WebLogic problem with the Active Directory Authentication provider: < DN for user...: null >

I have a Java application (SSO via SAML2) using WebLogic as an identity provider. Everything works fine using users created directly in WebLogic. However, I need to add support for Active Directory. So, following the documentation, I:

- added an Active Directory authentication provider

- changed its order in the list of authentication providers so that it is first

- set the control flag to SUFFICIENT and configured the provider-specific settings; here's the relevant part of the config.xml file:

<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyOwnADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
        <wls:host>10.20.150.4</wls:host>
        <wls:port>5000</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
        <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
        <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
        <wls:cache-enabled>false</wls:cache-enabled>
        <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>


I configured an instance of AD LDS (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created the users and an admin user "tadmin" that has been added as a member of Administrators. I've also made sure to set the msDS-UserAccountDisabled property.

After restarting WebLogic, I see that the users and groups in AD LDS are properly retrieved in WebLogic. But when I try to log in to my application with the username tadmin and the password <>... it doesn't work.

Here's what I see in the log file:

<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)


So, I tried to see why I get < DN for user tadmin: null >. In Apache Directory Studio I reproduced the LDAP search request used by WebLogic and, of course, I get no results. But if I change the filter to just "(&(cn=tadmin)(objectclass=user))" (NOTE: no userAccountControl), it works; here is the result from Apache Directory Studio:

#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass


#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1


(the "[email protected]" is defined as the userPrincipalName of the tadmin user in AD LDS)

As you can see, "# numEntries : 1" (and I can see the entry "CN=tadmin,CN=wl,DC=at,DC=com" as the result in the Apache Directory Studio interface); if I add the userAccountControl filter I get 0.

I read that AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; among these attributes is msDS-UserAccountDisabled, which, as I said, I have already set to FALSE.

So, my question is: how do I make this work? Why do I get "< DN for user tadmin: null >"? Is it the userAccountControl? If so, should I configure my AD LDS differently? Or how can I get rid of the userAccountControl filter in WebLogic?

I can't seem to find it in the configuration files or in the interface: I only have the "user from name filter: (&(cn=%u)(objectclass=user))"; there is no userAccountControl.

Another difference I noticed is that, even though I set the SSL enabled flag to false in WebLogic, in the log I see ldaps and not ldap (I don't intend to set up something production-ready and I don't want SSL for the moment).

Here are some other things I tried, but nothing changed:

- other attributes ('-FS') were not resolved, so I tried initializing them to a value

- tried other users defined in AD LDS, not tadmin

- in WebLogic, I added the users imported from AD LDS to Roles and Policies > Realm Roles > Global Roles > Roles > Admin

- removed all occurrences of userAccountControl I found in the XML files in WebLogic (schema.ms.xml, schema.msad2003.xml)

Any thoughts?

Thank you.

In case some other poor soul runs into this issue: I got this working by configuring a generic LDAP authenticator instead.
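As an added example (not WebLogic's, Oracle's or Microsoft's code), here is a small evaluator for the subset of LDAP search filters that appears in the log above, run against two constructed entries: one modelled on an AD DS user (with a userAccountControl attribute) and one on an AD LDS user (with msDS-UserAccountDisabled and no userAccountControl at all). Both entries and the filter on msDS-UserAccountDisabled are assumptions made for the demonstration; the page's own configuration does not show such a filter, it is only the kind of user filter a generic LDAP authenticator could be given. The modelling choice that the bit-AND extensible match on an absent attribute is Undefined (RFC 4511, section 4.5.1.7), so that the NOT wrapped around it can never make the outer AND true, is what reproduces the empty result seen in the WebLogic log.

```python
"""Added example (not WebLogic's or Oracle's code): evaluate a subset of RFC 4515
search filters against in-memory entries that model an AD DS user and an AD LDS
user, to show why the Active Directory authenticator's user filter returns no
entry from AD LDS.  Values containing ')' or LDAP escapes are not handled."""

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match seen in the log.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Filter copied from the WebLogic log (cn=tadmin substituted for %u).
AD_DS_FILTER = ("(&(&(cn=tadmin)(objectclass=user))"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
# Assumed AD LDS equivalent: the disabled flag is a boolean attribute there,
# not a userAccountControl bit.  Not taken from the page's configuration.
AD_LDS_FILTER = "(&(cn=tadmin)(objectclass=user)(!(msDS-UserAccountDisabled=TRUE)))"

# Constructed sample entries, not real directory data.  Attribute names are
# lower-cased because LDAP attribute types are case-insensitive.
AD_DS_USER = {
    "cn": ["tadmin"],
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "useraccountcontrol": ["512"],          # NORMAL_ACCOUNT, ACCOUNTDISABLE bit clear
}
AD_LDS_USER = {
    "cn": ["tadmin"],
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "msds-useraccountdisabled": ["FALSE"],  # no userAccountControl attribute at all
}


def parse(text, i=0):
    """Recursive-descent parser for (&...), (|...), (!...), (attr=value) and
    (attr:rule:=value).  Returns (node, index just past the closing paren)."""
    if text[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        return (op, children), i + 1          # skip the closing ')'
    if text[i] == "!":
        child, i = parse(text, i + 1)
        return ("!", child), i + 1
    end = text.index(")", i)
    attr, value = text[i:end].split("=", 1)
    rule = None
    if ":" in attr:                            # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
    return ("=", attr.lower(), rule, value), end + 1


def evaluate(node, entry):
    """Three-valued evaluation (RFC 4511 4.5.1.7): True, False or None (Undefined).
    NOT of Undefined stays Undefined, and an AND containing Undefined is never True."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [evaluate(child, entry) for child in node[1]]
        if kind == "&":
            if any(r is False for r in results):
                return False
            return None if any(r is None for r in results) else True
        if any(r is True for r in results):
            return True
        return None if any(r is None for r in results) else False
    if kind == "!":
        result = evaluate(node[1], entry)
        return None if result is None else not result
    _, attr, rule, value = node
    values = entry.get(attr)
    if rule == BIT_AND_RULE:
        if values is None:
            return None   # modelling assumption: the rule cannot be applied to nothing
        mask = int(value)
        return any(int(v) & mask == mask for v in values)   # all bits of mask set
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if values is None:
        return False      # equality against an absent attribute simply fails
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch


def matches(filter_text, entry):
    """True only when the filter evaluates to True; Undefined is a non-match."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return evaluate(node, entry) is True


if __name__ == "__main__":
    for name, flt in (("AD DS filter", AD_DS_FILTER), ("AD LDS filter", AD_LDS_FILTER)):
        for label, entry in (("AD DS user", AD_DS_USER), ("AD LDS user", AD_LDS_USER)):
            print(f"{name:14} vs {label}: {matches(flt, entry)}")
```

Running it shows the AD DS filter matching the AD DS entry but not the AD LDS entry, while the same entry matches once the userAccountControl clause is removed or replaced by the msDS-UserAccountDisabled test, which is the behaviour the Apache Directory Studio searches above exhibited.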

See also:

Re: could not connect to the WLS console with a directory user

Tags: Fusion Middleware

Similar Questions

  • Windows Server 2008 R2 with two Windows Storage Server 2003 Standard: how can I add MAC authentication on top of Active Directory authentication for the storage servers?

    I have two Windows Storage Server 2003 storage servers running in a Windows Server 2008 R2 Standard domain. On top of the Active Directory authentication, I want to add MAC address authentication for access to one of the storage servers. In this scenario, an authenticated user would be unable to log on to the target storage server unless the user is also on one of the accepted MAC addresses. All domain users will have access to the other folders and files on the storage server as configured in Active Directory. I already have user access set up through folder permissions on the target storage server, but I still want to restrict access to specific computers as well. For what it's worth, the server hardware is an HP ProLiant DL360 G5 for the Server 2008 R2 Standard and HP ProLiant DL185 G5 for the two Storage Server 2003 computers. I don't want to have MAC address authentication as the main means of access control to the network, only for the one storage server as an addition to Active Directory control.

    Hi Kerry,

    The question you posted would be better suited to the TechNet Server Forums, since we have dedicated support for this there; we recommend that you post your question in the TechNet Forums to get help:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

    Keep us informed on the status of the issue.

  • An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory domain controller (AD DC) for the domain 'HAMI.LOCAL'.

    An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory domain controller (AD DC) for the domain 'HAMI.LOCAL'.

    The error was: "An existing connection was forcibly closed by the remote host."
    (error code 0x00002746 WSAECONNRESET)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.HAMI.LOCAL

    Hello

    Your Windows 7 question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the IT Pro TechNet audience. Please post your question in the TechNet Windows 7 forums.

    Here is the link:
    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

    Hope this helps

  • VIO and Active Directory referral error

    While deploying the VIO OpenStack instance, I get the following error message when validating the authentication source settings:

    Cannot find the specified user (Group). Details: The LDAP search request failed. Further reference

    This seems to be a problem I have met several times, where AD sends a referral instead of the response, which the client must then follow. But I don't see any option to allow referrals with Active Directory. Is there a way around this?

    Regards

    Gerald

    I found a workaround for the problem:

    The query succeeds when you use the Active Directory Global Catalog ports.

    The ports are:

    • 3268 (without encryption)

    or

    • 3269 (with SSL)

    Disadvantage: you can't just use your domain name to address all the domain controllers; you must specify one by its host name.

  • Active Directory authentication via host profile

    I am trying to apply a host profile through a PowerShell script that will add an ESXi host to my Active Directory domain.

    $vCenter = Read-Host "Enter vCenter"

    $esxhost = Read-Host "Enter the ESXi host's full domain name"

    $ADdomaincreds = $host.ui.PromptForCredential("Enter Credentials", "Please enter your Active Directory user name and password.", "", "")

    $hostprofile = Read-Host "Enter HostProfile to apply"

    # Convert the SecureString password to plain text for the profile variable
    $CONVERT_AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ADdomaincreds.Password)

    # PtrToStringAuto is assumed here; the method name was garbled in the post
    $AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($CONVERT_AD_PASSWORD)

    Connect-VIServer $vCenter

    $hostprof = Get-VMHostProfile -Name $hostprofile

    $applyhost = Get-VMHost $esxhost

    Set-VMHost -VMHost $applyhost -State "Maintenance"

    $additionalConfiguration = Apply-VMHostProfile -ApplyOnly -Profile $hostprof -Entity $applyhost -Confirm:$false

    $additionalConfiguration = $ADdomaincreds.username

    $additionalConfiguration = $AD_PASSWORD

    $additionalConfiguration = Apply-VMHostProfile -Profile $hostprof -Entity $applyhost -Variable $additionalConfiguration -Confirm:$false

    It runs without error, but when I look at the ESXi host it always says that it uses local authentication. If I apply the host profile through the VI Client, it works without problem. Is this what I need to put in the variable?

    I also tried using LucD's Set-VMHostADDomain function. This works; however, if I then apply my host profile to complete the configuration of the other components such as syslog, ntp, etc., authentication gets reset to local authentication after a reboot.

    Hello

    There is a bug in the Apply-VMHostProfile cmdlet that is already filed in our bug tracking system. The fix will be available in a future release.

    The problem is caused by using an incorrect version of the API (4.0), which does not support Active Directory operations.

    Here are possible solutions:

    1. Join the domain without using the host profile feature. Here's a simple script that can do it for you:

    function JoinDomainWithAD ($vmhost, $domainName, $domainUser, $domainPassword) {
       $vmhostView = Get-View -id $vmhost.ID
       $authenticationManagerView = Get-View $vmhostView.ConfigManager.AuthenticationManager
       $hostActiveDirectoryAuthenticationMoRef = $authenticationManagerView.SupportedStore | where { $_.Type -eq 'HostActiveDirectoryAuthentication' }
       $hostActiveDirectoryAuthentication = Get-View $hostActiveDirectoryAuthenticationMoRef
       $hostActiveDirectoryAuthentication.JoinDomain($domainName, $domainUser, $domainPassword)
    }
    

    2. Apply the host profile with direct API calls (Get-View)

    Let me know if you need anything else.

    Kind regards

    Nedko Nedev

    PowerCLI development team

  • Active Directory virtualization - security for AD VMDK

    Hello

    I'm the project manager for an Active Directory server virtualization project. Currently, they are all physical, and my approach is to build virtual machines running 64-bit Windows 2003 R2 with sufficient storage space and disk. The actual creation of the VM is not a problem. But what is a problem for our security people and the AD ops team is protecting the VMDK and associated files.

    The current VSI (Virtual Server Infrastructure) has each virtual machine using one LUN for the OS disk (C: drive) and another LUN for the page file/temp files. Data files are also placed on a separate LUN. Now the question arises: since all virtual machines for a single blade server (ESX host, HP BL685) are placed on the same LUN, there will be a mixture of files from different server types (apps, SQL, AD, etc.) in the datastore. This means the C: drives for all the virtual machines on this blade are under the same security policy.

    If we lock the datastore down to the AD people and other approved people, then the normal ops support people (in another country) don't get access to the files. Only the AD team has rights over AD and the domain controllers, so I will try to reproduce this security model.

    So my idea is to have AD-only datastores: one for the C: drive (SysVol, etc.) and another for page files. Then I can lock these down and leave the others at their current level of security.

    Does this sound logical? Feasible? Preferable?

    What do others think about it? Or is it overkill?

    Thank you very much

    Mark-Allen

    My guess is that only the AD team would ever start/stop/etc. a virtual machine, so maybe that's possible.

    You can create a custom role in your vCenter permissions and delegate it to some users, who will then not have access to certain virtual machines!

  • Authentication fails for AD users and works for OID users using OAM 11g

    Hi all

    I have deployed an application on OHS where the webgates are installed. In OAM 11g, I created the user identity store as OVD and created policies for it, and I was able to protect the application.

    Authentication works very well for OID users, but it does not work for AD users (saying the user ID and password are incorrect).

    Both OID and AD are part of TPM, but the AD authentication does not work.


    Could someone help me with this?



    Thank you
    Kiran

    Hi Kiran,

    Check that the user name attribute as defined in the Data Source is mapped in TPM to the AD attribute that you intend to hold the user name. Perhaps it is using userPrincipalName instead of sAMAccountName, or something like that? The oam_server1-diagnostic.log, or the OVD logs, may give more clues as to what the problem is.

    Kind regards
    Colin

  • Meraki and Active Directory authentication

    Hello

    I have two remote sites, each with 5 users and PCs. Instead of a site-to-site VPN, I want to use Meraki, but I want to ensure that users always authenticate against my AD.

    The domain controller is in AWS.

    What is the process to put this in place, and what communication takes place when a user enters their credentials for AD authentication?

    Thanks in advance.

    https://Meraki.Cisco.com/blog/2014/11/now-in-the-MX-greater-flexibility-...

  • Shared assets command not available for users

    I searched all day for some reason why my non-admin Contribute 3 users can't insert images via the Insert -> Shared Assets option. The command is dimmed. Their role permissions have "allow unrestricted editing", so I can't understand why they would be excluded from this shared assets feature. I REALLY want to give these users full administrator privileges. They get tired of rerunning a new connection key every time I try to change a setting. Any help would be greatly appreciated.

    It seems that disabling the user's ability to insert images (except for shared assets) is the way to go. As an administrator I was spoiled, as I can insert images any way I choose (Insert -> Images, cut-and-paste, and shared assets). As a normal user, it's one or the other: either shared assets or Insert -> Images, not both.

    So in order to give users the ability to access shared assets, you must go and set "Allow unrestricted editing", then check the option "Prevent users from inserting images". After they activate the connection key, it then only allows them to insert images via the shared assets feature.

  • Is Oracle Apex 4.2.4 compatible with IE10? Need to update IE for users. Please confirm; any input will be appreciated. Thank you

    We work on IE9 and need to upgrade the IE version. But before that we must confirm whether it is compatible with IE10 or not.

    2743880 wrote:

    Please update your forum profile with a real handle instead of '2743880'.

    We work on IE9 and need to upgrade the IE version. But before that we must confirm whether it is compatible with IE10 or not.

    Oracle does not publish detailed browser compatibility requirements. The basic requirements are covered in the documentation.

    Testing applications in the new browser version is necessary to ensure compatibility. Testing should focus on the non-standard application components (such as plug-ins, existing or custom themes and templates, and third-party JavaScript libraries) and on browser features such as compatibility and security modes.

  • Problem with Active Directory and the NAC

    Hello.

    Please I need help.

    I have my server with "Active Directory SSO" started, but when a user tries to connect to the network with their Active Directory credentials, the PC agent says 'Invalid username and password'.

    My server is tuned to port 8910.

    I have connectivity with the CBS and Active Directory.

    The kpass command runs successfully.

    Thanks.

    Jorge,

    If the service is running, then you must focus on the client/AD communication and see where the break occurs.

    Can you ensure that in the unauthenticated role you have all the required TCP/UDP ports open, plus ICMP and IP FRAGMENTS, to all your domain controllers?

    HTH,

    Faisal

    --

    If you find this post useful, please rate it so that others can easily find the answer

  • OBIEE 11.1.1.7.0 does not work after being configured to use MSAD (Active Directory) authentication

    Hi all

    I'm trying to configure OBIEE 11g to use MSAD (Active Directory) authentication. I followed the instructions in Configuring Oracle BI with Oracle Internet Directory, but after restarting all services I cannot log in to OBIEE. I've heard that there is a bug in this version (11.1.1.7.0) when you reorder the providers and put the new one (that you created) first, followed by the DefaultAuthenticator and DefaultIdentityAsserter providers.

    Has someone had this problem? How do I resolve it? Is there a URL or DocID explaining how to set this up correctly?

    Thanks in advance,

    Regards

    Even if you have 10k+ users it will show only 1000; this is the limitation, but you can still find the users from the top by clicking on Customize this table. It gives you options to enter the criteria in the filter and view display: you can select the column by which you search, for example by using the name or description, or Provider (AD or Default). In this way you can search for the specific users you want to see, or Alvaro* so it will give you the list of those whose name starts with Alvaro.

    I hope it helps; mark it if so

  • Active Directory for authentication - authorization database

    Hello

    I have searched a lot but could not find a way to make this work; I have WebLogic Server 10.3.4. My problem is: I currently have a read-only SQL Authenticator which validates the user name and password and also holds the group membership of those users. Thus, when users log in to our Flex application, they are authenticated and authorized through this security provider. Now I want to *move the username/password validation part to Active Directory*, while group membership, other roles, etc. will stay in the read-only SQL authenticator. To do this, I added a second security provider to my Realm, the Active Directory Authenticator, but right now, because users are authenticated via Active Directory, the roles, group memberships, etc. do not come with the user, resulting in not being able to call EJBs.

    So my question is: how can I simply authenticate users against Active Directory and get the other parts (roles, groups) from the database (in the database I no longer store the password; it is meaningless there)? Do I have to write a custom provider to do this? If so, can you show me a way to merge the two security providers?

    Thank you.

    Yes, you will need to create a security provider for this.

    -Faisal
    http://www.WebLogic-wonders.com

  • Active Directory and the Data Source in a WebLogic Application

    Hello

    I was asked to find a way to record information about users created in Active Directory in my application's datasource, so my application can control whether the user has authorization.

    My application has services to extract the data, and the data source will be in WebLogic.

    What I found so far is that there has to be an Active Directory provider in WebLogic for authentication, and it will work similarly to the SQL provider, putting all the users and groups in WebLogic.

    Basically, what I think I have to do is create something (a service or a DB package function perhaps) that will allow synchronization between AD and my database somehow.

    How can I do it, or is there an easier way to do it?

    Thank you

    Hello

    Yes, that is what I suggested in my initial post. In some scenarios I also use the Java API for AD user details, and it works pretty well.

    Thank you

    Amey

  • Client pix VPN how to authenticate with Active Directory

    Hi all, I've just set up my first Client VPN on a Cisco PIX. Everything works very well, hitting the correct subnet and logging on. However, I would like to see how I can get my remote users to connect with their Active Directory accounts. Right now I use the PIX local login for testing purposes. Sounds easy, but I'm missing something.

    We use:

    Cisco PIX 515E version 6.3(3)

    Thank you

    Dan

    Unfortunately the PIX 6.3.3 version does not support Active Directory authentication. PIX v6.3.3 only supports authentication against the PIX local database, RADIUS, and TACACS+ servers.

    If you want to authenticate to Active Directory, it is supported from PIX v7.x onwards.

    Here are the different authentication types supported by PIX v7.x for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/configuration/guide/AAA.html

    Hope that answers your question.
