"LdapAuthenticationHandler failed authenticating anotherUser <Username>" error in CAS, LDAP, ActiveDirectory


Abhishek Kumar

Apr 4, 2016, 8:24:14 AM
to jasig-cas-user
Hi,

I'm new to Jasig CAS setup.
I'm trying to get CAS set up with ActiveDirectory over LDAP (the plan is LDAPS, but I need to get the first step done first), with CAS deployed on Tomcat 8.

I'm using the Maven overlay (master branch of https://github.com/Jasig/cas-overlay-template.git) with modified 'pom.xml', 'etc/cas.properties' and 'src/main/webapp/WEB-INF/deployerConfigContext.xml'. I've attached the three modified files here.

This setup starts CAS without any errors, and I can open the login page in the browser. But when I try to authenticate using one of the existing credentials from AD, the log-in attempt fails with the very normal message

2016-04-04 11:22:42,277 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating anotherUser>
2016-04-04 11:22:42,288 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: anotherUser
WHAT: Supplied credentials: [anotherUser]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Apr 04 11:22:42 UTC 2016
CLIENT IP ADDRESS: XX.ABC.P.LMN
SERVER IP ADDRESS: XX.ABC.Q.GHI
=============================================================


My guess is that one of the 'cas.properties' settings or 'deployerConfigContext.xml' attributes is messy, and I'm not able to identify it due to my incomplete knowledge of the topic.

Any pointers or trial guidelines will be helpful.

Also, in general, a critique of what is extra or missing compared to a good configuration would be helpful as well. Thanks

Regards,
AbhishekKr
Attachments: deployerConfigContext.xml, error, pom.xml, cas.properties

Abhishek Kumar

Apr 4, 2016, 8:33:38 AM
to CAS Community
Attachments: deployerConfigContext.xml, pom.xml, cas.properties, error

vallee.romain

Apr 5, 2016, 4:44:02 AM
to CAS Community
Hello,
I had the same problem.
Add SAML support in pom.xml and try again:

```xml
<dependency>
    <groupId>${project.groupId}</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${project.version}</version>
</dependency>
```

Abhishek [ABK] Kumar

Apr 5, 2016, 5:30:24 AM
to vallee.romain, CAS Community
Hi Vallee,

Thanks for the response.

I do have the config you specified as

```xml
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${cas.version}</version>
    <scope>runtime</scope>
</dependency>
```

in my pom.xml.

I've attached updated file (pom.xml, deployerConfigContext.xml and
cas.properties) in initial mail, if you want to review.

Regards,
AbhishekKr



--

there might be 's/tyops/typos/g' in mail, multi-tasking hazards

Regards,
Abhishek Kumar ( http://abhishekkr.github.io/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~=ABK=~


Vallee Romain

Apr 5, 2016, 6:32:04 AM
to jasig-cas-user, abhiku...@gmail.com
Can you turn debug on ?

Abhishek [ABK] Kumar

Apr 5, 2016, 7:53:02 AM
to Vallee Romain, CAS Community
adding correct CAS community group id

On Tue, Apr 5, 2016 at 5:13 PM, Abhishek [ABK] Kumar <abhiku...@gmail.com> wrote:
Hi Vallee,

I've attached the current set of 'deployConfigContext.xml' and 'cas.properties' .

Log can be viewed at 

The seemingly interesting portions of it are (not exactly sure what or why):

* 'successful bind must be completed on the connection'

[org.ldaptive.auth.Authenticator] - <entry resolution failed for resolver=[org.ldaptive.auth.SearchEntryResolver@499577695::factory=null, baseDn=, userFilter=null, userFilterParameters=null, allowMultipleEntries=false, subtreeSearch=false, derefAliases=null, referralHandler=null, searchEntryHandlers=null]>
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'some...@some.organization.internal'
at org.ldaptive.provider.ProviderUtils.throwOperationException

Here the values (of baseDn, userFilter, subtreeSearch) are not what I provided in cas.properties and referenced in the XML. I have used different names, but I tried it with the default names from the doc and the logs showed the same symptoms.

* the above log is followed by 'Authentication succeeded for dn: some...@some.organization.internal'

Now this is confusing: it did, but it doesn't. Even the 'authenticate response' log later has the tokens 'result=true, resultCode=SUCCESS'.


* then again the old log appears: 'LdapAuthenticationHandler failed authenticating someuser'

and the log-in fails on the CAS web UI.






Abhishek [ABK] Kumar

Apr 5, 2016, 9:11:53 AM
to Vallee Romain, CAS Community, Misagh Moayyed
Hi,

I did a little tweak in 'deployerConfigContext.xml' regarding 'bind', from

```xml
...
          p:connectionInitializer-ref="fastBindConnectionInitializer" />
     <bean id="fastBindConnectionInitializer"
           class="org.ldaptive.ad.extended.FastBindOperation.FastBindConnectionInitializer">
...
```

to

```xml
...
p:connectionInitializer-ref="bindConnectionInitializer" />
<bean id="bindConnectionInitializer"
      class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="${ldap.authn.managerDN}">
    <property name="bindCredential">
        <bean class="org.ldaptive.Credential"
              c:password="${ldap.authn.managerPassword}" />
    </property>
</bean>
...
```



And now the bind error has been replaced by

* 'problem 2006 (BAD_NAME), data 8350'

2016-04-05 13:02:47,089 DEBUG [org.ldaptive.auth.Authenticator] - <entry resolution failed for resolver=[org.ldaptive.auth.SearchEntryResolver@76445512::factory=null, baseDn=, userFilter=null, userFilterParameters=null, allowMultipleEntries=false, subtreeSearch=false, derefAliases=null, referralHandler=null, searchEntryHandlers=null]>
org.ldaptive.LdapException: javax.naming.InvalidNameException: some...@some.organization.internal: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of:
'some...@some.organization.internal'
]; remaining name 'some...@some.organization.internal'
at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.1.0.jar:?]


The other two success logs and the subsequent auth failure are still the same.







Abhishek [ABK] Kumar

Apr 6, 2016, 4:22:39 AM
to Vallee Romain, CAS Community, Misagh Moayyed, jasig-cas-user
Current state, with ldaptive debug on:
There are no errors displayed in any logs. The log portion for the log-in is available here: 'http://pastebin.com/4U85FfEs'.

Logs show 'resultCode=SUCCESS' for all of the following:
* 'org.ldaptive.SearchOperation',
* 'org.ldaptive.BindOperation',
* 'org.ldaptive.auth.PooledBindAuthenticationHandler',
* 'org.ldaptive.auth.Authenticator'.

Then it just prints

2016-04-06 06:46:40,298 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating someUser>

I'm stuck now, as there are no error/severe/warn entries in the logs to go after.

I've attached the current updated state of the modified files (deployerConfigContext.xml, cas.properties, pom.xml) from the Maven overlay.



Attachments: deployerConfigContext.xml, cas.properties

Misagh Moayyed

Apr 6, 2016, 7:27:51 AM
to CAS Community

What do your CAS logs say at DEBUG?


Abhishek [ABK] Kumar

Apr 6, 2016, 8:54:53 AM
to jasig-cas-user, CAS Community
Hi Misagh,

The CAS log in debug mode shows the following trail during a log-in attempt.
I've attached the deployerConfigContext.xml and cas.properties used for this attempt.

==> /tmp/cas.log <==
2016-04-06 12:37:38,200 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@310716820::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=some...@some.organization.internal, ldapEntry=[dn=some...@some.organization.internal[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2016-04-06 12:37:38,201 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - No ldap password policy configuration is defined
2016-04-06 12:37:38,201 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response returned as result. Creating the final LDAP principal
2016-04-06 12:37:38,201 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Creating LDAP principal for someUser based on some...@some.organization.internal
2016-04-06 12:37:38,202 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating someUser
2016-04-06 12:37:38,202 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: sAMAccountName attribute not found for someUser
2016-04-06 12:37:38,205 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [AuthenticationTransaction] for audit
2016-04-06 12:37:38,205 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [UsernamePasswordCredential] for audit
2016-04-06 12:37:38,207 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: someUser
WHAT: Supplied credentials: [someUser]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Apr 06 12:37:38 UTC 2016
CLIENT IP ADDRESS: XX.ABC.P.LMN
SERVER IP ADDRESS: XX.ABC.Q.GHI
=============================================================


Also, apart from this, I tried using the '<ldaptive:>' node for 'authenticator'. That failed authentication with an error that 'dn=null', i.e. 'DN can't be resolved'.



 




Attachments: pom.xml, log4j2.xml, deployerConfigContext.xml, cas.properties

Misagh Moayyed

Apr 6, 2016, 11:15:22 AM
to CAS Community
The error is what you highlighted: sAMAccountName attribute not found for someUser

Either resolve the attribute or remove it.

-- 
Misagh

On April 6, 2016 at 5:55:03 AM, Abhishek [ABK] Kumar <abhiku...@gmail.com> wrote:

> sAMAccountName attribute not found for someUser


Abhishek [ABK] Kumar

Apr 7, 2016, 8:58:36 AM
to jasig-c...@googlegroups.com, CAS Community, Misagh Moayyed, vallee.romain
Hi,

Thanks all (esp. Misagh and Vallee).
I had a bunch of issues to fix since I first started the thread.
The last one was my misinformation about 'baseDn': I had an extra
'cn=...' which I thought to be correct, but the AD config was somehow not
reflecting it; maybe it needs a restart (Windows) or something.

But the 'sAMAccountName attribute not found' error got fixed by correcting
'baseDn'.

Regards,
AbhishekKr
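A small diagnostic for the symptom Misagh points at and the baseDn fix that closed the thread: it parses the ldaptive AuthenticationResponse line and the handler's "exception details" line from a CAS DEBUG trail and reports when the bind succeeded but the resolved entry came back with no attributes, which is exactly the state that makes the principal id attribute unresolvable. This is an added example, not code from CAS or from the thread; the sample log lines are constructed in the shape of the quoted trail, and the regex for ldaptive's entry format is an assumption.

```python
import re

# Constructed sample in the shape of the CAS DEBUG trail quoted in the thread;
# user name and DN are placeholders, not the poster's real directory values.
SAMPLE_LOG = """\
2016-04-06 12:37:38,200 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@310716820::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=someuser@example.invalid, ldapEntry=[dn=someuser@example.invalid[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2016-04-06 12:37:38,202 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating someUser
2016-04-06 12:37:38,202 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: sAMAccountName attribute not found for someUser
"""

RESPONSE_RE = re.compile(r"LDAP response: \[org\.ldaptive\.auth\.AuthenticationResponse@\d+::(.*)\]\s*$")
# Assumption: ldaptive prints an entry as [dn=<dn>[<attributes>]], so an account
# that was found but carries no attributes prints as [dn=<dn>[]].
ENTRY_RE = re.compile(r"ldapEntry=\[dn=(?P<dn>[^\[]*)\[(?P<attrs>.*?)\]\],")
MISSING_RE = re.compile(r"exception details: (?P<attr>\S+) attribute not found for (?P<user>\S+)")


def parse_ldap_response(line):
    """Turn the logged AuthenticationResponse into a dict of its fields."""
    m = RESPONSE_RE.search(line)
    if not m:
        return None
    body = m.group(1)
    fields = {"dn": None, "entry_attrs": ""}
    entry = ENTRY_RE.search(body)
    if entry:
        fields["dn"], fields["entry_attrs"] = entry.group("dn"), entry.group("attrs")
        body = body.replace(entry.group(0), "")  # keep the comma split simple
    for part in body.split(","):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    return fields


def diagnose(log_text):
    """Correlate the LDAP response with the handler's exception detail."""
    response, missing = None, None
    for line in log_text.splitlines():
        response = parse_ldap_response(line) or response
        m = MISSING_RE.search(line)
        if m:
            missing = m.group("attr")
    if response is None:
        return {"verdict": "no LDAP response logged"}
    if response.get("resultCode") != "SUCCESS":
        return {"verdict": "bind failed", "resultCode": response.get("resultCode")}
    if missing and not response["entry_attrs"]:
        # Bind worked, but the entry resolver returned the account with no
        # attributes, so the principal id attribute cannot be read from it.
        return {"verdict": "bind ok, principal build failed", "dn": response["dn"],
                "missing_attribute": missing,
                "hint": "check the entry resolver's baseDn, userFilter and subtreeSearch"}
    return {"verdict": "authenticated", "dn": response["dn"]}
```

Run `diagnose(open("/tmp/cas.log").read())` against a real DEBUG trail; a "bind ok, principal build failed" verdict means the password was accepted and the search base or filter, not the credentials, is what to fix.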