AD Internal Hybrid LDAP Error 49

Hi everyone,

I’m running into an issue in Ignition 8 with AD authentication, where the users list is not appearing. However, I’ve been told this does work in Ignition 7.9 with the same configuration.

LDAP error code 49 seems to refer to a logon failure even with correct credentials. Is there a way to figure out what is causing this, or is it probably purely an AD issue?

Error trace here:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at java.naming/javax.naming.InitialContext.init(Unknown Source)
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
    at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:207)
    at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:270)
    at com.inductiveautomation.ignition.gateway.authentication.impl.ADInternalHybridUserSource.getUsers(ADInternalHybridUserSource.java:166)
    at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.updateCache(UserSourceWrapper.java:120)
    at com.inductiveautomation.ignition.gateway.authentication.UserSourceManagerImpl$UpdateCacheTask.run(UserSourceManagerImpl.java:393)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

I can confirm AD is working in Ignition 8. We don’t use a hybrid user source though.
I quickly configured an AD/Internal Hybrid user source without any issues. I created a test role and assigned it to myself.

While I’m convinced it will work, for some reason this particular AD connection still does not work, even though the same configuration worked in 7.9.10.

Still no way to authenticate it. I’m not sure if the name is disliked or what.

Check/compare your advanced settings (under show advanced properties) against the 7.9 gateway.

Looks like hex code 52e returns when the username is valid but the password/credential is invalid. It will prevent most other errors from being displayed, as noted.

Hi @roger_larson -

Did you ever get this resolved?

I recently ran into a similar issue. I noticed that in the advanced properties (shown by toggling the show advanced properties checkbox at the bottom of the configuration), Automatic Suffix was checked, which means that any username I use to log in will always automatically be appended with the domain in the configuration. I was trying to log in with the full email such as foo@example.com, but the system was appending the domain after that (foo@example.com@example.com), which failed of course. So I tried logging in with just the name portion of the email, foo, and it worked.

Still doesn’t explain the difference between 7.9 and 8.0 though. I’m not sure what is causing the difference in behavior there from the information provided…


Interesting! As far as I know, our username prefix/suffix is blank and automatic suffix is off. We pretty much can’t even see users.

And no, it was never resolved, we sort of gave up on AD for now, at least until it is known why this configuration does not work in Ignition 8. I can’t tell if it is the AD server, some wrong information in the user source config page (I don’t have the information to verify whether it is or is not correct, but it did work at some point), or something really did change from Ignition 7 to 8 that killed our connection.

We may wait until tech support for this is available, unless there are a few ideas as to what could cause this.

But, for context, this is what we’re currently getting after switching to 8:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at java.naming/javax.naming.InitialContext.init(Unknown Source)
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
    at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:207)
    at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:270)
    at com.inductiveautomation.ignition.gateway.authentication.impl.ADInternalHybridUserSource.getUsers(ADInternalHybridUserSource.java:166)
    at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.updateCache(UserSourceWrapper.java:120)
    at com.inductiveautomation.ignition.gateway.authentication.UserSourceManagerImpl$UpdateCacheTask.run(UserSourceManagerImpl.java:393)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

Hello,

Did you manage to resolve the issue?

I am using Ignition (V8.1.1). I have an AD user source and user verification is successful.
However, when I created an Identity Provider that utilizes the same AD user source, I get the same LDAP error as you (code 49 data 775).

Any thoughts?

Regards,

That code is slightly different than what was mentioned above. According to this: https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

Looks like your user is locked out on the AD side. You’ll have to wait until the account is unlocked or ask your AD admin to manually unlock the user and try again…
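To make the two diagnoses in this thread (data 52e vs. data 775, and the doubled Automatic Suffix) repeatable from gateway logs, here is an added Python example that is not from this thread or from Ignition's own code. It parses the AcceptSecurityContext text out of the JNDI message, decodes the well-known AD sub-codes, and includes an illustrative bind-name builder (an assumption about how a suffix should be applied, not Ignition's implementation); the sample log lines are constructed from the messages quoted above.

```python
import re

# Well-known "data" sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials (wrong password or bind name form)",
    "530": "not permitted to log on at this time", "531": "not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

# Matches the AcceptSecurityContext text JNDI embeds in the exception message (see thread).
_ERR49 = re.compile(r"error code 49 - [0-9A-Fa-f]{8}: LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
                    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+), v")

def classify_bind_error(message):
    """Return (sub-code, meaning) for an error-49 message, or None if the line is not one."""
    m = _ERR49.search(message)
    if m is None:
        return None
    code = m.group("data").lower()
    return code, AD_BIND_SUBCODES.get(code, "unrecognised sub-code")

def triage_log(lines):
    """List every AD bind failure in gateway log lines as (line index, sub-code, meaning)."""
    hits = []
    for n, line in enumerate(lines):
        result = classify_bind_error(line)
        if result is not None:
            hits.append((n, result[0], result[1]))
    return hits

def bind_name(username, suffix, automatic_suffix):
    """Illustrative only (not Ignition's code): add the suffix unless the user already typed one."""
    if automatic_suffix and suffix and "@" not in username:
        return username + "@" + suffix
    return username

# Constructed sample lines: the two messages quoted in the thread plus one unrelated failure.
SAMPLE_LOG = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903D3, comment: AcceptSecurityContext error, data 775, v3839]",
    "javax.naming.CommunicationException: dc01.example.com:636 (connection refused)",
]
```

Running triage_log(SAMPLE_LOG) separates the bad-credential line from the lockout line, which is the distinction the last two posts turn on.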