On a UVMS with LDAPS enabled, the following error occurs:
|ERROR| uvms-pool-1-tid-10 | com.orsyp.central.ldap.MD5Login | Authentication Exception
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 52e, v4563]
Here is the result of the unicheckldap command with the new user:
unicheckldap -login X741488 -password "PASSWORD"
UVMS configured with LDAP authentication.
Init log4j from: /opt/univiewer/univiewer_server/NODE_MgtServer/data/log4j2.xml
Loading ldap.xml
********************
ldap.xml loaded. 2 configuration(s) found(s)
********************
Checking configuration: [LDAP Repository Orwell]:
Host: XXX Port: 636 SSL: true
---------------------------------------------
supported SASL mechanisms:
+ GSSAPI
+ GSS-SPNEGO
+ EXTERNAL
+ DIGEST-MD5
DIGEST-MD5 mechanism supported.
---------------------------------------------
SUCCESS Host: XXX configuration is OK
User search filter: (&(objectClass=person)(sAMAccountName=!login!))
User list search filter: (&(objectClass=person)(sAMAccountName=*))
Group list search filter:
Nested group: false
Referral: false
SUCCESS Login: X741488 found on the LDAP server
FAILURE Login: X741488 authentication failed
At first glance, it would seem like an incorrect password as we get the classic error 49, data 52e. However, the same user with the same password worked everywhere except on UVMS.
Release : 6.x and 7.x
Component: Dollar Universe
Sub-Component: Univiewer Management Server
Context: LDAPS enabled
The password was not sent to the LDAPS server with the correct value because of an incorrect setting in ldap.xml:
<securityAuthentication>DIGEST-MD5</securityAuthentication>
In an LDAP over SSL context, this should be set to simple:
<securityAuthentication>simple</securityAuthentication>
Modify ldap.xml and set the securityAuthentication parameter to simple when SSL is enabled:
<securityAuthentication>simple</securityAuthentication>
Then restart UVMS for the change to take effect.
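To recognise this case quickly, the check below reads saved unicheckldap output together with the contents of ldap.xml and reports each SSL configuration where the login is found but authentication fails while securityAuthentication is not simple. It is an added example, not part of the product or of the original article; the function names and sample inputs are constructed, and ldap.xml is scanned as text because only the securityAuthentication element is shown above.

```python
import re

# Constructed sample inputs, modelled on the output and setting shown above.
SAMPLE_OUTPUT = """\
Checking configuration: [LDAP Repository Orwell]:
Host: XXX Port: 636 SSL: true
SUCCESS Host: XXX configuration is OK
SUCCESS Login: X741488 found on the LDAP server
FAILURE Login: X741488 authentication failed
"""
SAMPLE_LDAP_XML = "<securityAuthentication>DIGEST-MD5</securityAuthentication>"

def parse_unicheckldap(text):
    """Return one dict per 'Checking configuration' block of unicheckldap output."""
    configs = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Checking configuration: \[(.*)\]:", line)
        if m:
            configs.append({"name": m.group(1), "ssl": False,
                            "found": False, "auth_failed": False})
            continue
        if not configs:
            continue  # ignore banner lines before the first configuration
        cur = configs[-1]
        if re.match(r"Host: .* SSL: true$", line):
            cur["ssl"] = True
        elif re.match(r"SUCCESS Login: \S+ found on the LDAP server", line):
            cur["found"] = True
        elif re.match(r"FAILURE Login: \S+ authentication failed", line):
            cur["auth_failed"] = True
    return configs

def non_simple_auth(ldap_xml_text):
    """List securityAuthentication values in ldap.xml that are not 'simple'."""
    values = re.findall(
        r"<securityAuthentication>\s*([^<]*?)\s*</securityAuthentication>",
        ldap_xml_text)
    # Assumption: the value is compared case-insensitively.
    return [v for v in values if v.lower() != "simple"]

def triage(output_text, ldap_xml_text):
    """Names of SSL configurations matching this article's symptom and cause."""
    bad = non_simple_auth(ldap_xml_text)
    return [c["name"] for c in parse_unicheckldap(output_text)
            if c["ssl"] and c["found"] and c["auth_failed"] and bad]

if __name__ == "__main__":
    for name in triage(SAMPLE_OUTPUT, SAMPLE_LDAP_XML):
        print(f"{name}: user found but bind failed over SSL; "
              f"securityAuthentication={non_simple_auth(SAMPLE_LDAP_XML)}")
```

An empty result with the same failure in the output means securityAuthentication is already simple, so the error 49, data 52e should be treated as a real credential problem.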