Issue
I'm new to Spring security and trying to connect to Active Directory.
I'm having issues logging in with general users. When I use '[email protected]' to log in, I don't get any debug output or anything.
If I try the same username with a gibberish password, I get the following error:
[nio-8080-exec-4] ctiveDirectoryLdapAuthenticationProvider : Authentication for [email protected] failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 ]
I know that error means the username exists but the password was bad (which is what we want).
My question is why am I getting nothing when using the correct username/password.
Here is my config
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        ActiveDirectoryLdapAuthenticationProvider adProvider = new ActiveDirectoryLdapAuthenticationProvider(null,
                "ldap://10.100.2.11:389");
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setUseAuthenticationRequestCredentials(true);
        //adProvider.setSearchFilter("(&(objectClass=user)(sAMAccountName={0}))");
        // adProvider.setSearchFilter("(|" +
        //         "(&(objectClass=user)(userPrincipalName={0}))" +
        //         "(&(objectClass=user)(samAccountName={1}))" +
        //         ")");
        auth.authenticationProvider(adProvider);
        auth.eraseCredentials(false);
    }
I've tried the commented-out search filters and neither of them changes any behavior.
Here's the debug output when I try to log in with correct credentials:
2022-07-08 10:56:14.066 DEBUG 4416 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Securing POST /login
2022-07-08 10:56:14.067 DEBUG 4416 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-08 10:56:14.196 DEBUG 4416 --- [nio-8080-exec-7] o.s.s.web.DefaultRedirectStrategy : Redirecting to /login?error
2022-07-08 10:56:14.197 DEBUG 4416 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-08 10:56:14.197 DEBUG 4416 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-08 10:56:14.197 DEBUG 4416 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2022-07-08 10:56:14.202 DEBUG 4416 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Securing GET /login?error
2022-07-08 10:56:14.203 DEBUG 4416 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2022-07-08 10:56:14.203 DEBUG 4416 --- [nio-8080-exec-8] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-08 10:56:14.203 DEBUG 4416 --- [nio-8080-exec-8] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-07-08 10:56:14.204 DEBUG 4416 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
Solution
Figured it out by setting the rootDn value in my config for my ActiveDirectoryLdapAuthenticationProvider to 'dc=domain, dc=com'.
Answered By - Manning
Answer Checked By - David Marino (JavaFixing Volunteer)
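The fix described in the answer, written out as an added example (not code from the original post): the three-argument constructor sets rootDn, and a failure-event listener logs the reason behind a redirect to /login?error. The class name, the listener and the 'dc=domain,dc=com' base DN are placeholders and assumptions; the listener relies on the AuthenticationEventPublisher that Spring Boot auto-configures.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    private static final Logger log = LoggerFactory.getLogger(AdSecurityConfig.class);

    // URL from the question. Plain ldap:// carries the simple-bind password
    // unencrypted; use ldaps:// where the domain controller supports it.
    private static final String AD_URL = "ldap://10.100.2.11:389";

    // Placeholder base DN (assumption): replace with the DN of your own domain.
    private static final String AD_ROOT_DN = "dc=domain,dc=com";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Domain stays null as in the question, so users log in with a full
        // user@domain name. With rootDn set, the user search that follows the
        // bind starts at AD_ROOT_DN rather than at a root derived from the
        // login name's UPN suffix.
        ActiveDirectoryLdapAuthenticationProvider adProvider =
                new ActiveDirectoryLdapAuthenticationProvider(null, AD_URL, AD_ROOT_DN);
        adProvider.setConvertSubErrorCodesToExceptions(true);
        adProvider.setUseAuthenticationRequestCredentials(true);
        auth.authenticationProvider(adProvider);
    }

    // Logs exception type and root cause for every failed login so that a
    // redirect to /login?error is never silent. The password is not logged.
    @EventListener
    public void onAuthenticationFailure(AbstractAuthenticationFailureEvent event) {
        Throwable ex = event.getException();
        Throwable cause = (ex.getCause() != null) ? ex.getCause() : ex;
        log.warn("Login failed for '{}': {} (cause: {})",
                event.getAuthentication().getName(), ex.getClass().getSimpleName(), cause.toString());
    }
}
```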