5 Replies Latest reply on Feb 19, 2013 6:10 PM by wesleydstrickland

    Trouble Authenticating User using LdapExtLoginModule with Active Directory server

    wesleydstrickland


      I have tried many different attribute values using the LdapExtLoginModule trying to use LDAP authentication with JBoss AS7.1.1 Final with no success.  The same AD server works perfectly using the same client/server code deployed on Glassfish.

       

      I know that it is at least authenticating using the bindDN and bindCredential but I am still getting the Password failure. (If I change the bindCredential I get a different Authentication error, so I am presuming the bindDN username and credential for searching LDAP is authenticating).

       

      I have turned on the TRACE level debugging for org.jboss.security.  It is not showing the username it is attempting to authenticate in plain text so I cannot be 100% sure that the username is being propagated properly to the login module.

       

      Attached is my stack trace and a second file with the contents of the relevant "MAAS" tree in Active Directory.  Any help would be most greatly appreciated!

       

      The same Active Directory structure works as-is with all the same users, passwords, and contexts under Glassfish.

       

      Thank you!

      -Wes

        • 1. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
          dlofthouse

          It looks like the security realm for the remote connection is still configured to use the properties file - you need to reconfigure this to delegate to your JAAS domain.

          • 2. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
            wesleydstrickland

            Thanks for your reply Darran!

             

            I have tried that as well without any luck.  A little more information about our setup and how we are connecting from the client... We have the following code to get the remote object from the client:

             

                import java.util.Properties;
                import javax.naming.Context;
                import javax.naming.InitialContext;

                // Properties for the remote-naming client; user/password are the
                // credentials the remoting connection authenticates with (SASL)
                props = new Properties();
                props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                props.put(Context.PROVIDER_URL, "remote://localhost:4447");
                props.put(Context.SECURITY_PRINCIPAL, user);
                props.put(Context.SECURITY_CREDENTIALS, password);
                props.put("jboss.naming.client.ejb.context", true);

                // Get the reference to the remote object
                Context ctx = new InitialContext(props);
                siteSec = (SiteSecurityRemote) ctx.lookup("TargetManagementApplication/SiteSecurityBeans/SiteSecurity!com.gdais.maas.prototype.ejb.SiteSecurityRemote");

             

            In that code the user/password have been added to the ApplicationRealm using the adduser.bat script and this seems to work fine to get the InitialContext.  If I switch the remoting-connector to use the Ldap realm, I immediately get a failure message on the client and no error messages in the server log:

             

            Feb 18, 2013 10:38:15 AM org.jboss.remoting3.remote.RemoteConnection handleException
            ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
            javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]

             

            If I leave the remoting-connector using the ApplicationRealm, I get the InitialContext with no issues.  The first time I try to invoke a method from the client using this object, "siteSec", it then seems to invoke the Ldap security domain and produce the stack trace that I attached to my original message.

             

            To force the first EJB call to use the "LDAP" security domain, we have added a jboss-ejb3.xml file into our deployed ear that looks like the following:

             

            <?xml version="1.1" encoding="UTF-8"?>
            <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                           xmlns="http://java.sun.com/xml/ns/javaee"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           xmlns:c="urn:clustering:1.0"
                           xmlns:s="urn:security"
                           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
                           version="3.1"
                           impl-version="2.0">
                <assembly-descriptor>
                    <s:security>
                        <ejb-name>*</ejb-name>
                        <s:security-domain>LDAP</s:security-domain>
                    </s:security>
                </assembly-descriptor>
            </jboss:ejb-jar>

             

            In standalone.xml I have added the "LDAPRealm" security realm:

             

            <management>
                <security-realms>
                    <security-realm name="ManagementRealm">
                        <authentication>
                            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                        </authentication>
                    </security-realm>
                    <security-realm name="ApplicationRealm">
                        <authentication>
                            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                        </authentication>
                    </security-realm>
                    <security-realm name="LDAPRealm">
                        <authentication>
                            <jaas name="LDAP"/>
                        </authentication>
                    </security-realm>
                </security-realms>
                <management-interfaces>
                    <native-interface security-realm="ManagementRealm">
                        <socket-binding native="management-native"/>
                    </native-interface>
                    <http-interface security-realm="ManagementRealm">
                        <socket-binding http="management-http"/>
                    </http-interface>
                </management-interfaces>
            </management>

             

            My security subsystem in standalone.xml looks like this:

             

            <subsystem xmlns="urn:jboss:domain:security:1.1">
                <security-domains>
                    <security-domain name="other" cache-type="default">
                        <authentication>
                            <login-module code="Remoting" flag="optional">
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>
                            <login-module code="RealmUsersRoles" flag="required">
                                <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                <module-option name="realm" value="ApplicationRealm"/>
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                    <security-domain name="LDAP" cache-type="default">
                        <authentication>
                            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                                <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                <module-option name="java.naming.provider.url" value="ldap://<ip address>:389"/>
                                <module-option name="java.naming.security.authentication" value="simple"/>
                                <module-option name="bindDN" value="CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
                                <module-option name="bindCredential" value="Password1!"/>
                                <module-option name="baseCtxDN" value="OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
                                <module-option name="rolesCtxDN" value="OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo"/>
                                <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                                <module-option name="roleAttributeID" value="memberOf"/>
                                <module-option name="roleAttributeIsDN" value="true"/>
                                <module-option name="roleNameAttributeID" value="cn"/>
                                <module-option name="roleRecursion" value="0"/>
                                <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                                <module-option name="allowEmptyPasswords" value="false"/>
                                <module-option name="throwValidateError" value="true"/>
                                <module-option name="Context.REFERRAL" value="follow"/>
                                <module-option name="defaultRole" value="maas-users"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                    <security-domain name="jboss-web-policy" cache-type="default">
                        <authorization>
                            <policy-module code="Delegating" flag="required"/>
                        </authorization>
                    </security-domain>
                    <security-domain name="jboss-ejb-policy" cache-type="default">
                        <authorization>
                            <policy-module code="Delegating" flag="required"/>
                        </authorization>
                    </security-domain>
                </security-domains>
            </subsystem>

             

            I was hoping to leave the remoting-connector set to the ApplicationRealm as a way to debug the LDAP configuration since this was the only way I could get it to seemingly actually invoke the LDAP login module.  I am not sure if mixing the two is even allowed?

             

            Thanks for your help!!

            -Wes

            • 3. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
              wesleydstrickland

              Another interesting test: if I explicitly put the username I am attempting to authenticate in LDAP directly into the baseFilter, I get much farther in the stack trace.  So as a test, attempting to authenticate as a user with username 'alluser', if I put the following in standalone.xml:

               

              <module-option name="baseFilter" value="(sAMAccountName=alluser)"/>
              <module-option name="roleFilter" value="(sAMAccountName=alluser)"/>

               

              The stack trace seems to make it farther.  It is as if the password is not being propagated all the way to the LdapExtLoginModule for some reason?  Or maybe even the Principal itself isn't being grabbed correctly.

               

              11:35:04,752 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) Begin isValid, principal:3fc70f76-0594-4a72-856d-e444e6c1c721, cache entry: null
              11:35:04,753 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) defaultLogin, principal=3fc70f76-0594-4a72-856d-e444e6c1c721
              11:35:04,755 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) Begin getAppConfigurationEntry(LDAP), size=4
              11:35:04,760 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) End getAppConfigurationEntry(LDAP), authInfo=AppConfigurationEntry[]:

              [0]
              LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:
              name=defaultRole, value=maas-users
              name=baseFilter, value=(sAMAccountName=alluser)
              name=bindDN, value=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo
              name=rolesCtxDN, value=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo
              name=roleNameAttributeID, value=cn
              name=Context.REFERRAL, value=follow
              name=roleRecursion, value=2
              name=baseCtxDN, value=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo
              name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
              name=java.naming.security.authentication, value=simple
              name=allowEmptyPasswords, value=false
              name=roleFilter, value=(sAMAccountName=alluser)
              name=java.naming.provider.url, value=ldap://10.112.200.154:389
              name=bindCredential, value=****
              name=roleAttributeIsDN, value=true
              name=searchScope, value=SUBTREE_SCOPE
              name=roleAttributeID, value=memberOf
              name=throwValidateError, value=true

              11:35:04,767 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) initialize
              11:35:04,767 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Security domain: LDAP
              11:35:04,768 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) login
              11:35:04,769 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Logging into LDAP server, env={throwValidateError=true, Context.REFERRAL=follow, baseFilter=(sAMAccountName=alluser), allowEmptyPasswords=false, defaultRole=maas-users, java.naming.security.credentials=***, jboss.security.security_domain=LDAP, java.naming.security.authentication=simple, baseCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, roleAttributeIsDN=true, rolesCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, java.naming.security.principal=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, searchScope=SUBTREE_SCOPE, roleRecursion=2, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(sAMAccountName=alluser), roleNameAttributeID=cn, java.naming.provider.url=ldap://10.112.200.154:389, roleAttributeID=memberOf, bindDN=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, bindCredential=***}
              11:35:04,787 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Logging into LDAP server, env={throwValidateError=true, Context.REFERRAL=follow, baseFilter=(sAMAccountName=alluser), allowEmptyPasswords=false, defaultRole=maas-users, java.naming.security.credentials=***, jboss.security.security_domain=LDAP, java.naming.security.authentication=simple, baseCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, roleAttributeIsDN=true, rolesCtxDN=OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, java.naming.security.principal=CN=alluser,OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo, searchScope=SUBTREE_SCOPE, roleRecursion=2, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(sAMAccountName=alluser), roleNameAttributeID=cn, java.naming.provider.url=ldap://10.112.200.154:389, roleAttributeID=memberOf, bindDN=CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo, bindCredential=***}
              11:35:04,808 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] (EJB default - 1) Bad password for username=3fc70f76-0594-4a72-856d-e444e6c1c721: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
                  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_07]
                  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_07]
                  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_07]
                  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_07]
                  at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_07]
                  at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_07]
                  at org.jboss.security.auth.spi.LdapExtLoginModule.constructInitialLdapContext(LdapExtLoginModule.java:655) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.auth.spi.LdapExtLoginModule.bindDNAuthentication(LdapExtLoginModule.java:511) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:438) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:312) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07]
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_07]
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_07]
                  at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_07]
                  at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_07]
                  at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_07]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                  at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:306) [jboss-as-security-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:272) [jboss-as-security-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
                  at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
                  at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:74) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:32) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at com.gdais.maas.prototype.ejb.SiteSecurityLocal$$$view2.getValidLabelValues(Unknown Source) [SiteSecurityBeansClient.jar:]
                  at com.gdais.maas.prototype.ejb.TargetManagement.getTargetList(TargetManagement.java:149) [TargetManagementBeans.jar:]
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07]
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_07]
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_07]
                  at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
                  at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                  at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.

              • 4. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
                dlofthouse

                In that code the user/password have been added to the ApplicationRealm using the adduser.bat script and this seems to work fine to get the InitialContext.  If I switch the remoting-connector to use the Ldap realm, I immediately get a failure message on the client and no error messages in the server log:

                 

                Feb 18, 2013 10:38:15 AM org.jboss.remoting3.remote.RemoteConnection handleException
                ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]

                 

                To overcome this you need to configure the client to allow sending the password in the clear; try adding the following property for JNDI:

                 

                props.setProperty("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

                • 5. Re: Trouble Authenticating User using LdapExtLoginModule with Active Directory server
                  wesleydstrickland

                  Thanks for your reply Darran.  It is working now with RMI, and adding that above property was one of the things that was needed.  We also had to add the "Remoting" login-module to our LDAP security domain before the LdapExtended module to get things to work as well.  So our standalone.xml security subsystem now looks like this:

                   

                  <subsystem xmlns="urn:jboss:domain:security:1.1">
                      <security-domains>
                          <security-domain name="other" cache-type="default">
                              <authentication>
                                  <login-module code="Remoting" flag="optional">
                                      <module-option name="password-stacking" value="useFirstPass"/>
                                  </login-module>
                                  <login-module code="RealmUsersRoles" flag="required">
                                      <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                      <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                      <module-option name="realm" value="ApplicationRealm"/>
                                      <module-option name="password-stacking" value="useFirstPass"/>
                                  </login-module>
                              </authentication>
                          </security-domain>
                          <security-domain name="LDAP" cache-type="default">
                              <authentication>
                                  <login-module code="Remoting" flag="optional">
                                      <module-option name="password-stacking" value="useFirstPass"/>
                                  </login-module>
                                  <login-module code="LdapExtended" flag="required">
                                      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                      <module-option name="java.naming.provider.url" value="ldap://hopper.rd.ideas.gd-ais.com:389"/>
                                      <module-option name="java.naming.security.authentication" value="simple"/>
                                      <module-option name="bindDN" value="CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
                                      <module-option name="bindCredential" value="Password1!"/>
                                      <module-option name="baseCtxDN" value="OU=Users,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
                                      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                      <module-option name="rolesCtxDN" value="OU=Groups,OU=MAAS,DC=JEE,DC=MAAS,DC=DEMO"/>
                                      <module-option name="roleFilter" value="(member={1})"/>
                                      <module-option name="roleAttributeID" value="cn"/>
                                      <module-option name="roleAttributeIsDN" value="true"/>
                                      <module-option name="roleNameAttributeID" value="cn"/>
                                      <module-option name="roleRecursion" value="1"/>
                                      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                                      <module-option name="allowEmptyPasswords" value="false"/>
                                      <module-option name="throwValidateError" value="true"/>
                                  </login-module>
                              </authentication>
                          </security-domain>
                          <security-domain name="jboss-web-policy" cache-type="default">
                              <authorization>
                                  <policy-module code="Delegating" flag="required"/>
                              </authorization>
                          </security-domain>
                          <security-domain name="jboss-ejb-policy" cache-type="default">
                              <authorization>
                                  <policy-module code="Delegating" flag="required"/>
                              </authorization>
                          </security-domain>
                      </security-domains>
                  </subsystem>

                   

                  Thanks for all your help!  Appreciate it!

                  -Wes
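The bind-search-rebind flow this thread debugs, with the three situations from replies 3 and 5 (the opaque connection id arriving as the principal, the hard-coded baseFilter experiment, and the Remoting module handing the real login to LdapExtended), as an added example that is not the poster's or PicketBox's code. It runs against a constructed in-memory directory with made-up passwords; the sharedState hand-off and the role dereferencing are simplifications of what AS7 and the real module do.

```python
import re

# Constructed stand-in for the poster's AD tree (DNs follow the thread, passwords are made up).
DIRECTORY = {
    "CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo": {
        "sAMAccountName": ["maas-svc"], "userPassword": ["svc-secret"]},
    "CN=alluser,OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo": {
        "sAMAccountName": ["alluser"], "userPassword": ["user-secret"]},
    "CN=maas-users,OU=Groups,OU=MAAS,DC=jee,DC=maas,DC=demo": {
        "cn": ["maas-users"], "member": ["CN=alluser,OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo"]},
}
# Options from the thread's final working LDAP domain; bindCredential is the constructed one above.
FINAL_OPTS = {
    "bindDN": "CN=maas-svc,OU=ServiceAccounts,OU=MAAS,DC=jee,DC=maas,DC=demo",
    "bindCredential": "svc-secret", "allowEmptyPasswords": "false",
    "baseCtxDN": "OU=Users,OU=MAAS,DC=jee,DC=maas,DC=demo", "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "OU=Groups,OU=MAAS,DC=jee,DC=maas,DC=demo", "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "roleAttributeIsDN": "true", "roleNameAttributeID": "cn",
}

class LdapError(Exception):
    """Stands in for javax.naming.AuthenticationException / NamingException."""

def bind(dn, password):
    """Simple bind; AD reports a wrong password as error 49, data 52e (the code in the thread)."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password or password not in entry.get("userPassword", []):
        raise LdapError("[LDAP: error code 49 - AcceptSecurityContext error, data 52e]")

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name containing * ( ) \\ cannot change the filter's shape."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search for the one filter shape the thread uses: (attr=value)."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not m:
        raise LdapError("unsupported filter: " + ldap_filter)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and wanted in attrs.get(m.group(1), [])]

def ldap_ext_login(opts, shared_state, principal, credential):
    """Service-account bind, user DN lookup, rebind as the user, role search.
    A preceding stacked module (Remoting, password-stacking=useFirstPass) is modelled
    through the JAAS sharedState keys; this is a simplification of what AS7 does."""
    if "javax.security.auth.login.name" in shared_state:
        principal = shared_state["javax.security.auth.login.name"]
        credential = shared_state["javax.security.auth.login.password"]
    bind(opts["bindDN"], opts["bindCredential"])                 # 1. bind as service account
    user_filter = opts["baseFilter"].replace("{0}", escape_filter_value(principal))
    matches = search(opts["baseCtxDN"], user_filter)             # 2. find the user's DN
    if len(matches) != 1:
        raise LdapError("user %r not found with %s" % (principal, user_filter))
    user_dn = matches[0]
    if not credential and opts["allowEmptyPasswords"] == "false":
        raise LdapError("empty password rejected")
    try:
        bind(user_dn, credential)                                 # 3. the real password check
    except LdapError as e:
        raise LdapError("Bad password for username=%s: %s" % (principal, e))
    role_filter = (opts["roleFilter"].replace("{0}", escape_filter_value(principal))
                   .replace("{1}", escape_filter_value(user_dn)))
    roles = []
    for dn in search(opts["rolesCtxDN"], role_filter):           # 4. role search
        for value in DIRECTORY[dn].get(opts["roleAttributeID"], []):
            # roleAttributeIsDN: dereference and read roleNameAttributeID; a value that is
            # not a DN in this directory is taken as the role name itself (simplification).
            if opts["roleAttributeIsDN"] == "true" and value in DIRECTORY:
                roles += DIRECTORY[value].get(opts["roleNameAttributeID"], [])
            else:
                roles.append(value)
    return user_dn, sorted(set(roles))

CONNECTION_ID = "3fc70f76-0594-4a72-856d-e444e6c1c721"  # the opaque principal seen in the trace

def case_opaque_principal():
    """Before the fix: {0} is the connection id, so no sAMAccountName matches."""
    try:
        ldap_ext_login(FINAL_OPTS, {}, CONNECTION_ID, "user-secret")
    except LdapError as e:
        return str(e)

def case_hardcoded_filter():
    """The poster's experiment: a literal filter reaches the user bind, which gets 52e."""
    try:
        ldap_ext_login(dict(FINAL_OPTS, baseFilter="(sAMAccountName=alluser)"), {}, CONNECTION_ID, "wrong")
    except LdapError as e:
        return str(e)

def case_remoting_stacked():
    """After the fix: the Remoting module stored the real login in sharedState."""
    shared = {"javax.security.auth.login.name": "alluser", "javax.security.auth.login.password": "user-secret"}
    return ldap_ext_login(FINAL_OPTS, shared, CONNECTION_ID, None)
```

The "Bad password for username=<uuid>" line in the trace is the tell to look for: a UUID where a login name should be means the principal never reached the module, so the user bind could not succeed no matter what the directory holds.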