ou=test</beans:value></beans:list></beans:property>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <beans:constructor-arg ref="contextSource" />
            <beans:constructor-arg value="ou=groups" />
            <beans:property name="groupRoleAttribute" value="ou" />
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

Also, I created a new user in the test group and named it alialavi. The new user created in LDAP is shown in the figure below.

As demonstrated in the figure above, captured from JXplorer, the distinguished name for the new user is:


But after the web application starts up, I see this error again on the login page:

DEBUG UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG ProviderManager - Authentication attempt using
DEBUG LdapAuthenticationProvider - Processing authentication request for user: alialavi
DEBUG BindAuthenticator - Attempting to bind as cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG DefaultSpringSecurityContextSource - Removing pooling flag for user cn=alialavi,ou=test,dc=hafiz-co,dc=org
DEBUG BindAuthenticator - Failed to bind as CN=alialavi,OU=test: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
DEBUG UsernamePasswordAuthenticationFilter - Authentication request failed: Bad credentials
DEBUG UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler
DEBUG TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.

Again it caused an error with the new distinguishedName:


Although both distinguishedNames are the same, the error occurred.

Upvotes: 1

Views: 3408

Answers (1)


I would first try changing:




Normally, uid is not a value within Microsoft Active Directory.

However, the error:

data 52e

is returned, AFAIK, when the username is valid but the password/credential is invalid.

Finally, it appears from what is posted that


is the sAMAccountName and not the cn or uid of the user. The LDAP DN being used for the bind appears to be:


Does this user appear in the directory?


Upvotes: 2
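As an added example (not from the question or the answer), a small Python triage helper that parses the BindAuthenticator "Failed to bind" line shown in both logs above, maps the Active Directory sub-code in the `data NNN` field to its documented meaning (the answer's point about 52e, generalised to the other documented sub-codes) and flags bind-DN shapes such as `uid={0},ou=users` that do not match how AD stores user objects. The sub-code table and the DN-shape checks are mine; the second sample log line is constructed.

```python
import re

# AD sub-error codes carried in the "data NNN" field of an LDAP result 49 bind failure (Microsoft docs).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches BindAuthenticator's "Failed to bind as ..." debug line: bind DN, LDAP result code, AD sub-code.
BIND_FAIL_RE = re.compile(
    r"Failed to bind as (?P<dn>[^:]+): .*?LDAP: error code (?P<code>\d+)"
    r" - [0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, comment: [^,]+,"
    r" data (?P<data>[0-9A-Fa-f]+)"
)

def check_dn_shape(dn):
    """Flag bind-DN patterns that do not match how AD normally stores users."""
    first_rdn = dn.split(",")[0].strip().lower()
    if first_rdn.startswith("uid="):
        return "AD user objects have no 'uid' attribute; bind by CN, or by UPN (user@domain)"
    if ",ou=users" in dn.lower():
        return "AD's default user container is CN=Users (a container), not OU=Users"
    return None

def parse_bind_failure(line):
    """Return a dict describing a 'Failed to bind' log line, or None if the line is not one."""
    m = BIND_FAIL_RE.search(line)
    if not m:
        return None
    sub = m.group("data").lower()
    return {
        "bind_dn": m.group("dn").strip(),
        "result_code": int(m.group("code")),
        "sub_code": sub,
        "meaning": AD_BIND_SUBCODES.get(sub, "unknown sub-code"),
        "dn_warning": check_dn_shape(m.group("dn")),
    }

# The first line is quoted from the question's log; the second is constructed to show a 525.
SAMPLE_LINES = [
    "DEBUG BindAuthenticator - Failed to bind as uid=m.fazel,ou=users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
    "DEBUG BindAuthenticator - Failed to bind as cn=nosuchuser,cn=Users: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1]",
]
```

Treat the sub-code as a hint rather than proof: Microsoft documents 525 for a missing user, but a simple bind against a DN that does not exist is often reported as 52e as well, so checking the DN shape alongside the sub-code is what narrows the cause.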
