Error binding as Windows account
I have AD and ADAM on the same Windows 2003 Server machine, with application-specific information stored in ADAM.
I am trying to connect to the ADAM instance as a Windows principal through JNDI and it keeps failing.
But through LDP I am able to bind with the same Windows user successfully and browse the entire tree.
The error is as below:
C:\samples>java checkcon
checkcon example failed.
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090311, comment: AcceptSecurityContext error, data 2030, vece ]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
        at javax.naming.InitialContext.init(InitialContext.java:219)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:133)
        at checkcon.main(checkcon.java:44)
My code:

import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;

/*
 * Bind to ADAM as a Windows account, then retrieve the attributes of a
 * particular entry and list the group objects under O=JIOC.
 */
class checkcon {
    public static void main(String[] args) {
        /*
         * Specify the initial context implementation to use.
         * This could also be set with the -D option of the java command:
         *   java -Djava.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory checkcon
         */
        String adminName = "APOLLO\\Administrator";   // Windows principal in domain\account form
        String adminPassword = "Administrator123";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        /* Host and port of the ADAM instance (not the default LDAP port 389) */
        env.put(Context.PROVIDER_URL, "ldap://15.66.91.239:50000");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, adminName);
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);

        LdapContext ctx = null;
        try {
            /* Create the initial directory context; the bind happens here */
            ctx = new InitialLdapContext(env, null);
            System.out.println("INITIAL Context Created Successfully!!");

            Attributes att = ctx.getAttributes("CN=pmProfiles,CN=JIOCprofiles,O=JIOC");
            NamingEnumeration<SearchResult> searchResults =
                ctx.search("O=JIOC", "(objectClass=group)", new SearchControls());
            System.out.println("Retrieved attributes successfully!!");

            /* Print search results by iterating through
             *   1. all entries in the search results,
             *   2. all attributes in each entry,
             *   3. all values in each attribute.
             */
            while (searchResults.hasMore()) {
                SearchResult nextEntry = searchResults.next();
                System.out.println("\ndn: " + nextEntry.getName());
                Attributes attributeSet = nextEntry.getAttributes();
                NamingEnumeration<? extends Attribute> allAttrs = attributeSet.getAll();
                while (allAttrs.hasMore()) {
                    Attribute attribute = allAttrs.next();
                    String attributeId = attribute.getID();
                    NamingEnumeration<?> values = attribute.getAll();
                    while (values.hasMore()) {
                        System.out.println(attributeId + ": " + values.next());
                    }
                }
            }
        } catch (NamingException e) {
            System.err.println("checkcon example failed.");
            e.printStackTrace();
        } finally {
            /* Release the connection whether or not the search succeeded */
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
You may want to refer to some of the ADAM documentation at www.microsoft.com/adam or the technical reference which may be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=96c660f7-d932-4f59-852c-2844b343f3e0&displaylang=en
Essentially there are three ways to bind to ADAM (Actually a fourth if you include anonymous binds).
1. Simple LDAP binding, for ADAM security principals (security principals that reside in ADAM)
2. SASL binding, for Windows security principals (Windows security principals that reside on a local computer or in Active Directory)
3. Bind redirection, for ADAM proxy users (security principals that reside in ADAM but that contain a reference to a security principal that resides in Active Directory)
So imagine a scenario with the following:
Active Directory domain - Antipodes.com (dc=antipodes,dc=com)
ADAM partition - Foobar (ou=myApp,o=foobar,c=us)
user objects:
John Smith (cn=John Smith, cn=users,dc=antipodes,dc=com)
Fred Jones (cn=Fred Jones, ou=users,ou=Myapp,o=foobar,c=us)
userProxy for John Smith (cn=Proxy for John Smith, ou=Aliens,ou=Myapp,o=Foobar,c=us)
You can perform a simple bind as Fred Jones:
String adminName = "cn=Fred Jones,ou=users,ou=Myapp,o=foobar,c=us";
String adminPassword = "secret";
env.put(Context.PROVIDER_URL, "ldap://15.66.91.239:50000");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminPassword);
You can perform a simple bind as John Smith, using bind redirection through the userProxy:
String adminName = "cn=Proxy for John Smith,ou=Aliens,ou=Myapp,o=foobar,c=us";
String adminPassword = "anothersecret";
env.put(Context.PROVIDER_URL, "ldap://15.66.91.239:50000");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminPassword);
or you can perform a SASL bind with John Smith's Active Directory account.
If you refer to http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300 and simply modify the ldapurl & search base it should work OK.
// Connect to my ADAM server, note different TCP port than normal LDAP port 389
String ldapURL = "ldap://15.66.91.239:50000";
env.put(Context.PROVIDER_URL,ldapURL);
....
//Specify the Base for the search
String searchBase = "OU=Myapp,O=Foobar,C=US";
Good luck.
Have you tried expressing your principal name in the form "Administrator@apollo.com"?
I use ldp.exe to connect and bind.
I was asked (by the admins) to use "bind with credentials" to bind to ADAM.
It has 3 fields: username, password, domain.
Where do I put the domain when I am using JNDI to connect to ADAM?
Thanks
Subba
When using ADAM on a machine (either Windows Server or Windows XP) that is not joined to an Active Directory domain, and you want to bind as a local machine account, use the machine's name in place of the domain.
For example, if the machine is called Wombat and you want to log in with the local administrator account, enter the following in your application:
User: Administrator
Domain: wombat
Password: xxxxxx
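The three bind styles from the reply above, and the domain placement from the last answer, as one added example that is not code from the thread: the host and port are the thread's, while the DNs, the realm value, the choice of DIGEST-MD5 as the SASL mechanism and the passwords are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
/* Added example, not code from the thread: the ADAM bind styles discussed above as
 * JNDI environments. Host and port are the thread's; DNs, realm and passwords are
 * placeholders. */
public class AdamBinds {
    static final String ADAM_URL = "ldap://15.66.91.239:50000";   // ADAM port, not 389
    /* Environment for one bind. realm is only used for the SASL case, where the domain
     * (or the machine name, for a local account) goes in the sasl.realm property. */
    static Hashtable<String, String> bindEnv(String mechanism, String principal,
                                             String realm, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ADAM_URL);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (realm != null) env.put("java.naming.security.sasl.realm", realm);
        return env;
    }
    /* Binds and closes; returns null on success, else the server diagnostic text
     * ("error code 49 ... data NNNN") so the caller can tell the failure modes apart. */
    static String tryBind(Hashtable<String, String> env) throws NamingException {
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            return null;
        } catch (AuthenticationException e) {
            return e.getMessage();
        } finally {
            if (ctx != null) ctx.close();
        }
    }
    public static void main(String[] args) throws NamingException {
        // 1. Simple bind with the DN of a user that lives in ADAM.
        System.out.println(tryBind(bindEnv("simple",
            "cn=Fred Jones,ou=users,ou=Myapp,o=foobar,c=us", null, "secret")));
        // 2. Bind redirection: simple bind with a userProxy DN; ADAM checks the password
        //    against the AD account the proxy points to.
        System.out.println(tryBind(bindEnv("simple",
            "cn=Proxy for John Smith,ou=Aliens,ou=Myapp,o=foobar,c=us", null, "anothersecret")));
        // 3. SASL bind as a Windows principal: account name plus realm, no APOLLO\... prefix.
        //    Assumes ADAM offers DIGEST-MD5; a domain account then needs its password stored
        //    with reversible encryption, which GSSAPI (Kerberos) does not require.
        System.out.println(tryBind(bindEnv("DIGEST-MD5", "Administrator", "wombat", "xxxxxx")));
    }
}
```

A null from tryBind means the bind succeeded; the returned diagnostic for a refused bind is the same "data NNNN" text that appears in the original stack trace.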