Also, I was wondering which registry parameters to set on the Microsoft AD
Server so that I can see what the Active Directory is seeing during the
transaction?
What we did during our debugging phase was to set up the CAS -> AD link to a
single AD server, with LDAP in clear text (i.e. not LDAPS). Then we used
packet captures on the Linux box running CAS and looked at the LDAP
connections to our AD server with Wireshark (you could also do this on the
AD server if you're more comfortable there). Once we got everything working
we installed an SSL cert on the AD servers, reconfigured the CAS LDAP
context source beans to use LDAPS, and now our LDAP binds and queries are
secured.
Johan
----- Original Message -----
From: "Marvin Addison" <[email protected]>
To: <[email protected]>
Sent: Tuesday, January 26, 2010 7:05 AM
Subject: Re: [cas-user] FastBind failure
2010-01-25 13:16:11,994 DEBUG [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - Performing LDAP bind with credential: sAMAccountName=mtromp, cn=Users,dc=ci,dc=ventura,dc=ca,dc=us
I noted there is a space in the DN above. Could you change the filter
property of the fast bind handler such that there are no spaces and
try again?
Also, I was wondering which registry parameters to set on the Microsoft AD
Server so that I can see what the Active Directory is seeing during the
transaction?
I asked our Microsoft domain admins and they said there is an "audit
failed authentication" security policy you can enable to see more
detail in the security log. I believe
http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
shows a screenshot. They claimed that failures include an error code
that you can search for that will indicate the exact cause of failure.
I don't know whether those codes are LDAP error codes or not
(http://support.microsoft.com/kb/218185); if they are LDAP codes I
would expect one of the following:
- 0x31 (49) - Bad credential (wrong password)
- 0x20 (32) - Object not found (can't find the DN you provided)
M
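Added example (not code from this thread, from CAS or from Wireshark): a small BER decoder for the two LDAPv3 messages a plain-LDAP capture of a FastBind attempt shows, the simple BindRequest and the BindResponse. It illustrates Johan's point that a clear-text bind exposes the password on the wire (hence the move to LDAPS once debugging is done) and Marvin's point about reading the resultCode (49 and 32) and the stray space in the DN. All bytes below are constructed from the RFC 4511 tag layout; the DN is the one from the log line, the password is a placeholder, and the function names are mine.

```python
import re

# LDAP resultCode values named in the thread (RFC 4511, section 4.1.9)
RESULT_CODES = {
    0: "success",
    32: "noSuchObject (DN not found)",
    49: "invalidCredentials (wrong password)",
}

def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def _read_int(value):
    return int.from_bytes(value, "big", signed=True)

def parse_ldap_message(buf):
    """Parse an LDAPMessage carrying a BindRequest (tag 0x60) or BindResponse (0x61)."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag == 0x60:                      # [APPLICATION 0] BindRequest
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
        return {
            "type": "bindRequest",
            "messageID": _read_int(msg_id),
            "version": _read_int(version),
            "name": name.decode("utf-8"),
            # context tag 0x80 = simple authentication: the password is sent in clear text
            "password": auth.decode("utf-8") if auth_tag == 0x80 else None,
        }
    if op_tag == 0x61:                      # [APPLICATION 1] BindResponse
        _, code, pos = _read_tlv(op, 0)
        _, matched_dn, pos = _read_tlv(op, pos)
        _, diag, _ = _read_tlv(op, pos)
        rc = _read_int(code)
        return {
            "type": "bindResponse",
            "messageID": _read_int(msg_id),
            "resultCode": rc,
            "meaning": RESULT_CODES.get(rc, "other"),
            "matchedDN": matched_dn.decode("utf-8"),
            "diagnosticMessage": diag.decode("utf-8"),
        }
    raise ValueError("unsupported protocolOp tag 0x%02x" % op_tag)

def dn_has_stray_whitespace(dn):
    """True if any RDN (split on unescaped commas) carries leading/trailing spaces,
    the defect Marvin spotted in 'sAMAccountName=mtromp, cn=Users,...'."""
    return any(part != part.strip() for part in re.split(r"(?<!\\),", dn))

def ber(tag, payload):
    """Encode one BER element with short- or long-form length (used to build the samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload

# Constructed sample: a plain-LDAP simple bind for the DN from the thread,
# placeholder password included, followed by an invalidCredentials response.
SAMPLE_DN = "sAMAccountName=mtromp,cn=Users,dc=ci,dc=ventura,dc=ca,dc=us"
BIND_REQUEST = ber(0x30, ber(0x02, b"\x01") + ber(0x60,
    ber(0x02, b"\x03") + ber(0x04, SAMPLE_DN.encode()) + ber(0x80, b"example-password")))
BIND_RESPONSE = ber(0x30, ber(0x02, b"\x01") + ber(0x61,
    ber(0x0A, b"\x31") + ber(0x04, b"") + ber(0x04, b"invalid credentials")))

if __name__ == "__main__":
    for pkt in (BIND_REQUEST, BIND_RESPONSE):
        print(parse_ldap_message(pkt))
    print(dn_has_stray_whitespace("sAMAccountName=mtromp, cn=Users,dc=ci,dc=ventura,dc=ca,dc=us"))
```

Running it prints the decoded bind request with the password field readable, which is exactly what a capture on the CAS host shows while the link is clear text, and a response with resultCode 49. Feeding the decoder real packets is a matter of handing it the TCP payload Wireshark exports for port 389; TLS-wrapped LDAPS traffic cannot be decoded this way, which is the point of switching to it afterwards.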
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user