Tech Tip: ADA, NFA or UCM SsoConfig > Test LDAP fails with LDAP: error code 49 - 8009030C

Document created by Rito_Garcia Employee on Sep 3, 2015. Last modified by Rito_Garcia Employee on Sep 3, 2015.

Summary:


SsoConfig > Test LDAP displays the following error:


Enter username > ldapuser
Enter password >
The UserBind option has been selected.
We will now perform the first bind with the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = LDAP://myldapservername.corp.com/
DirContext.SECURITY_AUTHENTICATION = DIGEST-MD5
DirContext.SECURITY_PRINCIPAL = ldapuser
DirContext.SECURITY_CREDENTIALS set
directoryContext initialized
Bind with LdapConnectionUser and LdapConnectionPassword succeded.
We will now try to bind with the searched user.
searchScope = SearchControls.SUBTREE_SCOPE ldapRoot = DC=CORP,DC=com
Begin directoryContext.search
Search String: (sAMAccountName=ldapuser)
End directoryContext.search
Search returned at least one result.
Found the DN for the searched user: CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
Disconnecting from the LDAP server so we can connect with the searched user.
ldapSearchDomain = LDAP://myldapservername.corp.com/
DirContext.SECURITY_AUTHENTICATION = DIGEST-MD5
DirContext.SECURITY_PRINCIPAL = CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
DirContext.SECURITY_CREDENTIALS set
Could not obtain a DirectoryContext.javax.naming.AuthenticationException:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1 ]
Logon failure: unknown user name or bad password.
Bind to the directory failed.


Solution:

 

The Test LDAP error code 49 - 8009030C may occur in an LDAP configuration when the Connection User is 'dynamic', represented by {0}, and is used in conjunction with User Bind. In such configurations, the User Bind setting must be set to Disabled.

 

1. Example of setting User Bind to Disabled with NFA:

 

SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >1

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication:
Connection User: {0}
Connection Password: ***
Search Domain: LDAP://myldapservername.corp.com/DC=CORP,DC=com
Search String: (sAMAccountName={0})
Search Scope: Subtree
User Bind: Enabled
Encryption: DIGEST-MD5
Account User: {sAMAccountName}
Account User Default Clone: user
Group:
Krb5ConfigFile:

 

1. Remote Value
2. Local Override
Choose an option >2

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind:
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:
Select a Property > 6
Enter U to update this value

 

Valid values:
0.  Disabled
1.  Enabled
Choose an option > 0

 

The following displays:

 

SSO Configuration/CA Network Flow Analysis/LDAP Authentication/Local Override:
1. Connection User:
2. Connection Password:
3. Search Domain:
4. Search String:
5. Search Scope:
6. User Bind: Disabled
7. Encryption:
8. Account User:
9. Account User Default Clone:
10. Group:
11. Krb5ConfigFile:

 

Run Test LDAP and confirm that authentication is successful.
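To check whether a saved Test LDAP transcript shows the condition described above, the following Python script can be used. It is an added example, not part of the CA tooling. The function names are hypothetical, the sample lines are excerpted from the transcript on this page, and treating "first bind principal equals the entered username" as the sign of a {0} Connection User is an assumption.

```python
import re

# Sample input: lines excerpted from the Test LDAP transcript on this page.
SAMPLE = """\
Enter username > ldapuser
The UserBind option has been selected.
DirContext.SECURITY_AUTHENTICATION = DIGEST-MD5
DirContext.SECURITY_PRINCIPAL = ldapuser
Bind with LdapConnectionUser and LdapConnectionPassword succeded.
DirContext.SECURITY_PRINCIPAL = CN=ldapuser,OU=Users,OU=NAM,DC=corp,DC=com
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1 ]
"""

ERR_RE = re.compile(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):.*?data ([0-9A-Fa-f]+)")
DN_RE = re.compile(r"^(?:CN|OU|DC|UID)=", re.I)

def parse_transcript(text):
    """Extract the fields needed to recognise the failure described above."""
    user = re.search(r"^Enter username >\s*(\S+)", text, re.M)
    err = ERR_RE.search(text)
    return {
        "username": user.group(1) if user else None,
        "user_bind": "The UserBind option has been selected." in text,
        "principals": re.findall(r"^DirContext\.SECURITY_PRINCIPAL = (.+)$", text, re.M),
        "ldap_code": int(err.group(1)) if err else None,
        "win_code": err.group(2).upper() if err else None,
        "data": err.group(3).lower() if err else None,
    }

def is_dynamic_user_bind_failure(text):
    """True when the first bind ran as the tested user (assumed: Connection User {0}),
    User Bind then re-bound with the searched DN, and that bind got error 49."""
    t = parse_transcript(text)
    p = t["principals"]
    return bool(
        t["user_bind"]
        and len(p) >= 2
        and p[0] == t["username"]   # {0} was replaced by the entered name
        and DN_RE.match(p[-1])      # second bind used the full DN
        and t["ldap_code"] == 49
        and t["win_code"] == "8009030C"
    )

if __name__ == "__main__":
    print(parse_transcript(SAMPLE))
    print("Set User Bind to Disabled:", is_dynamic_user_bind_failure(SAMPLE))
```

A transcript whose first bind used a fixed service account does not match, so an error 49 there points to the tested user's credentials instead of this configuration issue.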

 

This has also been posted in the Knowledge Base on Support.ca.com as TEC1180295.
