It could be that the error code is not identified in LPPE default settings. Back in 
3.5.2.1 we had to identify the error codes and what should happen for each. I 
have not revisited LPPE since we upgraded.

Ray

On Tue, 2018-03-13 at 09:00 -0700, casconfiguration casconfiguration wrote:
Trying to get CAS version 4.2.1 to recognise and respond correctly to messages 
from an AD server (LPPE) such as the password must change or the account is 
locked.

From the CAS log file it is reporting the error 773 for changing a password 
but it interprets it as an invalid authentication and presents the user with 
an Invalid Credentials message.

The complete deployerConfigContext.xml file and cas.log are attached


 =========================
 deployerConfigContext.xml
 =========================
<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative 
configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS 
deployment.
| The beans declared in this file are instantiated at context initialization 
time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change 
the last bean
| declaration to replace the default authentication handler with
| one implementing your approach for authenticating usernames and passwords.
+-->

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.ldaptive.org/schema/spring-ext http://www.ldaptive.org/schema/spring-ext.xsd">


    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    </util:map>

    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <bean id="ldapAuthenticationHandler"
          class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          c:authenticator-ref="authenticator"
          p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration">
    </bean>

    <ldaptive:ad-authenticator id="authenticator"
        ldapUrl="${ldap.url}"
        userFilter="${ldap.authn.searchFilter}"
        bindDn="${ldap.managerDn}"
        bindCredential="${ldap.managerPassword}"
        allowMultipleDns="${ldap.allowMultipleDns:false}"
        connectTimeout="${ldap.connectTimeout}"
        validateOnCheckOut="${ldap.pool.validateOnCheckout}"
        failFastInitialize="true"
        blockWaitTime="${ldap.pool.blockWaitTime}"
        idleTime="${ldap.pool.idleTime}"
        baseDn="${ldap.baseDn}"
        maxPoolSize="${ldap.pool.maxSize}"
        minPoolSize="${ldap.pool.minSize}"
        validatePeriodically="${ldap.pool.validatePeriodically}"
        validatePeriod="${ldap.pool.validatePeriod}"
        prunePeriod="${ldap.pool.prunePeriod}"
        useSSL="${ldap.use.ssl:false}"
        subtreeSearch="${ldap.subtree.search:true}"
        useStartTLS="${ldap.useStartTLS}" />

    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
        <entry>
            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>
    </util:map>

    <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />
    <alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" />

    <alias name="serviceThemeResolver" alias="themeResolver" />

    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />

    <alias name="defaultTicketRegistry" alias="ticketRegistry" />

    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />

    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager"
          class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>






===============
CAS.LOG
===============
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling error PASSWORD_MUST_CHANGE
2018-03-13 15:12:52,116 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating user1@*****.com
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: null
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [AuthenticationTransaction] for audit
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [UsernamePasswordCredential] for audit
2018-03-13 15:12:52,116 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user1@*****.com
WHAT: Supplied credentials: [user1@*****.com]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Mar 13 15:12:52 UTC 2018
CLIENT IP ADDRESS: 192.168.0.152
SERVER IP ADDRESS: 192.168.0.11
=============================================================

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
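The distinction Ray points at (which AD error code means what, and what should happen for each) can be checked directly against the posted cas.log. The following is an added example, not code from this thread, from CAS or from ldaptive: it parses the `AcceptSecurityContext error, data NNN` fragment that the log carries, maps the sub-code to an account state, and shows that every one of these logon failures arrives with the same outer LDAP result code 49, which is why a handler that keys on that code alone reports "Invalid Credentials" for a password-must-change account. The numeric sub-codes are Microsoft's documented values; the state labels, the `USER_FACING` messages and the log regex are this example's own assumptions, and the three records other than the posted 773 one are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sub-codes Active Directory appends after "data" in the bind diagnostic when the
# outer LDAP result code is 49 (invalidCredentials). Numeric values are Microsoft's
# documented AcceptSecurityContext codes; the state labels are this example's own.
AD_DATA_CODES = {
    "525": "USER_NOT_FOUND",
    "52e": "INVALID_CREDENTIALS",
    "530": "LOGON_TIME_RESTRICTION",
    "531": "LOGON_WORKSTATION_RESTRICTION",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "PASSWORD_MUST_CHANGE",
    "775": "ACCOUNT_LOCKED_OUT",
}

# Assumed user-facing wording. States not listed collapse to one generic message on
# purpose: AD distinguishes "no such user" (525) from "wrong password" (52e), and
# echoing that to the browser would let a client enumerate valid usernames.
USER_FACING = {
    "PASSWORD_MUST_CHANGE": "Your password must be changed before you can sign in.",
    "PASSWORD_EXPIRED": "Your password has expired and must be changed.",
    "ACCOUNT_LOCKED_OUT": "Your account is locked. Contact the service desk.",
}
GENERIC_FAILURE = "Invalid credentials."

# One CAS log record: timestamp, level, [logger], " - ", message body.
CAS_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] - (?P<body>.*)$"
)


@dataclass
class BindOutcome:
    result_code: int          # outer LDAP result code; 49 for every AD logon failure
    data_code: Optional[str]  # AD sub-code such as "773", None if the message has none
    state: str                # classified account state
    user_message: str         # what the login page should show


def classify_bind_message(message: str) -> BindOutcome:
    """Classify a bind failure by its AD sub-code instead of by result code 49 alone."""
    rc = re.search(r"error code (\d+)", message)
    result_code = int(rc.group(1)) if rc else -1
    data = re.search(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)", message)
    if data is None:
        # No AD diagnostic: nothing more than "bind failed" is known.
        return BindOutcome(result_code, None, "INVALID_CREDENTIALS", GENERIC_FAILURE)
    code = data.group(1).lower()
    state = AD_DATA_CODES.get(code, "UNKNOWN_AD_CODE")
    return BindOutcome(result_code, code, state, USER_FACING.get(state, GENERIC_FAILURE))


def triage_cas_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, state, user message) for each LdapAuthenticationHandler
    'LDAP response' record; records from other loggers are skipped."""
    results = []
    for line in lines:
        m = CAS_LOG_RE.match(line)
        if m is None or not m.group("logger").endswith("LdapAuthenticationHandler"):
            continue
        if "LDAP response:" not in m.group("body"):
            continue
        outcome = classify_bind_message(m.group("body"))
        results.append((m.group("ts"), outcome.state, outcome.user_message))
    return results


DIAG = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data {}, v2580 ]"
HANDLER = "[org.jasig.cas.authentication.LdapAuthenticationHandler]"
SAMPLE_LOG = [
    # The "LDAP response" record from the posted cas.log, condensed to the fields used here.
    "2018-03-13 15:12:52,101 DEBUG " + HANDLER + " - LDAP response: "
    "[org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode="
    "AUTHENTICATION_HANDLER_FAILURE, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, "
    "resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: "
    + DIAG.format("773") + ", controls=null]",
    # Constructed records: a locked-out account (775) and a plain wrong password (52e).
    "2018-03-13 15:13:10,004 DEBUG " + HANDLER + " - LDAP response: [... message="
    "javax.naming.AuthenticationException: " + DIAG.format("775") + ", controls=null]",
    "2018-03-13 15:13:41,777 DEBUG " + HANDLER + " - LDAP response: [... message="
    "javax.naming.AuthenticationException: " + DIAG.format("52e") + ", controls=null]",
    # Constructed record from another logger, which triage must ignore.
    "2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.support."
    "DefaultAccountStateHandler] - Handling error PASSWORD_MUST_CHANGE",
]
```

Running `triage_cas_log(SAMPLE_LOG)` yields three rows: the posted 773 record classifies as PASSWORD_MUST_CHANGE with a change-password prompt, the constructed 775 record as ACCOUNT_LOCKED_OUT, and the 52e record as INVALID_CREDENTIALS with the generic message. All three carry `result_code == 49`; only the sub-code separates them, which is the mapping a deployment has to supply (in CAS terms, the password-policy handling Ray refers to) before the login page can say anything more useful than "Invalid Credentials".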

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1520958931.1793.46.camel%40uvic.ca.
