AD Error fetching roles and users. AD/Hybrid does it just fine

Hi everyone,

I have an AD and an AD/Hybrid user source set up. I am able to verify both user sources, and when verifying the AD one I get my account’s role information returned. When I click “manage users” on the hybrid source, I get all the users after a few seconds. However, whenever I click “manage users” on the AD source, no users or roles are returned. In the logs, I repeatedly get an error fetching the roles and users for the AD profile. The account used for LDAP gateway authentication’s username is “Srvc_IgnitionHUN”. According to this thread, a period in the username was affecting the login. Could the underscore be causing the issue?

Below is the error from the logs:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at java.naming/javax.naming.InitialContext.init(Unknown Source)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:276)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:339)
at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource.getRoles(ActiveDirectoryUserSource.java:276)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.doGetRoles(UserSourceWrapper.java:424)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:305)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:300)
at com.inductiveautomation.ignition.gateway.authentication.AbstractCache$UpdateTask.run(AbstractCache.java:118)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

Any help would be appreciated. Thanks.

When I look up this error code (49 / 52e) the information I find is:

Returns when username is valid but password/credential is invalid.

source: https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

Thanks for the source. I was not given the password, so I will reach out to the customer to have them verify.

If the password is incorrect, shouldn’t I not be able to verify the user source?

When you verify a user on a user source you’re using the username/password you type into the verification page.

The action you’re seeing fail is using the credentials configured on the profile as “Gateway Username” and “Password”.

Got it. Thanks for the explanation.

I'm getting the same error code (49). The link from the AD and Ignition was lost because the user passwords were reset.

This has happened twice. When I reset the passwords all my users come back.
The user does not know how to do this.
I'm not resetting the AD user passwords.
I confirmed with IT that it's not them.
So what can be possibly doing this?

What's the subcode / full error?

See picture attached.

UPDATE
I reset the AD Password and all accounts came back.
Also, all account passwords were reset as well.

Sorry, gonna need you to actually copy and paste the whole thing.

Here you go.

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 532, v3839]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
**at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:207)**
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:270)
at com.inductiveautomation.ignition.gateway.authentication.impl.ADInternalHybridUserSource.getUsers(ADInternalHybridUserSource.java:166)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.updateCache(UserSourceWrapper.java:120)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.getUsers(UserSourceWrapper.java:95)
... snipped by moderator ...

49 / 532 means the passwords are expiring. Talk to whoever manages your AD instance.
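The two diagnostics quoted in this thread (`data 52e` and `data 532`) are both LDAP result 49, and only the sub-code after `data` tells you whether to look at the profile's Gateway Username / Password or at Active Directory's password policy for the bind account. As an added example, not code from this thread or from Ignition, here is a small Python parser that pulls the sub-code out of the AD bind diagnostic and maps it to the well-known AcceptSecurityContext meanings. The sub-code table is the commonly documented set of Windows values; the `gateway` / `ad_policy` split, the `triage` advice strings and the third sample log line are my own assumptions for illustration.

```python
import re

# Well-known AcceptSecurityContext sub-codes that Active Directory appends to an
# LDAP result 49 (invalidCredentials). The values are Windows error codes in hex.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Assumed classification (not from Ignition): "gateway" means the profile's
# Gateway Username / Password is wrong; "ad_policy" means the bind account itself
# is blocked by AD policy. The verification page binds with whatever you type in,
# so a successful verification says nothing about the configured gateway account.
_TRIAGE = {
    "525": ("gateway", "fix the Gateway Username; the account does not exist"),
    "52e": ("gateway", "fix the Gateway Password; valid account, wrong password"),
    "530": ("ad_policy", "logon-hours restriction on the bind account"),
    "531": ("ad_policy", "workstation restriction on the bind account"),
    "532": ("ad_policy", "bind account password expired; reset it or exempt it from expiry"),
    "533": ("ad_policy", "bind account is disabled"),
    "701": ("ad_policy", "bind account has expired"),
    "773": ("ad_policy", "bind account must change password at next logon"),
    "775": ("ad_policy", "bind account is locked out; find the lockout source"),
}

# Shape of the diagnostic string AD returns. 80090308 is SEC_E_LOGON_DENIED.
_MSG = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(text):
    """Return the fields of an AD bind diagnostic found in `text`, or None."""
    m = _MSG.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_SUBCODES.get(fields["data"], "unknown sub-code")
    return fields


def triage(text):
    """Classify one log line as (area, advice). area is 'gateway', 'ad_policy',
    'unknown' (result 49 with an unlisted sub-code) or 'none' (no bind error)."""
    fields = parse_ad_bind_error(text)
    if fields is None or fields["code"] != "49":
        return ("none", "no AD invalidCredentials diagnostic in this line")
    return _TRIAGE.get(fields["data"], ("unknown", "unlisted sub-code " + fields["data"]))


# Constructed sample log: the first two diagnostics are the ones quoted in the
# thread; the third line is an invented non-error line to show the 'none' path.
SAMPLE_LOG = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090453, comment: AcceptSecurityContext error, data 532, v3839]",
    "INFO  [UserSourceWrapper] loaded users from AD/Hybrid profile",
]


def triage_log(lines):
    """Return [(line_index, sub-code or None, area, advice), ...] for a log."""
    out = []
    for i, line in enumerate(lines):
        fields = parse_ad_bind_error(line)
        area, advice = triage(line)
        out.append((i, fields["data"] if fields else None, area, advice))
    return out


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

Run it over the gateway's wrapper log and the `area` column tells you where to start: `gateway` rows mean the credentials stored on the user source profile, `ad_policy` rows mean the service account itself needs attention in AD, and a sub-code you have not seen before is reported rather than silently dropped.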