Issue
I ran into an issue when trying to connect to an LDAP server in my Spring Boot application. I verified that the URL, user name, and password are all valid using ADExplorer. I also step-traced the same information to make sure it is correct right before the call.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Builds the JNDI environment for a simple bind and opens the context.
LdapContext connect(String ldapAdServer, String ldapUsername, String ldapPassword) throws NamingException {
    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    if (ldapUsername != null) {
        env.put(Context.SECURITY_PRINCIPAL, ldapUsername);
    }
    if (ldapPassword != null) {
        env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
    }
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapAdServer);
    // objectSID must be read back as raw bytes, not decoded as a String
    env.put("java.naming.ldap.attributes.binary", "objectSID");
    LdapContext ctx = new InitialLdapContext(env, null); // <==== exception thrown
    return ctx;
}
ldap:
  host:
    ldapadserver: ldap://ldapserver.com
  search:
    ldapsearchbase: OU=AD Master OU,OU=###,DC=###,DC=###
  user:
    ldapusername: ####
    ldappassword: ENC(#####)
Exception while loading user configuration file : javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
Just an update: I followed the advice and used the full DN string as ldapUserName, and everything works.
Solution
The data 52e in the error message refers to the Windows System Error code, which is:

ERROR_LOGON_FAILURE
1326 (0x52E)
The user name or password is incorrect.
So it's definitely complaining about your credentials.
What format is the username in? You mention in the comment to the other answer cn=ldapuser, but that won't work for AD. The format should be one of:
- Just the username (either sAMAccountName or userPrincipalName), e.g. ldapuser
- The domain\username, e.g. DOMAIN\ldapuser
- The distinguished name, e.g. CN=ldapuser,OU=Users,DC=example,DC=com
Answered By - Gabriel Luci
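The two practical points in the answer, which principal formats AD will resolve in a simple bind and what the "data 52e" subcode means, can be checked in code before and after the bind. The following is an added example written for this page, not code from the question or the answer: it rejects a principal that is not in one of the three accepted forms (so a lone RDN like cn=ldapuser fails fast instead of producing error 49), performs the same JNDI simple bind as the question, and translates the subcode out of the exception message. The class and method names are assumptions; the only subcode mapping included is the 52e = ERROR_LOGON_FAILURE (1326) one the answer gives, and the sample inputs in main are constructed from the answer's examples.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example, not the question's or the answer's code. Class and method names
 * are assumptions; only the 52e mapping comes from the answer above.
 */
public final class AdSimpleBind {

    // AD appends "data <hex>" to AcceptSecurityContext errors; 52e = 0x52E = 1326.
    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]+)");

    /**
     * Accepts the three formats listed in the answer: a bare sAMAccountName or
     * userPrincipalName, DOMAIN\user, or a full distinguished name. A lone RDN such
     * as "cn=ldapuser" (no DC= components) is rejected because AD cannot resolve it.
     */
    static boolean isAcceptedAdPrincipal(String principal) {
        if (principal == null || principal.trim().isEmpty()) {
            return false;
        }
        String p = principal.trim();
        if (p.contains("=")) {
            // Looks like a DN: require a CN= RDN and at least one DC= component.
            String lower = p.toLowerCase();
            return lower.startsWith("cn=") && lower.contains("dc=");
        }
        if (p.contains("\\")) {
            // DOMAIN\user: exactly one separator, both halves non-empty.
            String[] parts = p.split("\\\\", -1);
            return parts.length == 2 && !parts[0].isEmpty() && !parts[1].isEmpty();
        }
        // sAMAccountName or user@domain UPN: no DN or path separators allowed.
        return !p.contains(",") && !p.contains("/");
    }

    /** Turns the "data 52e" fragment into the Windows error number and its documented meaning. */
    static String describeBindFailure(String message) {
        if (message == null) {
            return "no message";
        }
        Matcher m = DATA_CODE.matcher(message);
        if (!m.find()) {
            return "no AD data subcode in message";
        }
        int code = Integer.parseInt(m.group(1), 16);
        // Only 0x52E is documented on this page; extend from Microsoft's Win32 error list as needed.
        switch (code) {
            case 0x52E:
                return "data 52e = ERROR_LOGON_FAILURE (1326): the user name or password is incorrect";
            default:
                return "data " + m.group(1) + " = Windows error " + code + " (not mapped here)";
        }
    }

    /** Opens a simple-bind LDAP context; rejects unusable principals before touching the network. */
    static LdapContext bind(String providerUrl, String principal, char[] password) throws NamingException {
        if (!isAcceptedAdPrincipal(principal)) {
            throw new IllegalArgumentException("principal is not in an AD-accepted format: " + principal);
        }
        if (password == null || password.length == 0) {
            // An empty password in a simple bind is an unauthenticated bind (RFC 4513), not a failure.
            throw new IllegalArgumentException("refusing simple bind with an empty password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password); // JNDI accepts String, char[] or byte[] here
        env.put("java.naming.ldap.attributes.binary", "objectSID");
        try {
            return new InitialLdapContext(env, null);
        } catch (AuthenticationException e) {
            NamingException wrapped = new NamingException("LDAP bind failed: " + describeBindFailure(e.getMessage()));
            wrapped.setRootCause(e);
            throw wrapped;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the answer's examples; no server is contacted here.
        String[] principals = {"ldapuser", "DOMAIN\\ldapuser",
                "CN=ldapuser,OU=Users,DC=example,DC=com", "cn=ldapuser"};
        for (String p : principals) {
            System.out.println(p + " -> " + (isAcceptedAdPrincipal(p) ? "accepted" : "rejected"));
        }
        System.out.println(describeBindFailure(
                "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]"));
    }
}
```

Two things worth keeping in mind when using this: the question's configuration binds over plain ldap://, and a simple bind sends the password in cleartext on that transport, so the same code should be pointed at an ldaps:// URL (or StartTLS) in anything beyond a lab. And the decoded reason from describeBindFailure belongs in server-side logs; the caller should still get a generic authentication failure, since exposing the AD subcode tells a client whether it was the account or the password that was wrong.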