AD Error fetching roles and users. AD/Hybrid does it just fine

Hi everyone,

I have an AD and an AD/Hybrid user source set up. I am able to verify both user sources, and when verifying the AD one I get my account’s role information returned. When I click “manage users” on the hybrid source, I get all the users after a few seconds. However, whenever I click “manage users” on the AD source, no users or roles are returned. In the logs, I repeatedly get an error fetching the roles and users for the AD profile. The account used for LDAP gateway authentication’s username is “Srvc_IgnitionHUN”. According to this thread, a period in the username was affecting the login. Could the underscore be causing the issue?

Below is the error from the logs:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at java.naming/javax.naming.InitialContext.init(Unknown Source)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:276)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:339)
at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource.getRoles(ActiveDirectoryUserSource.java:276)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.doGetRoles(UserSourceWrapper.java:424)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:305)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:300)
at com.inductiveautomation.ignition.gateway.authentication.AbstractCache$UpdateTask.run(AbstractCache.java:118)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

Any help would be appreciated. Thanks.

When I look up this error code (49 / 52e) the information I find is:

Returns when username is valid but password/credential is invalid.

source: https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

Thanks for the source. I was not given the password, so I will reach out to the customer to have them verify.

If the password is incorrect, shouldn’t I not be able to verify the user source?

When you verify a user on a user source you’re using the username/password you type into the verification page.

The action you’re seeing fail is using the credentials configured on the profile as “Gateway Username” and “Password”.


Got it. Thanks for the explanation.
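Added example, not part of the original thread and not Ignition code: a small Python triage helper that extracts the LDAP result code and the AD "data" sub-code from bind-failure log lines like the one posted above, and counts failures per sub-code. This matters because the gateway retries with the profile's stored credentials. The function names, the sub-code table (the commonly documented AD values) and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Commonly documented AD "data" sub-codes that accompany LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic string AD returns inside the JNDI exception message.
BIND_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+)\s*-\s*.*?AcceptSecurityContext error,"
    r"\s*data\s+(?P<data>[0-9a-fA-F]+)"
)

def parse_bind_error(line):
    """Return (ldap_code, ad_subcode, meaning), or None if the line is not an AD bind error."""
    m = BIND_ERR.search(line)
    if not m:
        return None
    sub = m.group("data").lower()
    return int(m.group("code")), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")

def summarize(lines):
    """Count AD bind failures per sub-code across a log excerpt."""
    return Counter(r[1] for r in map(parse_bind_error, lines) if r)

# Constructed sample: line 1 is the message from the post; the rest are made up
# to show a repeated bad-password bind followed by a lockout.
_MSG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
        "LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data {}, v4563]")
SAMPLE = [
    _MSG.format("52e"),
    "at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)",
    _MSG.format("52e"),
    _MSG.format("775"),
]

if __name__ == "__main__":
    for sub, n in summarize(SAMPLE).items():
        print(f"data {sub}: {n}x  {AD_BIND_SUBCODES.get(sub, 'unknown sub-code')}")
```

A run of `52e` entries ending in `775` indicates that retries with a stale stored password have locked the service account.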