I'm getting this error when I'm trying to authenticate a user against a forest domain.

[Request processing failed; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 ]] with root cause javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 ]

My environment

I have two domains (domain1 and domain2) and they are in separate forests (domain1 forest and domain2 forest). I have established a two-way trust between these two forests. When I log in to a domain1 server using a domain2 user account in Windows, it successfully lets me in (because both domains trust each other).

When I use the Spring Security LdapTemplate it just throws the above-quoted exception. Following are the LdapContextSource values.

LdapContextSource.urls ==> ldap://domain1_IP:Port
LdapContextSource.base ==> domain1 root DN
LdapContextSource.userDn ==> domain2\user1
LdapContextSource.password ==> password (plaintext)
LdapContextSource.authenticationStrategy ==> Simple

If I replace the URL with the domain2 IP, authentication returns true with no exceptions.

When I use Windows ldp.exe I'm able to authenticate using the "Bind with credentials" option. If you use Simple bind, ldp.exe fails to authenticate.

Following are the ldp.exe logs when binding after connecting to domain1,

res = ldap_simple_bind_s(ld, 'user1', ); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
Error 0x80090308 The token supplied to the function is invalid

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='user1'; Pwd=; domain = 'domain2'}
Authenticated as: 'domain2\user1'.

It looks like multi-forest domain authentication requires a non-plaintext password? I tried MD5 and SHA authentication by hashing the password and changing the authentication strategy accordingly, but nothing seems to be working.


wonk On

Based on my experiments with ldp.exe I was sure that it does not support a plain-text password when you are trying to authenticate an external user to a forest domain. Further investigation revealed that a better approach is using GSS-API authentication (Kerberos v5), but I wasn't sure how to configure Kerberos with the two forest domains' information. The example I found here https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html was only using one domain. The "Java JNDI API User cannot authenticate to ADs with multi-forests setup" thread helped me configure multiple domains in the Kerberos configuration file, which solved my issue.
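The following is an added example, not code from the question or the answer above, showing what the answer's approach looks like end to end with plain JNDI (the same LoginContext plus Subject.doAs pattern as the linked Oracle GSS-API tutorial): a domain2 user obtains a Kerberos TGT from domain2, then binds to a domain1 domain controller with SASL GSSAPI, which the forest trust resolves through a cross-realm ticket. The realm names (DOMAIN1.LOCAL, DOMAIN2.LOCAL), hostnames, file paths and the JAAS entry name are assumptions for illustration; the krb5.conf and JAAS contents shown in the comments are what this code expects to find on disk. One caveat the original configuration would trip over: the LDAP URL must use the domain controller's DNS hostname, not its IP address, because the client requests a service ticket for ldap/<hostname> and an IP address does not map to that SPN.

```java
// Added example (not the original poster's or answerer's code): Kerberos (GSSAPI) bind
// from a domain2 user to a domain1 domain controller across a forest trust.
// Assumed /etc/krb5.conf listing both realms (names are illustrative):
//   [libdefaults]
//     default_realm = DOMAIN2.LOCAL
//   [realms]
//     DOMAIN1.LOCAL = { kdc = dc1.domain1.local }
//     DOMAIN2.LOCAL = { kdc = dc1.domain2.local }
//   [domain_realm]
//     .domain1.local = DOMAIN1.LOCAL
//     .domain2.local = DOMAIN2.LOCAL
// Assumed /etc/jaas.conf with one entry that uses the JDK Kerberos login module:
//   GssapiClient { com.sun.security.auth.module.Krb5LoginModule required; };
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

public class CrossForestGssapiBind {

    // Step 1: authenticate to the user's own realm (domain2) and get a TGT.
    // The principal is given as a UPN with an explicit realm so default_realm does not matter.
    static Subject kerberosLogin(String jaasEntry, String principal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext(jaasEntry, handler);
        lc.login();                 // talks to the DOMAIN2.LOCAL KDC, populates the Subject with the TGT
        return lc.getSubject();
    }

    // Step 2: bind to domain1's DC with SASL GSSAPI while running as that Subject.
    // JNDI asks the KDCs for a cross-realm ticket to ldap/dc1.domain1.local@DOMAIN1.LOCAL;
    // the forest trust is what makes that referral succeed.
    static DirContext gssapiBind(Subject subject, String ldapUrl) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);           // DNS hostname, not IP: the SPN is ldap/<hostname>
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");  // negotiate SASL integrity + confidentiality
        return Subject.doAs(subject,
                (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: CrossForestGssapiBind <password-for-user1@DOMAIN2.LOCAL>");
            System.exit(2);
        }
        // Paths are assumptions; point these at the files described in the comments above.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/etc/jaas.conf");

        Subject user = kerberosLogin("GssapiClient", "user1@DOMAIN2.LOCAL", args[0].toCharArray());
        DirContext ctx = gssapiBind(user, "ldap://dc1.domain1.local:389/DC=domain1,DC=local");
        try {
            // A successful bind is the authentication result; a 52e would have surfaced as
            // javax.naming.AuthenticationException from InitialDirContext above.
            System.out.println("Bound to domain1 as a domain2 user: " + ctx.getNameInNamespace());
        } finally {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

In a Spring LDAP application the equivalent is to give the LdapContextSource a Kerberos-aware strategy instead of the simple one; Spring Security Kerberos ships a KerberosLdapContextSource for exactly this purpose, and it takes the same krb5.conf and JAAS login configuration that this example relies on. Note that hashing the password client side (the MD5 and SHA attempts in the question) never changes what the directory sees during a simple bind; the mechanism has to change, which is what the switch to GSSAPI does.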