Spring Active Directory Authentication

 
Ranch Hand
Posts: 80
I have been trying (and trying) to get a Spring application to authenticate against an AD LDAP server. I keep getting a "Bad credentials" exception. When I use the same username/password in an LDAP tool, it works without issue. I am using Spring Security 3.1.2 and there isn't much to the configuration. Does anyone have any ideas? I just want to see it authenticate and work from there. I can't even get that to happen. Help..


<authentication-manager>
    <authentication-provider ref="activeDirectoryAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="activeDirectoryAuthenticationProvider"
            class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="my.domain.com" />
    <beans:constructor-arg value="ldap://my.domain:389" />
    <beans:property name="convertSubErrorCodesToExceptions" value="true"/>
</beans:bean>
 
Bartender
Posts: 1682
Please UseCodeTags.

You are probably going to need a little more information to figure out what is happening. I would set your logger levels for org.springframework.security to DEBUG and you should get a better picture of what exactly you are missing.
 
Greenhorn
Posts: 3
Hi James,

Did you ever discover what your issue was? I'm having the exact same problem with pretty much the same setup.

I know it's hitting AD because if I use a non-existent username, I get:

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: batman
DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Authentication for [email protected] failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
INFO org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Active Directory authentication failed: User was not found in directory
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

If I use an incorrect password, I get:

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: msolano
DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Authentication for [email protected] failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
INFO org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Active Directory authentication failed: Supplied password was invalid
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials


However, with the correct username and password, I only get a message saying Ignoring PartialResultException (which I think is ok) and the BadCredentialsException.

DEBUG org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: msolano
DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN ', base = dc=domain,dc=net, filter = (&(objectClass=user)(userPrincipalName={0}))
INFO org.springframework.security.ldap.SpringSecurityLdapTemplate - Ignoring PartialResultException
DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

I appreciate any feedback you or anyone else may have. Thank you!

-Mike
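
Added example, not part of the original posts and not Spring Security code: a small triage script for the three failure patterns quoted above. It reads the AD sub-error code from the `data NNN` field of an LDAP error 49 and separates a bind that AD rejected from a failure that happens after the bind, during the user search. It assumes the `SpringSecurityLdapTemplate` search line is only logged once the bind has succeeded, as the logs in this thread suggest; the sample lines and user names are constructed.

```python
import re

# Well-known AD sub-error codes from the "data NNN" field of an LDAP error 49.
AD_SUBERRORS = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked",
}
USER_RE = re.compile(r"Processing authentication request for user: (\S+)")
DATA_RE = re.compile(r"error code 49\b.*?\bdata ([0-9a-fA-F]+)")
SEARCH_RE = re.compile(r"SpringSecurityLdapTemplate - Searching for entry")
FAIL_RE = re.compile(r"BadCredentialsException")

# Constructed sample modelled on the DEBUG output quoted in the thread (users are made up).
SAMPLE = """\
DEBUG ...ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: alice
DEBUG ...ActiveDirectoryLdapAuthenticationProvider - Authentication for alice@example.test failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
DEBUG ...UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
DEBUG ...ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: bob
DEBUG ...SpringSecurityLdapTemplate - Searching for entry under DN '', base = dc=example,dc=test, filter = (&(objectClass=user)(userPrincipalName={0}))
INFO ...SpringSecurityLdapTemplate - Ignoring PartialResultException
DEBUG ...UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
""".splitlines()

def classify(log_lines):
    """Return one (user, verdict) tuple per failed authentication attempt."""
    results, user, subcode, searched = [], None, None, False
    for line in log_lines:
        m = USER_RE.search(line)
        if m:  # a new attempt starts: reset the per-attempt state
            user, subcode, searched = m.group(1), None, False
            continue
        m = DATA_RE.search(line)
        if m:
            subcode = m.group(1).lower()
        elif SEARCH_RE.search(line):
            searched = True
        elif FAIL_RE.search(line) and user is not None:
            if subcode is not None:
                verdict = "bind rejected by AD: " + AD_SUBERRORS.get(subcode, "sub-error " + subcode)
            elif searched:
                verdict = "bind accepted, failed after user search"
            else:
                verdict = "failed, cause not in log"
            results.append((user, verdict))
            user = None
    return results
```

Running `classify(SAMPLE)` puts the second attempt in the "bind accepted" bucket, which is the case where the password is not the problem and the search base or filter is worth checking.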
 
Mike Solano
Greenhorn
Posts: 3
I believe the problem I'm seeing may be a bug in ActiveDirectoryLdapAuthenticationProvider. I found the following forum post on the spring forums:

http://forum.springsource.org/showthread.php?134991-Active-Directory-authentication-in-Spring-3-1

And I created a JIRA issue for it here since one didn't seem to exist:

https://jira.springsource.org/browse/SEC-2224
 
Bill Gorder
Bartender
Posts: 1682
Welcome to the Ranch Mike and thanks for posting back with what you have found!
 
Mike Solano
Greenhorn
Posts: 3
Thanks Bill! Long time lurker, first time caller.

I'll update again when/if I see any traction on the JIRA issue.
 