Solved: LDAP authentication: error code 49 - 80090308, comment: AcceptSecurityContext error, data 525

    Question

  • Hi,
    I have a problem connecting to another domain (far.away.domain) with a Java program. We have a trust to this domain. Also I can access the DS using ADSI edit and our Administrator account (ourdomain.com).
    Here is a part of the java code:

    // JNDI LDAP provider and the server to bind to (plain ldap://, no TLS)
    String ldapCF = "com.sun.jndi.ldap.LdapCtxFactory";
    String ldapURL = "ldap://far.away.domain:389/";

    String ldapBaseDN = "dc=far,dc=away,dc=domain";

    // Bind identity: a DN from ourdomain.com, not from the directory being bound to
    String ldapUserID = "CN=Administrator,CN=Users,DC=ourdomain,DC=com";
    String ldapPassword = "xxxxx";

    Hashtable<String, String> env = new Hashtable<>( 4 );
    try {
     env.put( Context.INITIAL_CONTEXT_FACTORY, ldapCF );
     env.put( Context.PROVIDER_URL, ldapURL + ldapBaseDN );
     // No Context.SECURITY_AUTHENTICATION is set, so JNDI performs a simple bind
     env.put( Context.SECURITY_PRINCIPAL, ldapUserID );
     env.put( Context.SECURITY_CREDENTIALS, ldapPassword );

     // Create initial context (this is where the bind to the server happens)
     this.ctx = new InitialDirContext( env );
     this.ctls = new SearchControls();
     ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
    } catch( NamingException e ) {
     resultVec.addElement( "ERROR: no connection to LDAP server: " + ldapURL + "\n" + e.toString() );
     throw( e );
    }

    Connecting to ourdomain.com is no problem with this code, but to far.away.domain I can't connect; I always get the error 525 (user not found). What could be the problem? Do I have to use an entry from the ForeignSecurityPrincipals CN of the far.away.domain?

    Best regards, Nils.

    PS: I've found another thread with a similar problem but there is not really an answer to the problem:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/474abb8f-cfc6-4cac-af79-c3e80e80291f

    Edit: I tried also connecting with ldapsearch from the command line, but I still can only connect to ourdomain.

    • Edited by der Nils Monday, August 30, 2010 8:43 AM
    Tuesday, July 20, 2010 7:34 AM

Answers

  • Hi,

    Please check the following link's solution to see if that resolves the issue.

    http://forums.devshed.com/ldap-programming-76/javax-naming-authenticationexception-ldap-error-code-49-80090308-ldaperr-dsid--121363.html

    Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Wilson Jia Monday, July 26, 2010 2:37 AM
    Friday, July 23, 2010 7:18 AM
  • You should consider reposting over in the MSDN developer forums.

     

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Sunday, July 25, 2010 9:24 AM
    • Marked as answer by Wilson Jia Monday, July 26, 2010 2:37 AM
    Friday, July 23, 2010 12:20 PM

All replies

  • Hi,

    I've tried the username "Administrator @ ourdomain.com" (without the blanks), but this also doesn't work for connecting to the far.away.domain.

    It is ok for connecting to ourdomain.com.

    I also tried to connect using Softerra LDAPBrowser and a command line ldapsearch without success and with no better error message.

    Any other idea?

    Regards, Nils.

    Friday, July 23, 2010 12:08 PM
  • Hi,

    I found the solution for my problem:

    I have to set the authentication type to ADS_SECURE_AUTHENTICATION.

    See also http://msdn.microsoft.com/en-us/library/aa772247%28VS.85%29.aspx

    Best regards, Nils.

    Monday, August 30, 2010 8:42 AM
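The fix from the last post, with the reason it works, as an added example; this is not code from any post in the thread. Why the original code gets data 525: with no Context.SECURITY_AUTHENTICATION set, JNDI performs a simple bind, and a domain controller resolves a simple-bind DN against its own directory. CN=Administrator,CN=Users,DC=ourdomain,DC=com does not exist in far.away.domain, so that DC answers "user not found" no matter what trust exists. ADS_SECURE_AUTHENTICATION in ADSI means authenticating through SSPI (Kerberos/NTLM) instead of a simple bind; the JNDI counterpart is a SASL GSSAPI bind, where the DC validates a Kerberos ticket that a trusted domain can issue. That also removes a second problem with the original code, which sends the administrator password in clear text over ldap:// on port 389. The class name, the JAAS entry name CrossDomainLdap, and the host and base-DN arguments are assumptions; the subcode table lists the AcceptSecurityContext subcodes AD returns for failed binds; the code needs Java 9 or later (Map.of), and the Kerberos bind additionally needs a krb5.conf and a JAAS login configuration with Krb5LoginModule, which this example does not include.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class CrossDomainLdapBind {   // hypothetical class name

    // AD reports the reason for a failed bind as a hex "data NNN" subcode inside the
    // diagnostic message of LDAP result 49 (invalidCredentials). Documented subcodes:
    private static final Map<String, String> AD_BIND_SUBCODES = Map.of(
        "525", "user not found: the DC could not map the bind name to an account it holds",
        "52e", "invalid credentials (wrong password)",
        "530", "not permitted to log on at this time",
        "531", "not permitted to log on at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    private static final Pattern DATA_SUBCODE = Pattern.compile("\\bdata ([0-9a-fA-F]{3})\\b");

    /** Returns the AD subcode (e.g. "525") found in a bind error message, or null if absent. */
    public static String extractSubcode(String diagnosticMessage) {
        if (diagnosticMessage == null) return null;
        Matcher m = DATA_SUBCODE.matcher(diagnosticMessage);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Turns "error code 49 - 80090308 ... data 525" into a line an operator can act on. */
    public static String explain(String diagnosticMessage) {
        String code = extractSubcode(diagnosticMessage);
        if (code == null) return "LDAP bind failed: " + diagnosticMessage;
        return "LDAP bind failed, AD subcode " + code + ": "
            + AD_BIND_SUBCODES.getOrDefault(code, "unknown subcode");
    }

    /**
     * Binds with SASL/GSSAPI (Kerberos), the JNDI counterpart of ADSI's
     * ADS_SECURE_AUTHENTICATION. The DC validates a Kerberos ticket instead of
     * looking up a DN in its own directory, so a principal from a trusted domain
     * can bind, and the password is never sent over the LDAP connection.
     */
    public static DirContext bindWithKerberos(String host, String baseDn, Subject subject)
            throws NamingException, PrivilegedActionException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389/" + baseDn);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Request SASL integrity + confidentiality so traffic on plain ldap:// is signed and sealed
        env.put("javax.security.sasl.qop", "auth-conf");
        try {
            return Subject.doAs(subject,
                (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
        } catch (PrivilegedActionException pae) {
            if (pae.getCause() instanceof NamingException) throw (NamingException) pae.getCause();
            throw pae;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape AD returns for a simple bind with a name it cannot resolve
        String sample = "[LDAP: error code 49 - 80090308, comment: AcceptSecurityContext error, data 525]";
        System.out.println(explain(sample));

        if (args.length < 2) {
            System.out.println("usage: CrossDomainLdapBind <dc-host> <base-dn>");
            return;
        }
        // "CrossDomainLdap" is a hypothetical JAAS entry using Krb5LoginModule; the login config
        // and krb5.conf are supplied via -Djava.security.auth.login.config / -Djava.security.krb5.conf
        LoginContext lc = new LoginContext("CrossDomainLdap");
        lc.login();
        DirContext ctx = null;
        try {
            ctx = bindWithKerberos(args[0], args[1], lc.getSubject());
            System.out.println("bound via GSSAPI to " + ctx.getNameInNamespace());
        } catch (AuthenticationException e) {
            System.err.println(explain(e.getMessage()));
        } finally {
            if (ctx != null) ctx.close();
            lc.logout();
        }
    }
}
```

Run with no arguments to see the subcode decoding only; run with a DC host and base DN, after obtaining a ticket for an account in the trusted domain (kinit or a logged-on Windows session with a ticket cache), to perform the cross-domain bind. If the simple bind has to stay, it belongs on ldaps:// (636) or behind StartTLS, and the principal must be one the target DC can resolve, such as a UPN; the DN of an account in another domain will keep producing data 525.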