[cas-user] CAS 4.2.5 - AD authentication failed


KERAIN Stéphane
Oct 12, 2016, 9:31:18 AM
to CAS Community
Hi,

I'm trying to configure my CAS server for AD authentication. I've read the documentation several times and made multiple attempts, but nothing works: AD authentication fails.

Need some help, please. :)

Best regards, Stéphane.

---
cas.properties:

server.name=https://my-cas-server:8028
server.prefix=${server.name}/cas

host.name=my-cas-server.my-domain

webflow.encryption.key=jVOzaqhPXOgMbakc
webflow.signing.key=QIsan9FM86T-1W8QZaDmD8N3VzZC9P2YrWqxNWMN-qLFujSt0EShBZdzVtC5ttTRTGMB6pyWzIA3zI2VDk4yrg

accept.authn.users=casuser::Mellon

ldap.url=ldap://my-ldap-server.my-domain:389
ldap.useStartTLS=false
ldap.rootDn=dc=my-domain,dc=global-domain
#ldap.baseDn=OU=USERS,OU=MY-OU,DC=my-domain,DC=global-domain
ldap.baseDn=DC=my-domain,DC=global-domain
ldap.connectTimeout=3000
#ldap.managerDn=CN=my-manager,OU=DOMAINE,OU=ADMINISTRATEUR,OU=USERS,OU=MY-OU,DC=my-domain,DC=global-domain
ldap.managerDn=my-ma...@my-domain.global-domain
ldap.managerPassword=manager-password
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600
ldap.authn.searchFilter=cn={user}
ldap.domain=my-domain.global-domain
ldap.usePpolicy=false
ldap.allowMultipleDns=false

---

catalina.out:

2016-10-12 14:54:33,364 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@237353622::bindDn=my-...@my.domain, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@896428015::config=[org.ldaptive.ConnectionConfig@1457929333::ldapUrl=ldap://my-server.mydomain:389, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1737965895::bindDn=my-...@my.domain, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1727525661::metadata=[ldapUrl=ldap://my-server.mydomain:389, count=1], environment={com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@135425996::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.DefaultConnectionStrategy@10afcf37, controlProcessor=org.ldaptive.provider.ControlProcessor@3ae04798, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@6579518f]>
2016-10-12 14:54:33,374 ERROR [org.ldaptive.pool.BlockingConnectionPool] - <[org.ldaptive.pool.BlockingConnectionPool@923455700::name=bind-pool, poolConfig=[org.ldaptive.pool.PoolConfig@259215693::minPoolSize=1, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@1357400872::searchRequest=[org.ldaptive.SearchRequest@1061773616::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@1429310040::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@306776633::provider=org.ldaptive.provider.jndi.JndiProvider@15221fc1, config=[org.ldaptive.ConnectionConfig@1457929333::ldapUrl=ldap://my-server.mydomain:389, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1737965895::bindDn=my-...@my.domain, bindSaslConfig=null, bindControls=null]]], initialized=false, availableCount=0, activeCount=0] unable to connect to the ldap>
org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.1.0.jar:?]
        at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.1.0.jar:?]
...

--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a216dce-5929-4532-9b87-8de016427287%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
Attachments: deployerConfigContext.xml, pom.xml
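The part of the catalina.out snippet that actually says what went wrong is the "data 52e" inside the javax.naming.AuthenticationException: LDAP result 49 (invalidCredentials) is generic, while the hexadecimal sub-code after "data" is Active Directory's own reason. The following Python example is added here and is not part of the thread; it extracts the result code, NTSTATUS value, DSID and AD sub-code from such log lines and maps the sub-code to its documented meaning (the table follows Microsoft's published AcceptSecurityContext data codes). The sample log is constructed: it contains the poster's own error line plus variants for 525 and 533 that were not in the original log.

```python
import re
from typing import List, Optional, Tuple

# Active Directory sub-codes that accompany LDAP result 49 as "data NNN".
# Values as documented by Microsoft for AcceptSecurityContext failures.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bracketed message AD returns through JNDI/ldaptive, e.g.
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment:
#  AcceptSecurityContext error, data 52e, v2580]"
AD_ERROR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<ntstatus>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)


def classify_ad_bind_error(line: str) -> Optional[dict]:
    """Return a structured view of an AD bind failure found in one log line,
    or None when the line carries no such error."""
    match = AD_ERROR_RE.search(line)
    if not match:
        return None
    data = match.group("data").lower()
    return {
        "result_code": int(match.group("code")),
        "ntstatus": match.group("ntstatus"),
        "dsid": match.group("dsid"),
        "comment": match.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown AD sub-code"),
    }


def scan_catalina_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """Walk a log (one string per line) and collect (line number, finding)
    pairs for every AD bind failure; line numbers are 1-based."""
    findings = []
    for number, line in enumerate(lines, start=1):
        info = classify_ad_bind_error(line)
        if info is not None:
            findings.append((number, info))
    return findings


# Constructed sample log: line 2 is the poster's error, lines 3 and 4 are
# invented variants showing other sub-codes; line 1 is unrelated DEBUG noise.
SAMPLE_LOG = [
    "2016-10-12 14:54:33,364 DEBUG [org.ldaptive.BindOperation] - <execute request=[...]>",
    "org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]",
    "org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 525, v2580]",
    "org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 533, v2580]",
]

if __name__ == "__main__":
    for number, info in scan_catalina_log(SAMPLE_LOG):
        print(f"line {number}: result {info['result_code']}, data {info['data']} -> {info['meaning']}")
```

A 52e for the manager bind means the DN was resolved and the account exists, so the thing to re-check is the password bytes that reach the server rather than the DN or the base DN; a 525 would instead point at the bind identity itself.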

KERAIN Stéphane
Oct 12, 2016, 11:00:10 AM
to CAS Community
Tried with success:

ldapsearch -T -x -H ldap://my-ldap-server.my-domain:389 -b 'DC=my-domain,DC=global-domain' -w 'manager-password' -D 'my-manager@my-domain.global-domain' -Z sAMAccountName='some username here that exists in your AD'


'Patrick Gardella' via CAS Community
Oct 12, 2016, 11:05:28 AM
to Stephane KERAIN, cas-...@apereo.org
UTF-8 characters in the password might be the problem.  Are you using Java 7 or 8?

Looking at the Java spec, it expects ISO-8859-1 encoding on the file if you are using Java 7:

Java 8 looks like it uses UTF-8 by default now:

Someone else who is more familiar with the code base can tell me if I'm wrong here.

Patrick+



On Wed, Oct 12, 2016 at 10:54 AM, Stephane KERAIN <stephan...@infodb.fr> wrote:

First, thank you for your help. :)


I tried your test (I had already done it) and it succeeded: I'm able to read user info from AD. The password contains UTF-8 characters; do you think it could be an encoding issue?


Stéphane KERAIN

From: Patrick Gardella <patrick.gardella@asburyseminary.edu>
Sent: Wednesday, 12 October 2016 16:20:44
To: Stephane KERAIN
Subject: Re: [cas-user] CAS 4.2.5 - AD authentication failed

If I'm reading your log correctly (I'm fairly new to this myself), I see that AD is returning an error code 52e near the end of your log snippet:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]

Looking up that error code points to "invalid credentials". (See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 for details.) Since it is not returning a "data 525" error, that means that it recognizes the user, but you have the wrong password.

If you are running this on a Linux system, you can install the ldap-utils package

sudo apt-get install libnss-ldap ldap-utils

and then run a query from the command line, to make sure you have things set up properly. Using your variables, the command would be:

ldapsearch -T -x -H ldap://my-ldap-server.my-domain:389 -b 'DC=my-domain,DC=global-domain' -w 'manager-password' -D 'my-manager@my-domain.global-domain' -Z sAMAccountName='some username here that exists in your AD'

Patrick+

On Wed, Oct 12, 2016 at 9:31 AM, KERAIN Stéphane <stephan...@infodb.fr> wrote:
Hi,

I'm trying to configure my CAS server for AD authentication. I've read the documentation several times and made multiple attempts, but nothing works: AD authentication fails.

Need some help, please. :)

Best regards, Stéphane.

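The exchange above turns on how the bytes of ldap.managerPassword in cas.properties are interpreted before the bind is sent. One fact worth having in hand: java.util.Properties.load(InputStream) decodes the stream as ISO-8859-1 on every JDK version, Java 8 included, and characters outside that range have to be written as \uXXXX escapes (the JDK 8 native2ascii tool produces exactly that form). The Python example below is added here and is not code from the thread or from CAS; it reproduces the mismatch on a constructed password and shows that the escaped form loads correctly whatever the file's byte encoding. The loader is a deliberate simplification: it mimics only the ISO-8859-1-plus-\u behaviour of the Java loader and ignores the other escapes (\t, \n, line continuations) that do not bear on the encoding question.

```python
import re
from typing import Dict

# Resolves the \uXXXX escapes that java.util.Properties understands.
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def load_property_value(raw_line: bytes) -> str:
    """Simplified model of java.util.Properties.load(InputStream) for one
    'key=value' line: every byte is decoded as ISO-8859-1 (never UTF-8),
    then \\uXXXX escapes are expanded. Other escapes are ignored here."""
    text = raw_line.decode("iso-8859-1").rstrip("\r\n")
    _key, _sep, value = text.partition("=")
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def escape_for_properties(value: str) -> str:
    """ASCII-only form of a value, as native2ascii would write it: every
    character above U+007F becomes \\uXXXX, so the file encoding no longer
    matters."""
    return "".join(c if ord(c) < 0x80 else "\\u%04x" % ord(c) for c in value)


def demonstrate(password: str) -> Dict[str, object]:
    """Write the same password two ways, load both the way Java would, and
    report what the simple bind would actually send (the LDAP provider encodes
    the bind password as UTF-8 on the wire)."""
    utf8_line = b"ldap.managerPassword=" + password.encode("utf-8")
    escaped_line = ("ldap.managerPassword=" + escape_for_properties(password)).encode("ascii")

    from_utf8_file = load_property_value(utf8_line)
    from_escaped_file = load_property_value(escaped_line)
    return {
        "from_utf8_file": from_utf8_file,
        "from_escaped_file": from_escaped_file,
        # True only when the bytes sent in the bind equal the real password's bytes.
        "utf8_file_binds_correctly": from_utf8_file.encode("utf-8") == password.encode("utf-8"),
        "escaped_file_binds_correctly": from_escaped_file.encode("utf-8") == password.encode("utf-8"),
    }


# Constructed sample password (not a real credential): mixes an ISO-8859-1
# character (é) with one outside that range (€, U+20AC).
SAMPLE_PASSWORD = "Été€42"

if __name__ == "__main__":
    for name, value in demonstrate(SAMPLE_PASSWORD).items():
        print(f"{name}: {value!r}")
```

Loading the UTF-8-encoded line yields a ten-character mojibake string ("Ã\x89tÃ©â\x82¬42") whose UTF-8 bytes differ from the password's, which is enough for AD to answer 52e; the escaped line round-trips to the original six characters. This is also why the value of a CAS password-encoding property for the user credential does not affect the manager bind: the manager password is mangled at file-load time, before any CAS code sees it.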

KERAIN Stéphane
Oct 13, 2016, 3:02:05 AM
to CAS Community
I changed my password to omit "special" characters, and the connection to AD succeeded. Even if I have identified the anomaly, I don't understand why: I'm using Tomcat 8 on JDK 8 for the CAS overlay webapp. I tried changing the cas.authn.password.encoding.char property to UTF-8 in cas.properties, but the connection to AD still failed with the original password. Do I have to compile the CAS overlay with JDK 7? What is the purpose of the cas.authn.password.encoding.char property in that case?
