It could be that error code is not identified in LPPE default settings. Back in 3.5.2.1 we had to identify the error codes and what should happen for each. I have not revisited LPPE since we upgraded.
Ray On Tue, 2018-03-13 at 09:00 -0700, casconfiguration casconfiguration wrote: Trying to get CAS version 4.2.1 to recognise and respond correctly to messages from an AD server (LPPE)such as the password must change or the account is locked. >From the CAS log file it is reporting the error 773 for changing a password >but it interprets it as an invalid authentication and presents the user with >an Invalid Credentials message. The complete deployerConfigContext.xml file and cas.log are attached ========================= deployerConfigContext.xml ========================= <?xml version="1.0" encoding="UTF-8"?> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default authentication handler with | one implementing your approach for authenticating usernames and passwords. +--> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.ldaptive.org/schema/spring-ext http://www.ldaptive.org/schema/spring-ext.xsd"> <util:map id="authenticationHandlersResolvers"> <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" /> <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" /> </util:map> <util:list id="authenticationMetadataPopulators"> <ref bean="successfulHandlerMetaDataPopulator" /> <ref bean="rememberMeAuthenticationMetaDataPopulator" /> </util:list> <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="sAMAccountName" c:authenticator-ref="authenticator" p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration"> </bean> <ldaptive:ad-authenticator id="authenticator" ldapUrl="${ldap.url}" userFilter="${ldap.authn.searchFilter}" bindDn="${ldap.managerDn}" bindCredential="${ldap.managerPassword}" allowMultipleDns="${ldap.allowMultipleDns:false}" connectTimeout="${ldap.connectTimeout}" validateOnCheckOut="${ldap.pool.validateOnCheckout}" failFastInitialize="true" blockWaitTime="${ldap.pool.blockWaitTime}" idleTime="${ldap.pool.idleTime}" baseDn="${ldap.baseDn}" maxPoolSize="${ldap.pool.maxSize}" minPoolSize="${ldap.pool.minSize}" validatePeriodically="${ldap.pool.validatePeriodically}" validatePeriod="${ldap.pool.validatePeriod}" prunePeriod="${ldap.pool.prunePeriod}" useSSL="${ldap.use.ssl:false}" subtreeSearch="${ldap.subtree.search:true}" useStartTLS="${ldap.useStartTLS}" /> <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao" p:backingMap-ref="attrRepoBackingMap" /> <util:map id="attrRepoBackingMap"> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> <entry> <key><value>memberOf</value></key> <list> <value>faculty</value> <value>staff</value> <value>org</value> </list> </entry> </util:map> <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" /> <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" /> <alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" /> <alias name="serviceThemeResolver" alias="themeResolver" /> <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" /> <alias name="defaultTicketRegistry" alias="ticketRegistry" /> <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" /> <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" /> <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" /> <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" /> <bean id="auditTrailManager" class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" p:entrySeparator="${cas.audit.singleline.separator:|}" p:useSingleLine="${cas.audit.singleline:false}"/> <alias name="neverThrottle" alias="authenticationThrottle" /> <util:list id="monitorsList"> <ref bean="memoryMonitor" /> <ref bean="sessionMonitor" /> </util:list> <alias name="defaultPrincipalFactory" alias="principalFactory" /> <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" /> <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" /> <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" /> </beans> =============== CAS.LOG =============== 2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null] 2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null] 2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling error PASSWORD_MUST_CHANGE 2018-03-13 15:12:52,116 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating user1@*****.com 2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: null 2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [AuthenticationTransaction] for audit 2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [UsernamePasswordCredential] for audit 2018-03-13 15:12:52,116 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN ============================================================= WHO: user1@*****.com WHAT: Supplied credentials: [user1@*****.com] ACTION: AUTHENTICATION_FAILED APPLICATION: CAS WHEN: Tue Mar 13 15:12:52 UTC 2018 CLIENT IP ADDRESS: 192.168.0.152 SERVER IP ADDRESS: 192.168.0.11 ============================================================= -- Ray Bon Programmer analyst Development Services, University Systems 2507218831 | CLE 019 | r...@uvic.ca -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1520958931.1793.46.camel%40uvic.ca.