Error "Exception when creating LDAP Context" in tomcat when verifying a target account

Article ID: 281341

Updated On: 03-28-2024

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Trying to verify a Domain account with the correct password, while connected to the correct Domain Controller, results in the following error messages in the Tomcat log:

2024-03-27T09:20:14.508+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.ADLdapContext.createLdapContext Exception when creating LDAP Context null
    java.security.PrivilegedActionException: java.security.PrivilegedActionException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52f, v4563 ]
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at com.cloakware.cspm.server.plugin.targetmanager.ADLdapContext.createLdapContext(ADLdapContext.java:95)

This happens even when it has been verified that the username and password are correct, that there is connectivity to the Active Directory target application the target account is defined for, and that the user can independently log on to Windows with the same username and password.

While the target account is being verified, the Active Directory logs show messages about an incorrect username and password.

Environment

CA PAM all versions

Cause

This error may occur when the target account that is being rotated or verified is a member of the Protected Users group. CA PAM does not support rotating or verifying passwords of users that are members of this special Windows group.

Resolution

Remove the user from the Protected Users group
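As an added example (not CA PAM's own tooling), the following PowerShell check confirms whether the target account is a Protected Users member before the group change or a retry of the verification. It assumes the RSAT ActiveDirectory module is installed and uses a hypothetical account name and domain controller.

```powershell
# Added example, not part of CA PAM: check whether a candidate target account is a
# member of the domain's Protected Users group before verifying or rotating it.
# Requires the RSAT ActiveDirectory module on the machine running the check.
Import-Module ActiveDirectory

function Test-ProtectedUsersMember {
    [CmdletBinding()]
    param(
        # sAMAccountName of the target account PAM will verify (assumed input)
        [Parameter(Mandatory)][string]$SamAccountName,
        # Domain controller PAM is configured against; omitted = current domain
        [string]$Server
    )

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # Protected Users is a well-known group with RID 525, so resolve it by SID
    # instead of by its (localizable) display name.
    $domainSid = (Get-ADDomain @adArgs).DomainSID.Value
    $group = Get-ADGroup -Identity "$domainSid-525" @adArgs

    # -Recursive expands nested groups, so indirect membership is reported too.
    $members = Get-ADGroupMember -Identity $group -Recursive @adArgs |
        Where-Object { $_.objectClass -eq 'user' }

    $hit = $members | Where-Object { $_.SamAccountName -eq $SamAccountName }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        ProtectedUser  = [bool]$hit
        GroupDN        = $group.DistinguishedName
        Note           = if ($hit) {
            'Member of Protected Users: PAM verify/rotate is unsupported (matches LDAP error 49, data 52f in this article).'
        } else {
            'Not a Protected Users member: look elsewhere if verification still fails.'
        }
    }
}

# Usage with hypothetical values: run before retrying "Verify" in PAM
Test-ProtectedUsersMember -SamAccountName 'svc-pam-rotate' -Server 'dc01.example.com'
```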

Additional Information

More information about the Protected Users group can be found in the following Microsoft reference:

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group