Active Directory kerberos authentication ticket control

Similar Questions

• ESX - integration with Active Directory: Kerberos?

  Hi all

  We set up the integration of ads for SSH on ESX 3.5 U3 accounts.

  esxcfg-auth - enablead works very well:

  esxcfg-auth - enablead - addomain = our.domain.com - addc = our.domain.com

  For some reason, there was already an additional line in the configuration script: esxcfg-auth - enablekrb5

  esxcfg-auth--enablekrb5--krb5realm=our.domain.com--krb5kdc=our.domain.com--krb5adminserver=our.domain.com

  Things go awry as soon as the last command entered.

  When you add a local account with this powershell command, we get this error:

  New-VMHostAccount: 12/05/2009-10:17:11 new-VMHostAccount 52976ebb - 2 d 24

  -f493-9aa3-bca7894ef581 a general error has occurred: passwd: Authenticate

  mishandling symbolic ion

  The local account is created, but the equivalent of Active Directory gets locked out, after several of these events:

  Failed prior authentication

  User name: USER-TEST

  ID: DOMAIN\TEST-USER

  Service name: kadmin/changepw

  Pre-authentication type: 0x0

  Error code: 0 x 19

  Customer's address: 10.10.120.16

  Now, I have two questions for you:

  1 - does anyone how to solve the problem of blocking

  2 East - -enablekrb5 necessary? What gives me extra in addition to enablead-

  Thanks for your help!

  Kind regards

  Harold

  enablekrb5 is not necessary.  The enablead will set up your kerberos configuration to talk to ad.  the krb5 option is used when you use a KDC that does not have active directory.  In addition, when you create an account on the side ESX, it's pretty much an account without password.  At least no password in UNIX file perspective shadow.  Authentication works by checking the files local to the user name (since the announcement does not serve for the Pb of the user, only authentication), then check the password in the local files, which do not have a password, so failure, and continuing to the announcement through kerberos, for a successful verification.  If you try to create an account with a password on the ESX system, then this is the problem.  You don't need to put it, in fact, it must be without password, so without posting, the user can connect to the system via ssh not effectively or console.

  -KjB

  VMware vExpert

• Active Directory for authentication - authorization database

  Hello
  
  I searched a lot but could not find a way to work to do and I have Weblogic Server 10.3.4. My problem is; I currently have an Authenticator SQL read-only which validates the name of user and password and he also holds a group membership of those users. Thus, the when users are connected to our Flex application, they are authenticated and authorized through this security provider. Now, I want to * move the part name validation of username/password to Active Directory * and group membership and other roles etc will stay in the read-only SQL authenticator. To do this, I added the second security provider to my Kingdom which is Active Directory Authenticator, but right now because users are authenticated via Active Directory roles, the etc group memberships do not come to the user, resulting in not to be able to call EJB.
  
  So my question is, How can I manipulate simply authenticate users to Active Directory and other parties (roles, groups) of database (in the database I don't store the password more meaningless it longer)? Do I have to write a custom provider to do this, if this is the case can show you a way to work from the merger of two suppliers of security?
  
  Thank you.

  Yes, you will need to create a security provider for this.

  -Faisal
  http://www.WebLogic-wonders.com

• 6.0 ESXi host Active Directory Group authentication works in the hull but no client

  Got a weird here.

  Add 6.0 host vSphere to Active Directory.

  Added a group of pub with the Administrator role.

  I can authenticate with an AD user account that is a member of this group of ads, using SSH or Shell access.

  I cannot authenticate with an account AD who is a member of this group of ads using the Web UI or Client vSphere linking directly to the host.

  If I add the domain user directly with the role of administrator on the host computer permissions, the Web GUI and vSphere Client will be authenticate using the user of the AD.

  What it looks like access using SSH/Shell, vSphere host can burst of belonging to a group and to authenticate, but using the GUI Web or vSphere Client he can't.  There are not a lot of sense to me.

  The hostd.log file has nothing in it which is very informative, just a line saying "status: success accepted password for the user", followed by the event 131: could not connect the user without permission.

  Hello

  If you are in 6.0 Update 2? Then, this article could describe your problem:

  https://KB.VMware.com/kb/2145400

  Please try the fix and let us know if it helps.

  -Andreas

• View the authentication information active directory with PowerCLI

  How can I get a list of all the hosts that don't use active directory for authentication local environment using powerCLI?

  Try like this

  Get-VMHost | Get-VMHostAuthentication |

  where {$_.} Area - eq $null} |

  Select @{N = "Name"; E={$_. VMHost.Name}}

• Principal name for Active Directory "domain users".

  Hello
  
  I integrated successufully Weblogic & Active Directory Kerberos (SINGLE sign-on). I tested a web application and successifully logined with authentication.
  The system automatically recognizes my Active Directory user name. It worked.
  
  For authentication in my weblogic.xml I used
  
  < security-role-assignment >
  Admin > role name < < / role name >
  Kursat < SPN > < / main-name >
  < SPN > Fenerbahçe < / main-name >
  < / security role assignment >
  
  Now I am trying to allow all domain members authenticate my request. For my application, I need only the usernames of the directory an actress for them.
  
  To do this, I removed "Chris", "fenerbahce" of my weblogic.xml
  Kursat < SPN > < / main-name >
  < SPN > Fenerbahçe < / main-name >
  
  I added
  users in domain < SPN > - < / main-name >
  rather than write all users in the domain.
  
  However, I could not authenticate. I got the "Error 403 - Forbidden".
  
  Y does it can someone help me?

  test by creating a domain users groups and use it as your primary name in your weblogic.xml

  -Faisal
  http://www.WebLogic-wonders.com

• Directory LDAP authentication scheme does not

  I did some research on how to use active directory for authentication and it seems pretty obvious, but it does not for me in the APEX, while trying to authenticate the Works database.

  I created a new authentication system

  System type: LDAP Directory Service

  Host: < < Directory Server Active > >

  Port: 389

  DN: < < FIELD > > \%LDAP_USER%

  Use the distinguished name exactly: Yes

  I made sure that the new authentication scheme is underway.

  What application is running and I'm trying to connect, debug displays:

  ... Authentication failed: Invalid Login Credentials < div id = "apex_login_throttle_div" > please wait < span id = "apex_login_throttle_sec" > seconds 30 </span > to log in again. < / div

  But, I ran a test database using this code below that I found on the web and it runs without exception, so I don't know my settings, domain, host, port, user and password are correct.  Y at - it a step that I forget?

  DECLARE

  l_retval PLS_INTEGER;

  l_retval2 PLS_INTEGER;

  l_session dbms_ldap.session;

  l_ldap_host VARCHAR2 (256);

  l_ldap_port VARCHAR2 (256);

  l_ldap_user VARCHAR2 (256);

  l_ldap_passwd VARCHAR2 (256);

  l_ldap_base VARCHAR2 (256);

  BEGIN

  l_retval: = - 1;

  dbms_ldap.use_exception: = TRUE;

  l_ldap_host: = '< < ad server > > ';

  l_ldap_port: = '389';

  l_ldap_user: = ' < < MY AREA > >-< < my user > > ';

  l_ldap_passwd: = '< < password > > ';

  l_session: = dbms_ldap.init (l_ldap_host, l_ldap_port);

  l_retval: = dbms_ldap.simple_bind_s(l_session,l_ldap_user,l_ldap_passwd);

  dbms_output.put_line (' return value: ' | l_retval);

  l_retval2: = dbms_ldap.unbind_s (l_session);

  EXCEPTION

  WHILE OTHERS THEN

  dbms_output.put_line (rpad ('ldap session', 25, ' ') |) ': ' ||

  RAWTOHEX (substr (l_session, 1, 8)).

  '(retourné depuis init)");

  dbms_output.put_line (' error: ' |) SQLERRM | ' ' || SQLCODE);

  dbms_output.put_line (' user: ' | l_ldap_user);

  dbms_output.put_line (' host: ' | l_ldap_host);

  dbms_output.put_line ('port: ' | l_ldap_port);

  l_retval: = dbms_ldap.unbind_s (l_session);

  END;

  Hello

  If it works in the database, perhaps it is a typing error in your frame at the APEX?

  Create PL/SQL processes "on the charge before the header' on connection and as a PL/SQL block page for this entry process:

  begin
    APEX_DEBUG.ENABLE(apex_debug.c_log_level_engine_trace);
  end;
  

  Then run application, try to login and check the debug information. Maybe you'll find some clues to solve your problem.

• VCOPS 5.8 - where is the "Active Directory integration"?

  5.8 Notes version is a "novelty".

  Authentication options with the new integration with active directory for authentication.

  Where is this new option? All I see is former "LDAP import', which works, somehow. I was expecting something more easy to AD.

  I understand that it was a typo in the rel notes, because there is no change in the integration of Ops 5.8 vC ads. I think that this excerpt was intended to rel Insight journal notes, that add features more AD.

• Installation of Active Directory LDAP for the editor

  I hope it is easy.
  I have 10.3.4.1 BEEP and answers/dashboards. Answers/dashboard currently use active directory for authentication. I would like to do the same thing with BEEP.
  How can I do?
  Since I have now two products I have to go to a place of business?
  
  
  Article links would be fine. There is nothing in the manual of the editor on LDAP or Security (really). The websites I found display a file xml with a series of parameters, but they seem to refer to an earlier version of publisher.
  
  Should be easy points.

  Did you check this: http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188.pdf?

  Your version is 10.1.3.4.1?

  Thank you!

• Strategy of Kerberos WinServer2008r2 Active Directory group

  Hi all

  Need help bad in this. I'm trying to implement kerberos on my active directory. What I understand is kerberos is the default and the primary authentication protocol used when connected to a domain, but where and how do I configure kerberos settings in group policy? I managed to find configurations of kerberos in the "Local Group Policy Editor", but this would not push configurations to my clients right?

  I want to disable NTLM authentication as well and once again I can found under local policies > security options, but they are all local policies right? Is it possible that I can disable NTLM on my active directory and ensure that these settings are applied to my both client computers?

  Thank you so much in advance!
  PS: Sorry if I got some of my facts wrong, I'm a student performs internship and my understanding in active directory is not as strong.

  Server forums are more on the side the web site of Microsoft TechNet,
  This is where you find people who know.

  http://social.technet.Microsoft.com/forums/en-us/categories

• Firepower does not work when using the Active Directory group as a rule filter access control

  I am PoV of Cisco ASA with the power of fire with my client. I would like to integrate the power of fire to MS Active Directory. Everything seems to work properly.

  -Fire power user agent installation to complete successfully. Connection to AD work fine. The newspaper is GREEN.

  -J' created a Kingdom in FireSight and you can download users and groups from Active Directory.

  -J' created a politics of identity with passive authentication (using the field I created)

  -Can I use the AD account "user" as a filter in access control rule and it work very well.

  However, if I create the rule of access control with AD Group', the rule never get match. I'm sure that the user that I test is a member of the group. Connection event show the system to ignore this rule and the traffic is blocked by the default action below. It doesn't look like the firepower doesn't know that the user belongs to the group.

  I use

  -User agent firepower for Active Directory v2.3 build 10.

  -ASA 5515 software Version 9.5 (2)

  -Fire version 6.0.0 - 1005 power module

  -Firepower for VMWare Management Center

  Any suggestion would be appreciated. Thanks in advance.

  Hello

  You should check the download user under domain option. Download the users once belonging to a group is specified on the ad and then test the connection.

  Thank you

  Yogesh

• Windows Server 2008 R2, with two Windows Storage Server 2003 Standard: How can I add the MAC authentication on top of Active Directory authentication for a storage servers?

  I have two running Windows Storage Server 2003 storage servers in a domain R2 Windows Server 2008 Standard.  On top of the Active Directory authentication, I want to add authentication of MAC address for the access to one of the storage servers.  In this scenario, an authenticated user is unable to log on to the target storage server unless the user is also on one of the computers MAC address accepted.  All domain users will have access to other folders and files as configuration storage server in Active Directory.  I already have a user access to installation by the permissions for folders on the storage server target, but I still want to restrict access to specific computers as well.  For what it's worth the server hardware is HP Proliant DL360 G5 for the Standard Server 2008 R2 and server HP Proliant DL185 G5 for two Storage Server 2003 computers.  I don't want to have MAC address authentication as the main means of access control to the network, only for the storage server a as an addition to control Active Directory.

  Hi Kerry,

  The question you posted would be better suited in the TechNet Server Forums since we have dedicated to this support; We recommend that you post your question in the TechNet Forums to get help:

  http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  Keep us informed on the status of the issue.

• authentication Microsoft Active Directory iDRAC 7

  Hello

  I installed Microsoft Active Directory on iDRAC 7 with some very basic options (no certificate, no Single Sign-On, not Kerberos Keytab, the Standard schema). Everything works fine.

  The problem is that we have 2 forests with full trust configured between them and iDRAC is not able to authenticate the users of both of them.

  Basically, we have the single domain on 1 security group and pair the users of these two forests (1 and foret2). If I add domain (DC) IPs for two areas-forest controllers, authentication fails on the first domain controller, if the user is a different domain (check does not reach the second DC IP to verify the user). The error I get:

  ERROR: failed to bind: Invalid credentials, 80090308: LdapErr: IDDM-0C0903A9, comment: AcceptSecurityContext error, 52nd data, v1db0: [email protected] host = 192.168.0.1.

  [email protected] - 1 user
  192.168.0.1 - foret2 DC IP

  Does IDARC support AD authentication for users of forest separated couple?

  Thank you

  iDRAC do not support authentication Active Directory for the domain of the unique forest.

• separate authentication and authorization for Active directory groups

  Hi all

  After a long search and failure, I write the question.

  I use apex oracle 4.2 on windows server 2012 on oracle 12 c, all 64 bits.

  We have configured Microsoft Active directory with LDAP.

  in LDAP, we have a core group which is say A and an is down there students and the two groups.

  According to the staff, there are many other groups and students, there are a lot of groups.

  I created a mobile application, it has a main page that is publicly accessible without username and password.

  in this home page, I have a list that contains two elements, personnel and another is a student.

  When one of the list item, the login screen appears.

  now I want to control when the user clicks on the staff list, only personnel should be authenticated.

  If the end user is a student, it doesn't have to be authenticated.

  the same goes for the student list item, if the end-user click on list of students, only students must be authenticated.

  someone please guide me, I'm failed in research and testing.

  Thank you.

  Kind regards.

  Hi Maahjoor,

  Try this (it is written all the attributes for the user) by logging in to your schema to SQL Developer:

  DECLARE
  
    -- Adjust as necessary.
    l_ldap_host    VARCHAR2(256) := 'hct.org';
    l_ldap_port    VARCHAR2(256) := '389';
    l_ldap_user    VARCHAR2(256) := 'cn=hct\itnew';
    l_ldap_passwd  VARCHAR2(256) := 'itnew';
    l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
  
    l_retval       PLS_INTEGER;
    l_session      DBMS_LDAP.session;
    l_attrs        DBMS_LDAP.string_collection;
    l_message      DBMS_LDAP.message;
    l_entry        DBMS_LDAP.message;
    l_attr_name    VARCHAR2(256);
    l_ber_element  DBMS_LDAP.ber_element;
    l_vals         DBMS_LDAP.string_collection;
  
  BEGIN
  
    -- Choose to raise exceptions.
    DBMS_LDAP.USE_EXCEPTION := TRUE;
  
    -- Connect to the LDAP server.
    l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                portnum  => l_ldap_port);
  
    l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                        dn     => l_ldap_user||','||l_ldap_base,
                                        passwd => l_ldap_passwd);
  
    -- Get all attributes
    l_attrs(1) := '*'; -- retrieve all attributes
    l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                   base     => l_ldap_base,
                                   scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                   filter   => l_ldap_user,
                                   attrs    => l_attrs,
                                   attronly => 0,
                                   res      => l_message);
  
    IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
      -- Get all the entries returned by our search.
      l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                       msg => l_message);
  
      << entry_loop >>
      WHILE l_entry IS NOT NULL LOOP
        -- Get all the attributes for this entry.
        DBMS_OUTPUT.PUT_LINE('---------------------------------------');
        l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                 ldapentry => l_entry,
                                                 ber_elem  => l_ber_element);
        << attributes_loop >>
        WHILE l_attr_name IS NOT NULL LOOP
          -- Get all the values for this attribute.
          l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                          ldapentry => l_entry,
                                          attr      => l_attr_name);
          << values_loop >>
          FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
            DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
          END LOOP values_loop;
          l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                  ldapentry => l_entry,
                                                  ber_elem  => l_ber_element);
        END LOOP attibutes_loop;
        l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                        msg => l_entry);
      END LOOP entry_loop;
    END IF;
  
    -- Disconnect from the LDAP server.
    l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
  
  END;
  /
  

  NOTE: The DN parameter on line 29 requires exact unique name for the user. In addition, on line 37 to filter, you can use username i.e. "cn = firstname.lastname."

  You can specify a specific attribute must be extracted from the user in order by changing line 33 of the:

  l_attrs(1) := '*';
  

  TO

  l_attrs(1) := 'title';
  

  Then you can write a function based on above the code to extract the attribute LDAP user as follows:

  create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
                                                        , p_password in varchar2
                                                        , p_attrname in varchar2 )
  return varchar2
  as
  
    -- Adjust as necessary.
    l_ldap_host    VARCHAR2(256) := 'hct.org';
    l_ldap_port    VARCHAR2(256) := '389';
    l_ldap_user    VARCHAR2(256) := 'cn='||p_username;
    l_ldap_passwd  VARCHAR2(256) := p_password;
    l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
  
    l_retval       PLS_INTEGER;
    l_session      DBMS_LDAP.session;
    l_attrs        DBMS_LDAP.string_collection;
    l_message      DBMS_LDAP.message;
    l_entry        DBMS_LDAP.message;
    l_attr_name    VARCHAR2(256);
    l_attr_value   VARCHAR2(256);
    l_ber_element  DBMS_LDAP.ber_element;
    l_vals         DBMS_LDAP.string_collection;
  
  BEGIN
  
    -- Choose to raise exceptions.
    DBMS_LDAP.USE_EXCEPTION := TRUE;
  
    -- Connect to the LDAP server.
    l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                portnum  => l_ldap_port);
  
    l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                        dn     => l_ldap_user||','||l_ldap_base,
                                        passwd => l_ldap_passwd);
  
    -- Get specific attributes
    l_attrs(1) := p_attrname;
    l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                   base     => l_ldap_base,
                                   scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                   filter   => l_ldap_user,
                                   attrs    => l_attrs,
                                   attronly => 0,
                                   res      => l_message);
  
    IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
      -- Get all the entries returned by our search.
      l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                       msg => l_message);
  
      << entry_loop >>
      WHILE l_entry IS NOT NULL LOOP
        -- Get all the attributes for this entry.
        DBMS_OUTPUT.PUT_LINE('---------------------------------------');
        l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                 ldapentry => l_entry,
                                                 ber_elem  => l_ber_element);
        << attributes_loop >>
        WHILE l_attr_name IS NOT NULL LOOP
          -- Get all the values for this attribute.
          l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                          ldapentry => l_entry,
                                          attr      => l_attr_name);
          << values_loop >>
          FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
            DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
            l_attr_value := l_vals(i);
          END LOOP values_loop;
          l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                  ldapentry => l_entry,
                                                  ber_elem  => l_ber_element);
        END LOOP attibutes_loop;
        l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                        msg => l_entry);
      END LOOP entry_loop;
    END IF;
  
    -- Disconnect from the LDAP server.
    l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
    DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);
  
    return l_attr_value;
  
  END fnc_get_ldap_user_attr_val;
  /
  

  Then create an Application AI_USER_AD_TITLE tell you item request-> shared components.

  Create following procedure to define the point of application on the connection of the user in your APEX application:

  create or replace procedure ldap_post_auth
  as
  
    l_attr_value varchar2(512):
  
  begin
  
    l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
                                               , p_password => apex_util.get_session_state('P101_PASSWORD')
                                               , p_attrname => 'title' );
  
    apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);
  
  end ldap_post_auth;
  

  Change the "name of procedure after authentication' in your 'ldap_post_auth' authentication scheme

  Then modify the process in charge on your homepage to your application of PORTALS to:

  begin
  
      if :AI_USER_AD_TITLE = 'Student' then
          apex_util.redirect_url(p_url=>'f?p=114:1');
      else
          apex_util.redirect_url(p_url=>'f?p=113:1');
      end if;
  
  end;
  

  I hope this helps!

  Kind regards

  Kiran

• WebLogic with problem supplier Active Directory Authentication: &lt; DN for user...: null &gt;

  I have a java application (SSO via SAML2) using Weblogic as an identity provider. Everything works fine using created users directly in Weblogic. However, I need to add support for Active Directory. Thus, according to the documents:

  -J' set an Active Directory authentication provider

  -changed it's order in the list of authentication providers so that it is first

  -l' control indicator value SUFFICIENT and configured the specific provider; Here's the part concerned in the config.xml file:

  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  
  
  

  I configured an instance of AD LDS (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created the users and a user admin "tadmin" that has been added to the members directors. I've also made sure to set the msDS-UserAccountDisabled property.

  After the restart Weblogic, I see that users and groups in AD LDS are properly recovered in Weblogic. But, when I try to connect to my application using Username:tadmin and the password: <>... it doesn't.

  Here's what I see in the log file:

  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  
  
  

  So, I tried to watch why did I: < DN for user tadmin: null >. The Apache Directory Studio I have reproduced the ldap search request used in Weblogic, and of course, I get no results. But, change filter only "(& (cn = tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; Here is the result of Apache Directory Studio:

  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  
  
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  
  
  

  (the "[email protected]" is defined as userPrincipalName in the tadmin on AD LDS user)

  As you can see, ' numEntries #: 1 "(and I can see as a result the entry ' CN = tadmin, CN = wl, DC = in, DC = com ' in Apache Directory Studio interface); If I add the userAccountControl filter I get 0.

  I read the AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; Among these attributes is msDS-UserAccountDisabled, which, as I said, I already have the value FALSE.

  So, my question is, how do I run? Why do I get "< DN for user tadmin: null >"? What is the userAccountControl? If this is the case, should I do a different configuration on my AD LDS? Or, how can I get rid of the userAccountControl filter into Weblogic?

  I don't seem to find the configuration files or in the interface: I don't have that "user of the name filter: (& (cn = %u)(objectclass=user))", there is no userAccountControl.»

  Another difference is that, even if in Weblogic, I put compatible ssl false flag, the newspaper I see ldaps and ldap, I noticed (I don't mean to install something ready for production and I don't want SSL for the moment).

  Here are some other things I tried, but doesn't change anything:

  -other attributes '-FS' were not resolved, so I tried their initialization to a value

  -J' tried other users defined in AD LDS, not tadmin

  -in Weblogic, I added users who were imported from AD LDS into the policies and roles > Kingdom roles > Global roles > roles > Admin

  -J' removed all occurrences of userAccountControl I found xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)

  Any thoughts?

  Thank you.

  In the case of some other poor soul will fall on this issue: I did this job by configuring a generic ldap authenticator.

  See also:

  Re: could not connect to the WLS console with the user of the directory