Failing to login to cf cli and appsmanager with error: "LDAP: error code 49"

Article ID: 441887

Products

VMware Tanzu Platform Core, VMware Tanzu Application Service

Issue/Introduction

  • After an upgrade or Apply Changes operation on the EAR/TAS tile, LDAP users are no longer able to log in using the cf CLI or Apps Manager.
  • The error impacts all LDAP users, as well as local users (if configured).
  • The EAR/TAS tile is configured to use an LDAP server in the Authentication and Enterprise SSO section of the configuration.
  • The configuration in the LDAP server section worked in the past.
  • When using the cf login command, the following error is returned:

    Authenticating...
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090451, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090451, comment: AcceptSecurityContext error, data 52e, v3839]

Cause

This failure occurs when the service account that UAA (the authentication component behind the cf CLI and Apps Manager) uses to bind to the LDAP server is configured with a password that does not match the password stored in the directory. The account is configured in the EAR/TAS tile, under the Authentication and Enterprise SSO section, in the "LDAP credentials" fields. Because this first bind is made with the service account rather than with the end user's credentials, it fails before any user's own password is checked, which is why every LDAP user is affected at once.

Typical ways to get into this state: the EAR/TAS tile configuration is managed by a pipeline whose stored secret is out of date and still carries an old password, so an Apply Changes re-applies the old value over a working one; or someone updated the credentials in the tile and saved them some time ago without running Apply Changes, and the later upgrade or Apply Changes deployed that saved (and by now incorrect) password for the first time.

Breaking down the error code reported:

  • Error code 49: the LDAP result code invalidCredentials, i.e. the bind was rejected. On its own it does not say why.
  • 80090308: the Windows SSPI status SEC_E_INVALID_TOKEN, returned by AcceptSecurityContext (named in the comment field) when the logon attempt fails.
  • data 52e: the most useful part. It is the Windows error number in hex (0x52e = 1326, ERROR_LOGON_FAILURE), which Active Directory returns when the bind password is wrong for a known account. Other values in the same position mean something different and call for a different fix: 525 (user not found), 52f (account restrictions), 530/531 (logon not permitted at this time/from this workstation), 532 (password expired), 533 (account disabled), 701 (account expired), 773 (user must reset password), 775 (account locked out). A service account that has been hammered with a stale password by a pipeline can therefore move from 52e to 775 once the domain's lockout threshold is reached.
  • DSID-0C090451: an internal Active Directory identifier that pinpoints the location in the AD code where the error was raised; it changes with the OS version of the domain controller and is not needed for troubleshooting.
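The following is an added example, not part of the original article or of any Tanzu component: a small Python decoder that pulls the LDAP result code, SSPI status, DSID and the AD "data" sub-code out of a UAA/cf CLI error line and maps the sub-code to a triage action. It generalizes beyond the 52e case on this page to the other AcceptSecurityContext sub-codes listed above. The sample messages are constructed for the example (the first is the message from this article, the second is a constructed lockout variant); the table of sub-codes is the standard Active Directory mapping.

```python
import re
from typing import Optional

# Active Directory "data" sub-codes reported after "AcceptSecurityContext error".
# Keys are the hex values exactly as they appear in the LDAP error string.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password for a known account)",
    "52f": "account restrictions prevent this logon",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# What an operator should do for each sub-code when it is the tile's
# service account that fails to bind. Hypothetical guidance text for the example.
TRIAGE = {
    "525": "check the bind DN / username in the tile's LDAP credentials",
    "52e": "fix the service-account password in the tile's LDAP credentials, then Apply Changes",
    "532": "rotate the service-account password in AD, update the tile, then Apply Changes",
    "533": "re-enable the service account in AD before retrying",
    "773": "reset the service-account password in AD (no interactive reset is possible for a bind account)",
    "775": "unlock the account in AD, then fix the stale password that caused the lockout",
}

# Matches the AD-style LDAP error block embedded in the Java exception text.
LDAP_PATTERN = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<sspi>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


def decode_ldap_error(message: str) -> Optional[dict]:
    """Parse the first AD LDAP error block in `message`; return None if absent."""
    m = LDAP_PATTERN.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "ldap_code": int(m.group("code")),
        "sspi_status": "0x" + m.group("sspi").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment"),
        "data": data,
        "win32_error": int(data, 16),          # 0x52e -> 1326 (ERROR_LOGON_FAILURE)
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        "action": TRIAGE.get(data, "consult the AD sub-code table"),
    }


def triage_line(message: str) -> str:
    """One-line verdict suitable for a runbook or a log-scanning script."""
    info = decode_ldap_error(message)
    if info is None:
        return "no Active Directory LDAP error block found"
    return (f"LDAP {info['ldap_code']} / data {info['data']} "
            f"({info['win32_error']}): {info['meaning']} -> {info['action']}")


# Constructed sample input: the message from the article, and a lockout variant.
SAMPLE_52E = (
    "Authenticating...\n"
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090451, comment: "
    "AcceptSecurityContext error, data 52e, v3839]; nested exception is "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090451, comment: AcceptSecurityContext error, data 52e, v3839]"
)
SAMPLE_775 = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090451, comment: "
              "AcceptSecurityContext error, data 775, v3839]")

if __name__ == "__main__":
    for sample in (SAMPLE_52E, SAMPLE_775, "connection refused"):
        print(triage_line(sample))
```

Run it against the text of a failed cf login (or a UAA log line) to tell a wrong password apart from a lockout, a disabled account or an expired password before editing the tile.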

Resolution

Edit the LDAP credentials in the EAR/TAS tile (Authentication and Enterprise SSO section) and ensure the correct username and password are used for the service account that binds to the LDAP server, then Apply Changes. Before applying, it is worth confirming the credentials outside the platform, for example with a simple bind using the same bind DN and password from a host that can reach the directory, since an Apply Changes is slow and a second wrong value simply reproduces the failure. Also check that the account has not been locked out by the repeated failed binds (the data value changes from 52e to 775 in that case) and, where a pipeline manages the tile, update the secret the pipeline holds as well so the next run does not reapply the stale password.