Summary
Users that belong to external LDAP directories such as Crowd, Active Directory cannot log in to Jira.
The Browser says: Authentication failed.
Environment
Diagnosis
The following error message is present in atlassian-jira.log:
2021-09-20 14:27:57,353-0400 http-nio-8080-exec-23 ERROR anonymous 867x269792x1 1nb81f1 10.10.50.50,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server (10000)' is not functional during authentication of 'sample-user'. Skipped.
2021-09-20 14:27:57,400-0400 http-nio-8080-exec-23 ERROR anonymous 867x269792x1 1nb81f1 10.10.50.50,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'sample-user'.
com.atlassian.crowd.exception.runtime.OperationFailedException
Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]
Cause
The 775 data error means the LDAP account used to set up the Jira’s LDAP directory is locked in the LDAP Server.
There could be other data codes besides 775. Please check the error code (in the example above, it’s 775) and match it with the description in the following table:
|
525 |
user not found |
|
52e |
invalid credentials |
|
530 |
not permitted to logon at this time |
|
531 |
not permitted to logon at this workstation |
|
532 |
password expired (remember to check the user set in osuser.xml also) |
|
533 |
account disabled |
|
701 |
account expired |
|
773 |
user must reset password |
|
775 |
user account locked |
In the example above, the error code is 775 (user account locked).
Solution
Since the issue is often originated from Active Directory, consult with the AD administrator to unlock the account.
Once the account has been unlocked, restart Jira and try to log in again.
Last modified on Sep 22, 2021
Related content
- No related content found
Содержание
- Error code 49 data 775
- Asked by:
- Question
- Error code 49 data 775
- Answered by:
- Question
- Answers
- All replies
- Error code 49 data 775
- Microsoft Active Directory LDAP Result Codes sub-codes for Bind Response:#
Error code 49 data 775
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Asked by:
Question
We are developing a LDAP authentication against Active Directory, we met the follow errors, although the username and password are correct.
LDAP: error code 49 — 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
The user detail is: CN=Peter, Lia ,OU=DEV,OU=HK_U,OU=cita,OU=US,DC=achtest,DC=local
As you may saw, the last name of this user has a backslash, plus a space in CN, we guess it may be the problem, since other users don’t have this problem if the last name of users don’t have a backslash and a space.
However we don’t know how we can add a new user to duplicate this issue, since it’s not way to add a new user with space in the end of name, the Active Directory will auto trim the space when system save the new user to database.
My questions are:
1. Do you have this kind of experience? Any idea to resolve?
2. How we can add a new user with a space in the end of last name? and then we can replicate this issue again?
Источник
Error code 49 data 775
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Answered by:
Question
On Active Directory an LDAP bind to a locked out account always returns (regardless if the pwd is correct or not):
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)
This is the expected behavior.
On AD LDS (on Win2008R2) an LDAP bind to a locked out account returns different codes depending if the pwd is valid or not:
If the password is correct AD LDS returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)
If the pwd is NOT correct AD LDS returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 (unknown username or bad password)
This is obviously a security issue as one can continue to try to find out the correct password while the account is locked out.
Does anyone know if this behavior can be configured or if this is a bug or by design (hard to believe)
Answers
The AD LDS test in my lab has the same results as yours.
If the password is correct:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)
If the pwd is incoreectr returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 (unknown username or bad password)
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here .
TechNet Community Support
please refer to following article and let me which authentication methods you are used in the AD LDS.
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Hi Jason, thank you for the response. We perform simple bind with DN using LDAPS (port 636). The local server policies do apply and the accounts get locked out as expected, but as I said the return codes are different if correct or incorrect pwd is provided which is different behavior when using simple bind against Active Directory.
We need simple bind at the moment because of legacy applications. Later we would like to use proxy objects maped to Active Directory accounts. I have not yet tested this behavior when using proxy objects. Will do that as soon as I get time.
Should this be by design we would need to implement some custom authentication module that checks the ldap attribute manually (ms-DS-UserAccountAutoLocked) and then always return the same response to the user in that case. But I would expect that AD LDS would handle this the same way Active Directory handles it.
thanks for your reply.
Kerberos authentication depends on KDC service, but LD LDS does’t have KDC service. So there are some differents between AD LDS and AD. Anyway, i will do more tests on my lab and wait for your test results .
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
But for the tests against AD we did a simple bind as well, so I do not think that the KDC (kerberos) plays a role in this scenario.
Anyway, the problem with the behavior is not really that it is not the same as in AD. The problem is that you get a different return code back depending if the pwd provided is correct or not. This defeats the whole purpose of the lockout feature.
Were you able to reproduce this behavior in your lab ?
AD LDS doesn’t support much attributes that control account lockout. the UserAccountControl which is used to control items such as Account Lockout, Account Disabled, Password Never Expires, User Cannot Change Password etc, but AD LDS doesn’t support this attribute.
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
yes I am aware of that.
But was I was just talking about the LDAP return codes when binding to an account that is currently locked out.
As explained, it returns different codes depending if the password is correct or not which makes the lockout feature useless. The whole point of the lockout feature is that you can only try a limited number of passwords and once the limit is reached the account locks out.
But in case of AD LDS after the account locks out, if you know that the return codes tell you if the password is correct or not, you can keep guessing passwords and perform a brute force attack. So the concept of the account lockout feature is completely useless with AD LDS.
This is in contrast to other LDAP systems I looked at (e.g. openLDAP with password policy overlay) which always returns the same error code for locked out accounts, regardless if the pwd entered is corerct or not.
At this point it looks like this is by design in AD LDS as I could not find an any help on how this can be configured/changed. What is your view? Does this behavior make sense to you?
I have made a test on my lab. when I use LDP.exe to bind to an AD, the reponse code always is «invalid credentials» whatever i type incorrect password or correct password.
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
Error : ldap_bind_s() failed: Invalid Credentials. Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1 Error 0x8009030C The logon attempt failed
So tell me which tools you used to bind to AD and AD LDS.
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
I have performed the same test with ldp.exe using simple bind.
I have entered the pwd wrong a couple of times until the account was locked out.
It always returned the same error 52e (before lockout and after it was locked out):
res = ldap_simple_bind_s(ld, ‘cn=mytest,ou=users,o=xxx’, ); // v.3
Error : ldap_simple_bind_s() failed: Invalid Credentials
Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Error 0x8009030C The logon attempt failed
Then I entered the correct password:
res = ldap_simple_bind_s(ld, ‘cn=mytest,ou=users,o=xxx’, ); // v.3
Error : ldap_simple_bind_s() failed: Invalid Credentials
Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
Error 0x8009030C The logon attempt failed
As you can see I then get error 775.
This was my point. After the account is locked out, you can still determine if the pwd that was entered is correct or not, which defeats the purpose of the lockout feature.
If I see it correctly, in your test you did not use simple bind. Can you perform the same test with simple bind?
I have made a simple bind as you did.
1. i enter bad password before this user lockout. the erroe is 52e
res = ldap_simple_bind_s(ld, ‘joan’, ); // v.3
Error : ldap_simple_bind_s() failed: Invalid Credentials
Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Error 0x80090308 The token supplied to the function is invalid
2. After user account locked out, the results are same regardless the incorrect or correct password was enterd.
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
Error : ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1
Error 0x8009030C The logon attempt failed
————
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
Error : ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1
Error 0x8009030C The logon attempt failed
Regarding currennt situation, i think we could not determine if the password we enterd is correct or not. This results just determines if the user account was locked out or not.
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Источник
Error code 49 data 775
When you see an entry similar to:
The hex values will resolve to a Microsoft Response Code that may provide more information.
Microsoft Active Directory LDAP Result Codes sub-codes for Bind Response:#
| Code | hex | DEC | Short Description | More Information | Comments |
|---|---|---|---|---|---|
| 49 | 525 | 1317 | LDAP_NO_SUCH_OBJECT | Entry does not exist. | |
| 49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but password/credential is invalid. | Will prevent most other errors from being displayed as noted. |
| 49 | 52f | 1327 | ERROR_ACCOUNT_RESTRICTION | Account Restrictions are preventing this user from signing in. | For example: blank passwords aren’t allowed, sign-in times are limited, or a policy restriction has been enforced. |
| 49 | 530 | 1328 | ERROR_INVALID_LOGON_HOURS | Time Restriction:Entry logon time restriction violation | |
| 49 | 531 | 1329 | ERROR_INVALID_WORKSTATION | Device Restriction:Entry not allowed to log on to this computer. | |
| 49 | 532 | 1330 | ERROR_PASSWORD_EXPIRED | Password Expiration: Entry password has expired LDAP User-Account-Control Attribute — ERROR_PASSWORD_EXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 533 | 1331 | ERROR_ACCOUNT_DISABLED | Administratively Disabled: LDAP User-Account-Control Attribute — ACCOUNTDISABLE | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 568 | 1384 | ERROR_TOO_MANY_CONTEXT_IDS | During a logon attempt, the user’s security context accumulated too many security Identifiers. (ie Group-AD) | |
| 49 | 701 | 1793 | ERROR_ACCOUNT_EXPIRED | LDAP Password Expiration: User-Account-Control Attribute — ACCOUNTEXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 773 | 1907 | ERROR_PASSWORD_MUST_CHANGE | Password Expiration: Entry’s password must be changed before logging on LDAP pwdLastSet: value of 0 indicates admin-required password change — MUST_CHANGE_PASSWD | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 775 | 1909 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection:Entry is currently locked out and may not be logged on to LDAP User-Account-Control Attribute — LOCKOUT | NOTE: Returns even if invalid password is presented |
| 49 | 80090346 | .. | ERROR_ACCOUNT_LOCKED_OUT | AcceptSecurityContext error | SEC_E_BAD_BINDINGS — Client’s supplied Security Support Provider Interface (SSPI) Channel Bindings were incorrect. |
Common Active Directory Bind Errors will often be shown within the Windows Event Log as Event 4625
Источник
- Remove From My Forums
-
Question
-
On Active Directory an LDAP bind to a locked out account always returns (regardless if the pwd is correct or not):
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)
This is the expected behavior.
On AD LDS (on Win2008R2) an LDAP bind to a locked out account returns different codes depending if the pwd is valid or not:
If the password is correct AD LDS returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)If the pwd is NOT correct AD LDS returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 (unknown username or bad password)
This is obviously a security issue as one can continue to try to find out the correct password while the account is locked out.Does anyone know if this behavior can be configured or if this is a bug or by design (hard to believe)
Answers
-
Hi,
The AD LDS test in my lab has the same results as yours.
If the password is correct:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 (account locked out)If the pwd is incoreectr returns:
-2146893044 => 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 (unknown username or bad password)
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Marked as answer by
Thursday, March 29, 2012 9:58 PM
-
Marked as answer by
Question
SystemOut.log shows error:
SECJ0369E:Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 — 80090308:LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece
Cause
TWS DB2 account (ie. TWSADMIN) was locked out in Microsoft Active Directory (ie. MS AD).
LDAP: error code 49 means LDAP_INVALID_CREDENTIALS
(see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc_6.2%2Fadmin_gd32.htm&path=8_12_0_4_6_0)
Tivoli Directory Server, Version 6.2
Appendix A. Error codes
The possible values for an LDAP error code are shown in the following tables:
Table 23. General return codes
The Windows Event Viewer also logged the following event
Date: 30/08/2011 Time: 17:59:47
Source: IBMWAS61Service -TW
Catagory: None
Type: Error
Event_ID: 109
…
Description:
Could not determine the process id of the java process. Changine the
IBMWAS61Service — TWS_user service status to the «stopped» state.
To prevent this error, try recreating this service with the -logRoot
parameter. The value of the logRoot parameter should be the directory in
which the server’s .pid file is created.
Answer
Re-active the locked out TWS userid in MS AD, then restart TWS.
[{«Product»:{«code»:»SSGSPN»,»label»:»IBM Workload Scheduler»},»Business Unit»:{«code»:»BU053″,»label»:»Cloud & Data Platform»},»Component»:»WebSphere Application Server»,»Platform»:[{«code»:»PF033″,»label»:»Windows»}],»Version»:»8.5;8.5.1;8.6″,»Edition»:»»,»Line of Business»:{«code»:»LOB45″,»label»:»Automation»}}]
