Tech Tip: ADA, NFA or UCM SsoConfig > Test LDAP fails with LDAP: error code 49 - 80090308

Document created by Rito_Garcia (Employee) on Sep 3, 2015. Last modified by Rito_Garcia (Employee) on Sep 3, 2015. Version 2.

Summary:


SsoConfig > Test LDAP displays the following error:


Enter username > ldapuser

Enter password >
We will now attemp to bind to the supplied LDAP server using the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = LDAP://myldapservername.corp.com/
DirContext.SECURITY_AUTHENTICATION = simple
Could not read the provided ldapEncryption mechanism. Defaulting to SIMPLE authentication
DirContext.SECURITY_PRINCIPAL = ldapuser
DirContext.SECURITY_CREDENTIALS set
Could not obtain a DirectoryContext.
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
Logon failure: unknown user name or bad password.
Bind to the directory failed.


Solution:

 

The Test LDAP error code 49 - 80090308 can occur when the Connection User is set to the dynamic value {0} (the name of the user being tested is substituted in) while Encryption is set to False or left blank. With no Encryption mechanism the tool falls back to SIMPLE authentication, as the "Defaulting to SIMPLE authentication" line in the output shows, and the bind is rejected with data 52e (unknown user name or bad password). In such configurations, either set Encryption to an authentication mechanism the LDAP server supports, or set Connection User to a static LDAP user name.
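To make the diagnosis repeatable, the following added example (not part of the original tech tip or of the SsoConfig tool) parses the javax.naming error text quoted above into its AD sub-code and checks a set of SsoConfig LDAP Authentication values for the misconfiguration described here. The settings dictionary keys mirror the property names shown by SsoConfig; the sub-code table is the standard Active Directory list for result 49.

```python
import re

# Active Directory "data" sub-codes that accompany LDAP result code 49
# (invalidCredentials) in AcceptSecurityContext errors.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (unknown user name or bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The message as printed by Test LDAP in the tech tip above.
SAMPLE_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                "comment: AcceptSecurityContext error, data 52e, v1db1 ]")

_ERR_RE = re.compile(r"LDAP: error code (\d+) - (\w+): .*?data (\w+)")

def parse_bind_error(message):
    """Return result code, AD error code, sub-code and its meaning, or None."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    code, ad_code, sub = m.groups()
    return {"result": int(code), "ad_error": ad_code, "data": sub,
            "meaning": AD_BIND_SUBCODES.get(sub, "unknown sub-code")}

def check_ldap_settings(settings):
    """Flag the SsoConfig combinations this tech tip describes as failing."""
    findings = []
    user = settings.get("Connection User", "").strip()
    enc = settings.get("Encryption", "").strip()
    bind = settings.get("User Bind", "").strip()
    # Blank or False means SsoConfig defaults to SIMPLE authentication.
    simple_auth = enc == "" or enc.lower() == "false"
    if user == "{0}" and simple_auth:
        findings.append("dynamic Connection User {0} with SIMPLE authentication: "
                        "set Encryption (DIGEST-MD5/GSSAPI/SSHA) or a static user")
    # Solution 2 pairs a static Connection User with User Bind enabled.
    if user and user != "{0}" and bind.lower() != "enabled":
        findings.append("static Connection User without User Bind: enable User Bind")
    return findings
```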

 

Solution 1: Set the Encryption option to DIGEST-MD5, GSSAPI or SSHA, whichever of these the LDAP server supports.

 

Example of setting Encryption with NFA:

 

1. Launch %NFAHOMEPATH%\Portal\SSO\bin\SsoConfig

 

SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >1

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication:
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: False
Account User: {sAMAccountName}
Account User Default Clone: user
Group:
Krb5ConfigFile:

 

1. Remote Value
2. Local Override
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 7
Enter U to update this value

 

Enter new value > DIGEST-MD5

 

The following displays with DIGEST-MD5 configured:

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption: DIGEST-MD5
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:

 

Run Test LDAP and confirm that authentication is successful.

 

Solution 2: If the available Encryption types are not supported by the LDAP server, or the Encryption type is unknown, set the Connection User to a static LDAP user name and set the Connection Password. In this configuration the User Bind setting should also be enabled.

 

NFA example of configuring a static Connection User, Connection Password and User Bind:

1. Launch %NFAHOMEPATH%\Portal\SSO\bin\SsoConfig

 

SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >1

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication:
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Disabled
Encryption: False
Account User: {sAMAccountName}
Account User Default Clone: user
Group:
Krb5ConfigFile:

 

1. Remote Value
2. Local Override
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 1
Enter U to update this value

 

Enter new value > CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com


After configuring the Connection User, choose option 2 to set the Connection Password.

 

Example:

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 2
Enter U to update this value

 

Enter new value > (the password is not echoed as you type it)

 

After configuring the Connection Password, choose option 6 to enable the User Bind.

 

Example:

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password: *******
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 6
Enter U to update this value

 

Valid values:
0.  Disabled
1.  Enabled
Choose an option > 1

 

The following displays:

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
2. Connection Password: *******
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind: Enabled
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:

 

Run Test LDAP and confirm that authentication is successful.


This has also been posted in the Knowledge Base on Support.ca.com as TEC1142597.
