0 Replies Latest reply on Jan 3, 2013 4:13 PM by binaryblogger

    LdapExtLoginModule Bad Password causing AD accounts to lock out

    binaryblogger

      I have 4 JBOSS servers all showing the same behavior. For an unknown reason, and from the user perspective it's random, the JBOSS app server will try to auth the user to AD, fail three times in about a second and lock the user's account. But once we unlock and never touch JBOSS it may be a few hours or days before it happens to the same user again. I see the lockouts happening on both the primary and secondary AD domain controllers. No matter what we try it still happens and we can't figure out why since there is no pattern or clear reason/trigger to this happening. But it happens regularly, just not to the same users.

      Here's the error in the log.

      2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

      Then I see the lockout reason:

      2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1

      Here's my login-config.xml for the AD connection.


      <application-policy name="AppName">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="java.naming.provider.url">ldap://AD-Corp-Primary.domain.com:389 ldap://AD-Corp-Secondary.domain.com:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="bindDN">AppUserLDAP</module-option>
            <module-option name="bindCredential">hlnYulDMZaK77Cxq4VvHY</module-option>
            <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>
            <module-option name="baseCtxDN">dc=corporate,dc=domain,dc=com</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">ou=Resources,ou=Users and Groups,dc=corporate,dc=domain,dc=com</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleRecursion">1</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="searchTimeLimit">30000</module-option>
            <module-option name="defaultRole">HttpInvoker</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
        </authentication>
      </application-policy>
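The two log entries in the post differ only in the AD sub-code after "data": 52e is a plain bad-password bind failure, 775 is the domain controller reporting that the account is now locked. When chasing lockouts like this across several JBoss servers it helps to pull those sub-codes out of the LdapExtLoginModule DEBUG output and look for bursts of 52e per user that are fast enough to trip the lockout threshold. The script below is an added example written for this page, not code from the poster or from JBoss; the log text it parses is constructed to mirror the post's two entries (three 52e failures inside a second, then 775), the sub-code table is the standard set of AD bind sub-errors, and the burst threshold of 3 failures in 2 seconds is an assumption matching the behaviour the post describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Active Directory sub-errors carried in the "data NNN" field of an
# LDAP error-49 (invalidCredentials) bind failure.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample log, modelled on the post's two entries (not real data).
SAMPLE_LOG = """\
2013-01-03 06:32:13,101 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:13,487 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
2013-01-03 06:45:02,010 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username222
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
"""

# First line of each failure: timestamp, level, login module, user.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ "
    r"\[org\.jboss\.security\.auth\.spi\.LdapExtLoginModule\] "
    r"Bad password for username=(?P<user>\S+)"
)
# Second line: the JNDI exception carrying the AD sub-code.
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]+)")


def parse_events(log_text):
    """Pair each 'Bad password' header with the sub-code on the following line."""
    events = []
    pending = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            pending = {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
                "user": m.group("user"),
                "code": None,
                "meaning": "no AD sub-code logged",
            }
            events.append(pending)
            continue
        d = DATA_RE.search(line)
        if d and pending is not None and pending["code"] is None:
            pending["code"] = d.group("code")
            pending["meaning"] = AD_SUBCODES.get(d.group("code"), "unknown sub-code")
    return events


def find_bursts(events, threshold=3, window=timedelta(seconds=2)):
    """Return {user: (first_ts, last_ts)} for the first run of `threshold`
    bad-password failures (52e) that fits inside `window`. Assumption: the
    domain lockout policy is `threshold` attempts, as the post describes."""
    by_user = defaultdict(list)
    for e in events:
        if e["code"] == "52e":
            by_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                bursts[user] = (times[i], last)
                break
    return bursts


def locked_out_users(events):
    """Users for whom the DC has already answered with sub-code 775."""
    return sorted({e["user"] for e in events if e["code"] == "775"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["user"], e["code"], e["meaning"])
    print("bursts:", find_bursts(evs))
    print("locked out:", locked_out_users(evs))
```

Run it against the merged DEBUG logs of all four servers rather than one at a time: a user who shows a 52e burst on one host right before a 775 on another is the signature of several app servers retrying the same cached credential against both domain controllers, and the burst timestamps tell you which host fired first.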