Spring Boot Microsoft AD Authentication












0















I know little about Spring Boot and even less about Active Directory.



I need to Authenticate against Microsoft Active Directory using Spring Boot and JWT. I have working JWT with user from memory but i am having trouble authenticating against user from Microsoft AD.



Microsoft AD setup:




  • Active Directory is running on Windows Server 2012r2 (192.168.1.166).


  • AD users.


  • AD user property.


Spring Boot app is running on: 192.168.1.31:8082

Spring Boot config:



import com.mts.oh.config.cors.SimpleCORSFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.Arrays;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private SimpleCORSFilter myCorsFilter;

@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;

@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(myCorsFilter, ChannelProcessingFilter.class).
csrf().disable().
exceptionHandling().authenticationEntryPoint(unauthorizedHandler).
and().
authorizeRequests().
antMatchers(HttpMethod.POST, "/api/login").permitAll().
anyRequest().authenticated().
and().
addFilterBefore(new LoginInterceptor("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class).
addFilterBefore(new JwtInterceptor(), UsernamePasswordAuthenticationFilter.class);
}

@Override
protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
authManagerBuilder.authenticationProvider(activeDirectoryLdapAuthenticationProvider()).userDetailsService(userDetailsService());
}

@Bean
public AuthenticationManager authenticationManager() {
return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
}

@Bean
public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("bmad.com",
"ldap://192.168.1.166:389/DC=bmad,DC=com");
provider.setSearchFilter("OU=devs,OU=employees");
provider.setConvertSubErrorCodesToExceptions(true);
provider.setUseAuthenticationRequestCredentials(true);

return provider;
}
}


Login endpoint is: /api/login.
Postman request:





  • Login Request Body

  • Login Request Headers


Stack Trace:



> rg.springframework.security.authentication.BadCredentialsException:
> Bad credentials
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:295)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:300)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:267)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.handleBindException(ActiveDirectoryLdapAuthenticationProvider.java:233)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:208)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:144)
> at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
> at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> at com.mts.oh.config.security.LoginInterceptor.attemptAuthentication(LoginInterceptor.java:28)
> at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment:
> AcceptSecurityContext error, data 773, v2580 ]
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:250)
> ... 61 common frames omitted
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext
> error, data 773, v2580 ]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
> at javax.naming.InitialContext.init(InitialContext.java:244)
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:402)
> at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:203)
> ... 59 common frames omitted


I have tried different combinations of username and password but none of them work:




  • John Doe / ****

  • johnupn / ****

  • johnupn@bmad.com / ****

  • bmadjohnupn / ****


I have picked up Spring Boot configuration from:
https://medium.com/@dmarko484/spring-boot-active-directory-authentication-5ea04969f220

and
https://www.ziaconsulting.com/developer-help/spring-security-active-directory/

but these do not work for me.










share|improve this question



























    0















    I know little about Spring Boot and even less about Active Directory.



    I need to Authenticate against Microsoft Active Directory using Spring Boot and JWT. I have working JWT with user from memory but i am having trouble authenticating against user from Microsoft AD.



    Microsoft AD setup:




    • Active Directory is running on Windows Server 2012r2 (192.168.1.166).


    • AD users.


    • AD user property.


    Spring Boot app is running on: 192.168.1.31:8082

    Spring Boot config:



    import com.mts.oh.config.cors.SimpleCORSFilter;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.ProviderManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
    import org.springframework.security.web.access.channel.ChannelProcessingFilter;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    import java.util.Arrays;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SimpleCORSFilter myCorsFilter;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(myCorsFilter, ChannelProcessingFilter.class).
    csrf().disable().
    exceptionHandling().authenticationEntryPoint(unauthorizedHandler).
    and().
    authorizeRequests().
    antMatchers(HttpMethod.POST, "/api/login").permitAll().
    anyRequest().authenticated().
    and().
    addFilterBefore(new LoginInterceptor("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class).
    addFilterBefore(new JwtInterceptor(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
    authManagerBuilder.authenticationProvider(activeDirectoryLdapAuthenticationProvider()).userDetailsService(userDetailsService());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
    return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("bmad.com",
    "ldap://192.168.1.166:389/DC=bmad,DC=com");
    provider.setSearchFilter("OU=devs,OU=employees");
    provider.setConvertSubErrorCodesToExceptions(true);
    provider.setUseAuthenticationRequestCredentials(true);

    return provider;
    }
    }


    Login endpoint is: /api/login.
    Postman request:





    • Login Request Body

    • Login Request Headers


    Stack Trace:



    > rg.springframework.security.authentication.BadCredentialsException:
    > Bad credentials
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:295)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:300)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:267)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.handleBindException(ActiveDirectoryLdapAuthenticationProvider.java:233)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:208)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:144)
    > at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
    > at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    > at com.mts.oh.config.security.LoginInterceptor.attemptAuthentication(LoginInterceptor.java:28)
    > at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
    > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    > at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    > at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    > at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    > at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
    > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    > at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
    > at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    > at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    > at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)
    > at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    > at java.lang.Thread.run(Thread.java:748)
    > Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException:
    > [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment:
    > AcceptSecurityContext error, data 773, v2580 ]
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:250)
    > ... 61 common frames omitted
    > Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext
    > error, data 773, v2580 ]
    > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
    > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
    > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
    > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    > at javax.naming.InitialContext.init(InitialContext.java:244)
    > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:402)
    > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:203)
    > ... 59 common frames omitted


    I have tried different combinations of username and password but none of them work:




    • John Doe / ****

    • johnupn / ****

    • johnupn@bmad.com / ****

    • bmadjohnupn / ****


    I have picked up Spring Boot configuration from:
    https://medium.com/@dmarko484/spring-boot-active-directory-authentication-5ea04969f220

    and
    https://www.ziaconsulting.com/developer-help/spring-security-active-directory/

    but these do not work for me.










    share|improve this question

























      0












      0








      0








      I know little about Spring Boot and even less about Active Directory.



      I need to Authenticate against Microsoft Active Directory using Spring Boot and JWT. I have working JWT with user from memory but i am having trouble authenticating against user from Microsoft AD.



      Microsoft AD setup:




      • Active Directory is running on Windows Server 2012r2 (192.168.1.166).


      • AD users.


      • AD user property.


      Spring Boot app is running on: 192.168.1.31:8082

      Spring Boot config:



      import com.mts.oh.config.cors.SimpleCORSFilter;
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      import org.springframework.http.HttpMethod;
      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.AuthenticationProvider;
      import org.springframework.security.authentication.ProviderManager;
      import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
      import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
      import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
      import org.springframework.security.web.access.channel.ChannelProcessingFilter;
      import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

      import java.util.Arrays;

      @Configuration
      @EnableWebSecurity
      @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      @Autowired
      private SimpleCORSFilter myCorsFilter;

      @Autowired
      private JwtAuthenticationEntryPoint unauthorizedHandler;

      @Override
      protected void configure(HttpSecurity http) throws Exception {
      http.addFilterBefore(myCorsFilter, ChannelProcessingFilter.class).
      csrf().disable().
      exceptionHandling().authenticationEntryPoint(unauthorizedHandler).
      and().
      authorizeRequests().
      antMatchers(HttpMethod.POST, "/api/login").permitAll().
      anyRequest().authenticated().
      and().
      addFilterBefore(new LoginInterceptor("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class).
      addFilterBefore(new JwtInterceptor(), UsernamePasswordAuthenticationFilter.class);
      }

      @Override
      protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
      authManagerBuilder.authenticationProvider(activeDirectoryLdapAuthenticationProvider()).userDetailsService(userDetailsService());
      }

      @Bean
      public AuthenticationManager authenticationManager() {
      return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
      }

      @Bean
      public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
      ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("bmad.com",
      "ldap://192.168.1.166:389/DC=bmad,DC=com");
      provider.setSearchFilter("OU=devs,OU=employees");
      provider.setConvertSubErrorCodesToExceptions(true);
      provider.setUseAuthenticationRequestCredentials(true);

      return provider;
      }
      }


      Login endpoint is: /api/login.
      Postman request:





      • Login Request Body

      • Login Request Headers


      Stack Trace:



      > rg.springframework.security.authentication.BadCredentialsException:
      > Bad credentials
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:295)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:300)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:267)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.handleBindException(ActiveDirectoryLdapAuthenticationProvider.java:233)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:208)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:144)
      > at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
      > at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
      > at com.mts.oh.config.security.LoginInterceptor.attemptAuthentication(LoginInterceptor.java:28)
      > at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
      > at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
      > at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      > at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
      > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
      > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
      > at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
      > at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      > at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
      > at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)
      > at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      > at java.lang.Thread.run(Thread.java:748)
      > Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException:
      > [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment:
      > AcceptSecurityContext error, data 773, v2580 ]
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:250)
      > ... 61 common frames omitted
      > Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext
      > error, data 773, v2580 ]
      > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
      > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
      > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
      > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
      > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
      > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
      > at javax.naming.InitialContext.init(InitialContext.java:244)
      > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:402)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:203)
      > ... 59 common frames omitted


      I have tried different combinations of username and password but none of them work:




      • John Doe / ****

      • johnupn / ****

      • johnupn@bmad.com / ****

      • bmadjohnupn / ****


      I have picked up Spring Boot configuration from:
      https://medium.com/@dmarko484/spring-boot-active-directory-authentication-5ea04969f220

      and
      https://www.ziaconsulting.com/developer-help/spring-security-active-directory/

      but these do not work for me.










      share|improve this question














      I know little about Spring Boot and even less about Active Directory.



      I need to Authenticate against Microsoft Active Directory using Spring Boot and JWT. I have working JWT with user from memory but i am having trouble authenticating against user from Microsoft AD.



      Microsoft AD setup:




      • Active Directory is running on Windows Server 2012r2 (192.168.1.166).


      • AD users.


      • AD user property.


      Spring Boot app is running on: 192.168.1.31:8082

      Spring Boot config:



      import com.mts.oh.config.cors.SimpleCORSFilter;
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      import org.springframework.http.HttpMethod;
      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.AuthenticationProvider;
      import org.springframework.security.authentication.ProviderManager;
      import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
      import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
      import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
      import org.springframework.security.web.access.channel.ChannelProcessingFilter;
      import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

      import java.util.Arrays;

      @Configuration
      @EnableWebSecurity
      @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      @Autowired
      private SimpleCORSFilter myCorsFilter;

      @Autowired
      private JwtAuthenticationEntryPoint unauthorizedHandler;

      @Override
      protected void configure(HttpSecurity http) throws Exception {
      http.addFilterBefore(myCorsFilter, ChannelProcessingFilter.class).
      csrf().disable().
      exceptionHandling().authenticationEntryPoint(unauthorizedHandler).
      and().
      authorizeRequests().
      antMatchers(HttpMethod.POST, "/api/login").permitAll().
      anyRequest().authenticated().
      and().
      addFilterBefore(new LoginInterceptor("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class).
      addFilterBefore(new JwtInterceptor(), UsernamePasswordAuthenticationFilter.class);
      }

      @Override
      protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
      authManagerBuilder.authenticationProvider(activeDirectoryLdapAuthenticationProvider()).userDetailsService(userDetailsService());
      }

      @Bean
      public AuthenticationManager authenticationManager() {
      return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
      }

      @Bean
      public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
      ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("bmad.com",
      "ldap://192.168.1.166:389/DC=bmad,DC=com");
      provider.setSearchFilter("OU=devs,OU=employees");
      provider.setConvertSubErrorCodesToExceptions(true);
      provider.setUseAuthenticationRequestCredentials(true);

      return provider;
      }
      }


      Login endpoint is: /api/login.
      Postman request:





      • Login Request Body

      • Login Request Headers


      Stack Trace:



      > rg.springframework.security.authentication.BadCredentialsException:
      > Bad credentials
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:295)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:300)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:267)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.handleBindException(ActiveDirectoryLdapAuthenticationProvider.java:233)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:208)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:144)
      > at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
      > at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
      > at com.mts.oh.config.security.LoginInterceptor.attemptAuthentication(LoginInterceptor.java:28)
      > at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
      > at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
      > at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
      > at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
      > at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
      > at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
      > at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at com.mts.oh.config.cors.SimpleCORSFilter.doFilter(SimpleCORSFilter.java:32)
      > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
      > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
      > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
      > at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
      > at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      > at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
      > at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)
      > at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      > at java.lang.Thread.run(Thread.java:748)
      > Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException:
      > [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment:
      > AcceptSecurityContext error, data 773, v2580 ]
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:250)
      > ... 61 common frames omitted
      > Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext
      > error, data 773, v2580 ]
      > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
      > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
      > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
      > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
      > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
      > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
      > at javax.naming.InitialContext.init(InitialContext.java:244)
      > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:402)
      > at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:203)
      > ... 59 common frames omitted


      I have tried different combinations of username and password but none of them work:




      • John Doe / ****

      • johnupn / ****

      • johnupn@bmad.com / ****

      • bmadjohnupn / ****


      I have picked up Spring Boot configuration from:
      https://medium.com/@dmarko484/spring-boot-active-directory-authentication-5ea04969f220

      and
      https://www.ziaconsulting.com/developer-help/spring-security-active-directory/

      but these do not work for me.







      java spring-boot spring-security active-directory






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 '18 at 9:34









      msforenter090msforenter090

      64




      64
























          1 Answer
          1






          active

          oldest

          votes


















          0














          From a computer logged into the domain, a user can find the values for their account using whoami. Below shows the commands to get a user's sAMAccountName, userPrincipalName, and fully qualified distinguished name respectively. Active Directory uses all three of these as the username when authenticating via LDAP.



          c:>whoami
          mydomainlisa

          c:>whoami /upn
          lisa@mydomain.ccTLD

          c:>whoami /fqdn
          CN=Smith, Lisa,OU=GPOTest,OU=IT,OU=Company,DC=mydomain,DC=ccTLD





          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53389999%2fspring-boot-microsoft-ad-authentication%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            From a computer logged into the domain, a user can find the values for their account using whoami. Below shows the commands to get a user's sAMAccountName, userPrincipalName, and fully qualified distinguished name respectively. Active Directory uses all three of these as the username when authenticating via LDAP.



            c:>whoami
            mydomainlisa

            c:>whoami /upn
            lisa@mydomain.ccTLD

            c:>whoami /fqdn
            CN=Smith, Lisa,OU=GPOTest,OU=IT,OU=Company,DC=mydomain,DC=ccTLD





            share|improve this answer




























              0














              From a computer logged into the domain, a user can find the values for their account using whoami. Below shows the commands to get a user's sAMAccountName, userPrincipalName, and fully qualified distinguished name respectively. Active Directory uses all three of these as the username when authenticating via LDAP.



              c:>whoami
              mydomainlisa

              c:>whoami /upn
              lisa@mydomain.ccTLD

              c:>whoami /fqdn
              CN=Smith, Lisa,OU=GPOTest,OU=IT,OU=Company,DC=mydomain,DC=ccTLD





              share|improve this answer


























                0












                0








                0







                From a computer logged into the domain, a user can find the values for their account using whoami. Below shows the commands to get a user's sAMAccountName, userPrincipalName, and fully qualified distinguished name respectively. Active Directory uses all three of these as the username when authenticating via LDAP.



                c:>whoami
                mydomainlisa

                c:>whoami /upn
                lisa@mydomain.ccTLD

                c:>whoami /fqdn
                CN=Smith, Lisa,OU=GPOTest,OU=IT,OU=Company,DC=mydomain,DC=ccTLD





                share|improve this answer













                From a computer logged into the domain, a user can find the values for their account using whoami. Below shows the commands to get a user's sAMAccountName, userPrincipalName, and fully qualified distinguished name respectively. Active Directory uses all three of these as the username when authenticating via LDAP.



                c:>whoami
                mydomainlisa

                c:>whoami /upn
                lisa@mydomain.ccTLD

                c:>whoami /fqdn
                CN=Smith, Lisa,OU=GPOTest,OU=IT,OU=Company,DC=mydomain,DC=ccTLD






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Dec 4 '18 at 16:14









                LisaJLisaJ

                770313




                770313
































                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53389999%2fspring-boot-microsoft-ad-authentication%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?

                    Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents