Failed to query active directory groups - active-directory

I have a problem with the synchronization of Active Directory groups with MDM.
The user/password is correct, and it is marked so it never expires. Looking at the logs I see the following error:
2016/12/21 07:25:32.433 CSWAIRWZ11 8e66e0df-00a6-4997-a293-bccd713e430c [0000000-0000000] (52) Error WanderingWiFi.AirWatch.BusinessImpl.EnterpriseIntegrationHelper.SearchGroups Directory call failed. System.DirectoryServices.Protocols.LdapException:80090311: LdapErr: DSID-0C0905DE, comment: AcceptSecurityContext error, data 51f, v1db1 Error code:49
Besides the user / password, what other problem could happen?
Thank you very much in advance.
Regards

LDAP Error code 49 means AD_INVALID CREDENTIALS (source).
Are you sure that the AD credentials of the account you are using to bind with your Domain Controller are correct? If yes, then I would try using some alternative bind authentication types supported by AirWatch. In my experience Basic and GSS-Negotiate work the best.
If this still does not work, then install an LDAP client on your console server (like for example LDP.exe) and make sure you can bind with your account.
Hope this helps!

Related

Connecting to SnowSQL Client using Snowflake Credentials

I have successfully installed SnowSQL Client version 1.2.5, and while trying to log into my Snowflake account using account id, username and password, I am somehow unable to connect and get the following error:
snowsql unable to log in
This appears to be networking issue. Have you tried to set that debug logging as directed?
To assist in situations like this, Snowflake has a tool which could help you determine if your client host is able to access all required network endpoints for your Snowflake account, it's called SnowCD, the documents are here and the installation is fairly straightforward:
https://docs.snowflake.com/en/user-guide/snowcd.html
I'd recommend trying SnowCD as your first step, the next step would be to review any required proxy settings your organization might have. I'd also double-check your "account name" argument, the URL looks OK to me but there is a nice writeup on the account name construction at this link:
https://docs.snowflake.com/en/user-guide/connecting.html#your-snowflake-account-name
I hope this helps...Rich
THANKS Rich for doing some R&D and sharing proposals. I successfully logged into snowsql by providing my account id up to ".aws". Hope it will help others struggling so far, like myself:
https://docs.snowflake.com/en/user-guide/getting-started-tutorial-log-in.html
demo log in

sonarqube - active directory ldap error code 49

I've got an instance of sonarqube 5.5 running.
I wanted to use the sonar-ldap-plugin 1.5.1 in order to delegate the authentication and authorization to the Active Directory service of my company.
The configuration for the LDAP plugin is the following (modulo some obfuscation):
sonar.authenticator.createUsers=false
sonar.security.savePassword=false
sonar.security.realm=LDAP
ldap.url=ldap://host.my.domain
ldap.user.baseDn=OU=Users,OU=Organic Units,DC=my,DC=domain
ldap.user.request=(&(objectClass=user) (sAMAccountName={login}))
ldap.authentication=DIGEST-MD5
ldap.bindDn=CN=harmlessServiceAccount,OU=users,OU=Organic Units,DC=my,DC=domain
ldap.bindPassword=<the user password in clear text>
sonar.log.level=DEBUG
And the sonarqube server reports the following error:
2016.07.13 10:19:38 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2016.07.13 10:19:38 ERROR web[o.a.c.c.C.[.[.[/]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener
java.lang.IllegalStateException: Unable to open LDAP connection
...
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^#]
...
I did the exact same query with ldapsearch and did not meet any problem. So I think the Active Directory service is correct and accepts this user and the DIGEST-MD5 SASL mechanism.
I also used the same user through sonarqube with the SIMPLE (insecure) mechanism and it was working "properly" as well.
I also tried to put the md5 hash of the password instead of the password.
And I tried a lot of other things I'm not proud of...
I read many similar issues online (stack overflow, other sources) and couldn't find a solution yet.
Do you see anything wrong in my configuration?
Am I doomed to use the SIMPLE mechanism and let everyone's password move around in clear text?
I cannot use CRAM-MD5 or GSSAPI either, as they are not supported by my company's Active Directory service.
The error code 49 has a subcode in it that tells you what the failure cause was. You reported:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1^#]
The data 52e part is the key.
Check out the list I maintain here, and you will see that 52e means bad password for your bind user. 525 would be bad DN for your user, so you have the correct LDAP DN, but the wrong password.
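The answer above explains how to read the `data` subcode out of an Active Directory error string. As an added example (not code from any of the posts, and not from SonarQube or AirWatch), here is a small Python parser that pulls the leading Win32/SSPI code, the DSID, the comment and the `data` subcode out of such a message and maps the subcode to its standard meaning. The mapping for 52e and 525 is the one given in the answer; the remaining subcode and status-code names are the documented Microsoft constants and are my addition, not something the page states. The four sample messages are the ones quoted in the questions on this page, including the `0000202B` / `RefErr` referral error from the C# question further down, which the parser handles as a distinct case.

```python
import re

# Leading hex value of an AD diagnostic message: a Win32 error or SSPI
# status code. Names are the documented Microsoft constants (my addition).
LEADING_CODES = {
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x000004DC: "ERROR_NOT_AUTHENTICATED (1244)",
    0x0000202B: "ERROR_DS_REFERRAL (8235)",
}

# 'data' subcodes AD attaches to LDAP result 49 (invalidCredentials).
# 52e and 525 are the two the answer explains; the rest are the standard
# AD bind subcodes (Win32 logon error numbers written in hex).
BIND_SUBCODES = {
    0x51F: "no logon servers available to service the request (ERROR_NO_LOGON_SERVERS)",
    0x525: "user not found: the bind DN / sAMAccountName does not exist",
    0x52E: "invalid credentials: the user exists but the password is wrong",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:,\s*comment:\s*(?P<comment>.*?))?,\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)
RESULT_RE = re.compile(r"error code\s*:?\s*(?P<rc>\d+)", re.IGNORECASE)

# The error strings quoted in the questions on this page.
SAMPLES = {
    "airwatch": ("System.DirectoryServices.Protocols.LdapException:80090311: LdapErr: "
                 "DSID-0C0905DE, comment: AcceptSecurityContext error, data 51f, v1db1 "
                 "Error code:49"),
    "sonarqube": ("[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: "
                  "AcceptSecurityContext error, data 52e, v1db1^#]"),
    "plone": ("000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this "
              "operation a successful bind must be completed on the connection., "
              "data 0, v1db1"),
    "csharp": "0000202B: RefErr: DSID-031007EF, data 0, 1 access points",
}


def parse_ad_diagnostic(message: str) -> dict:
    """Split one AD/LDAP error string into its fields and attach a diagnosis."""
    m = DIAG_RE.search(message)
    if m is None:
        raise ValueError("no Active Directory diagnostic message found")
    code = int(m.group("code"), 16)
    data = int(m.group("data"), 16)
    rc = RESULT_RE.search(message)
    result_code = int(rc.group("rc")) if rc else None
    info = {
        "result_code": result_code,              # LDAP resultCode, e.g. 49
        "win32_code": code,
        "win32_name": LEADING_CODES.get(code, "unknown"),
        "kind": m.group("kind"),                 # LdapErr or RefErr
        "dsid": m.group("dsid"),
        "comment": (m.group("comment") or "").strip(),
        "data_hex": f"{data:x}",
    }
    if info["kind"] == "RefErr":
        info["diagnosis"] = ("server returned a referral: check the search base and "
                             "that DNS resolves the domain's controllers")
    elif result_code == 49 or data in BIND_SUBCODES:
        info["diagnosis"] = BIND_SUBCODES.get(data, f"bind failed, unknown subcode {data:x}")
    elif data == 0:
        # No subcode: the comment text (or the status-code name) is the diagnosis.
        info["diagnosis"] = info["comment"] or info["win32_name"]
    else:
        info["diagnosis"] = f"unknown subcode {data:x}"
    return info


def diagnose_samples() -> dict:
    """Diagnosis for every sample message, keyed by the question it came from."""
    return {name: parse_ad_diagnostic(msg)["diagnosis"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, diagnosis in diagnose_samples().items():
        print(f"{name:10s} {diagnosis}")
```

Running it shows why the first question on this page and the SonarQube one are not the same failure even though both are "error code 49": the subcodes differ (51f versus 52e), and the subcode is what to act on.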
I just encountered this and fixed it on sonarqube 6.x and ldap plugin 2.2.
The 52e will be a bit misleading, I found, as it can be an invalid password, but that is also possible if the login is incorrect. http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
I had the following in my config
ldap.bindDn=domain\query_account
This has worked for other things but not SonarQube. Your line sonar.log.level=DEBUG actually helped me: I turned it on and it showed me the problem, I needed to escape the \ character. So this worked for me:
ldap.bindDn=domain\\query_account
This might not be your problem, but it definitely was mine. Hope it helps.
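The answer above found that `domain\query_account` lost its backslash when SonarQube loaded the properties file. As an added example, written for this page and not taken from SonarQube or the answer, the Python below reimplements the escape rules of `java.util.Properties.load()` (assumed here: `\t`, `\n`, `\r`, `\f` and `\uXXXX` are translated, and a backslash before any other character is dropped) and runs both versions of the config line through them, so the lost backslash can be seen without starting a server. The config fragments are constructed for the example; `loaded_bind_dn` and `properties_encode` are hypothetical helper names.

```python
JAVA_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def java_properties_unescape(raw: str) -> str:
    """Decode a key or value the way java.util.Properties.load() does (assumed
    rules): \\t \\n \\r \\f and \\uXXXX are translated, and a backslash before
    any other character is simply dropped, so 'domain\\query' -> 'domainquery'."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break                         # lone trailing backslash: dropped
        esc = raw[i]
        if esc == "u":                    # \uXXXX unicode escape
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
            continue
        out.append(JAVA_SIMPLE_ESCAPES.get(esc, esc))
        i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: '#'/'!' comments, first unescaped '=' or ':'
    as the separator, escapes decoded in both key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        i, escaped = 0, False
        while i < len(line):
            ch = line[i]
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch in "=:":
                break
            i += 1
        key = java_properties_unescape(line[:i].strip())
        value = java_properties_unescape(line[i + 1:].strip())
        props[key] = value
    return props


def properties_encode(value: str) -> str:
    """Escape a value so that Properties.load() reproduces it exactly."""
    return (value.replace("\\", "\\\\").replace("\t", "\\t")
                 .replace("\n", "\\n").replace("\r", "\\r").replace("\f", "\\f"))


# Constructed config fragments: the bind DN as first written, and as fixed.
BROKEN_CONFIG = r"""
sonar.security.realm=LDAP
ldap.bindDn=domain\query_account
"""
FIXED_CONFIG = r"""
sonar.security.realm=LDAP
ldap.bindDn=domain\\query_account
"""


def loaded_bind_dn(config_text: str) -> str:
    """The bind DN the LDAP client would actually send after the file is loaded."""
    return parse_properties(config_text)["ldap.bindDn"]


if __name__ == "__main__":
    print("broken:", loaded_bind_dn(BROKEN_CONFIG))   # domainquery_account
    print("fixed: ", loaded_bind_dn(FIXED_CONFIG))    # domain\query_account
```

The point the DEBUG log made visible is reproduced by the first print: the DN that reaches the domain controller is `domainquery_account`, a user that does not exist, which is why the server answers with a bind subcode rather than a syntax complaint. `properties_encode` is the safe way to produce such a line from a value held in code, instead of hand-doubling backslashes.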

Plone LDAP/AD authentication encryption

We have a Plone 4.3 site on debian 7 that we'd like to authenticate against an existing AD controller. Using the excellent plone.app.ldap product we have this working, but the 'manager' username/password are being sent over the wire in plain text.
No doubt this is because we are using the protocol: 'LDAP' and not 'LDAP over SSL', our problem is how to implement 'LDAP over SSL' on the AD server in a way that works with Plone. Has anyone had any experience configuring the AD machine to accept these types of requests?
From what I understand it needs to be a new service on a new port, similar to https (i.e. not TLS), but I don't know enough about AD to know what to ask the AD admin mob.
EDIT: following the comment from Martijn Pieters, I add that if we set the 'manager dn usage' to not always then we get this error in the event log:
OPERATIONS_ERROR: {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}
Thanks for any ideas.
-i
You could set up the LDAP connection to use a certificate instead of a password.
Ross Patterson outlines the procedure, but the mailing list post he links to is gone. The same thread is however still available on Gmane.

Exception while accessing Active Directory and creating user [duplicate]

I need to read Active Directory, search users, and create users.
I am able to use DirectoryEntry in C#, and the domain is only one physical server.
In my production environment, I have two physical domain servers with the same domain name. When I try to search for or create an AD user, I get the following exception.
Exception : "0000202B: RefErr: DSID-031007EF, data 0, 1 access points" [extended Error 8235]
Note that I have Domain Admin privileges on the domain but I'm still having the same issue.
0000202B could mean a wrong DN/search base, like an incorrect DC value, etc.
Your problem looks like a DNS problem. I know that, writing that, I've got statistically an 80% chance of being right. Check the domain name resolution from your client. Check your DNS and verify that your two domain controllers are well registered.
The error you are getting is referral related:
ERROR_DS_REFERRAL
8235 (0x202B)
A referral was returned from the server.
You can find the error codes linked at this MSDN Article.