Active Directory Authentication in Weblogic 8.1

Similar Messages

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Unable to find user list in Active Directory Authenticator

  Hi all,
  I am using weblogic 10.3 and want to configure ActiveDirectory Authenticator for my weblogic application. We have one managed srever under admin server . I have configured a Active Directory Authenticator named "ADAuthenticator" and made following changes as per the below values:
  I set the control flag to "OPTIONAL" .
  Security Realms-->myrealm-->Providers-->ADAuthenticator-->Provider Specific
  UserName Attribute : ServiceBEA
  Principal : ServiceBEA
  Host : xxxxxx
  User Search Scope : subtree
  Group From Name Filter : (&(ServiceBEA=%g)(objectclass=group))
  Credential : xxxxxx
  Confirm Credential : xxxxxx
  User From Name Filter : (&(ServiceBEA=%u)(objectclass=user))
  Static Group Name Attribute : ServiceBEA
  User Base DN : values provided as per requirement
  Port : 389
  User Object Class : user
  Use Retrieved User Name as Principal : checked
  Group Base DN : same values as per User Base DN
  Static Group Object Class : group
  Group Membership Searching : unlimited
  Max Group Membership Search Level : 0
  These are my AD settings. After doing this i click on save and then activate changes and then restarted the admin server.
  But the problem is when i login to weblogic console to check the user list under "User and Group" i am unble to find any Active Directory users.
  I don't know where i made the mistake. Can some make me out of this trouble.
  Any help is highly appreciated.
  Thanks in advance !

  Hi Sean,
  Actually we have already a Active Directory with username "ServiceBEA" in our windows server. So i used this "ServiceBEA" as UserName Attribute in weblogic console while creating a Active Directory Authenticator.
  You mean to say that we should go for "sAMAccountName" or what? If that is the case then i have also tested with following values, but still no luck.
  UserName Attribute : sAMAccountName
  Principal : ServiceBEA
  Host : xxxxxx
  User Search Scope : subtree
  Group From Name Filter : (&(sAMAccountName=%g)(objectclass=group))
  Credential : xxxxxx
  Confirm Credential : xxxxxx
  User From Name Filter : (&(sAMAccountName=%u)(objectclass=user))
  Static Group Name Attribute : sAMAccountName
  User Base DN : values provided as per requirement
  Port : 389
  User Object Class : user
  Use Retrieved User Name as Principal : checked
  Group Base DN : same values as per User Base DN
  Static Group Object Class : group
  Group Membership Searching : unlimited
  Max Group Membership Search Level : 0
  Please advise what to be place in case of User Name Attribute.
  Any help is highly appreciated.
  Thanks in advance !

• WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

  Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
  a managed server using the node manager? I can boot the server without the AD
  authenticator and I can also boot the server using a script and successfully authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
  configuration works fine with weblogic running on W2K, but not on Solaris (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

  Solved the problem. The 'domain root' directory specified in the remote start configuration,
  must contain a copy of the file 'SerializedSystemIni.dat' that was created along
  with the domain, in order to boot when an AD authenticator is configured. If an
  AD authenticator is not configured, no file is required. This was not a platform
  specific issue; on Win2K I had configured the 'domain root' remote start parameter
  to point to an existing domain root and not a new directory.
  "Andrew Walker" <[email protected]> wrote:
  >
  Has anyone managed to setup a WLS 7.0 Active Directory authenticator
  and booted
  a managed server using the node manager? I can boot the server without
  the AD
  authenticator and I can also boot the server using a script and successfully
  authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup
  a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
  This
  configuration works fine with weblogic running on W2K, but not on Solaris
  (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
  <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException:
  RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException:
  Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute
  method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

• How to display active directory users through weblogic portal Application?

  Hi,
  Does anyone has faced this situation?
  I configured the activedirectory and able to see the users and group in the weblogic console at Security->Realms->Myrealm->users. when I run my portal application,I am able to see only the users that are configured in embedded weblogic LDAP ie, I can see only the users weblogic,portaladmin and yahooadmin that are of defaultauthenticator provider.I need to display the active directory users also in our portal.
  I have two doubts on this?
  1)Is it I need to write custom code to view the active directory users in our portal?
  2)Does I need to use any jars that supports active directory authenticator?
  I would appreciate if any one can reply on this with helpfull docs/information.
  We are using BEA 8.1 SP4.
  Windows 2000.
  Surendra

  Hi,
  I too have a similar kind of requirement, i use a jsp to do this activity, but i get an exception, i have shown the entire jsp code below,
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <%@ page import="java.util.Set" %>
  <%@ page import="javax.naming.Context" %>
  <%@ page import="weblogic.jndi.Environment" %>
  <%@ page import="weblogic.management.MBeanHome" %>
  <%@ page import="weblogic.management.configuration.DomainMBean" %>
  <%@ page import="weblogic.management.configuration.SecurityConfigurationMBean" %>
  <%@ page import="weblogic.management.security.RealmMBean" %>
  <%@ page import="weblogic.management.security.authentication.AuthenticationProviderMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserPasswordEditorMBean" %>
  <%@ page import="weblogic.security.providers.authentication.LDAPAuthenticatorMBean" %>
  <%@ page import="weblogic.management.configuration.EmbeddedLDAPMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserEditorMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserReaderMBean" %>
  <%@ page import="weblogic.management.security.authentication.GroupReaderMBean" %>
  <%@ page import="weblogic.management.utils.ListerMBean" %>
  <%@ page import="javax.management.MBeanException" %>
  <%@ page import="javax.management.modelmbean.RequiredModelMBean" %>
  <%@ page import="examples.security.providers.authentication.manageable.*" %>
  <%@ page import="weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBean" %>
  <%@ page import="weblogic.management.utils.InvalidParameterException" %>
  <%@ page import="weblogic.management.utils.NotFoundException" %>
  <%@ page import="weblogic.security.SimpleCallbackHandler" %>
  <%@ page import="weblogic.servlet.security.ServletAuthentication"%>
  <%!
  private String makeErrorURL(HttpServletResponse response,
  String message)
  return response.encodeRedirectURL("welcome.jsp?errormsg=" + message);
  %>
  <html>
  <head>
  <title>Password Changed</title>
  </head>
  <body>
  <h1>Password Changed</h1>
  <%
  // Note that even though we are running as a privileged user,
  // response.getRemoteUser() still returns the user who authenticated.
  // weblogic.security.Security.getCurrentUser() will return the
  // run-as user.
  System.out.println("------------------------------------------------------------------");
  String username = request.getRemoteUser();
  System.out.println("User name -->"+username);
  // Get the arguments
  String currentpassword = request.getParameter("currentpassword");
  System.out.println("Current password -->"+currentpassword);
  String newpassword = request.getParameter("newpassword");
  System.out.println("New password -->"+newpassword);
  String confirmpassword = request.getParameter("confirmpassword");
  System.out.println("Confirm password -->"+confirmpassword);
  // Validate the arguments
  if (currentpassword == null || currentpassword.length() == 0 ||
  newpassword == null || newpassword.length() == 0 ||
  confirmpassword == null || confirmpassword.length() == 0) { 
  response.sendRedirect(makeErrorURL(response, "Password must not be null."));
  return;
  if (!newpassword.equals(confirmpassword)) {
  response.sendRedirect(makeErrorURL(response, "New passwords did not match."));
  return;
  if (username == null || username.length() == 0) {
  response.sendRedirect(makeErrorURL(response, "Username must not be null."));
  return;
  // First get the MBeanHome
  String url = request.getScheme() + "://" +
  request.getServerName() + ":" +
  request.getServerPort();
  System.out.println("URL -->"+url);
  Environment env = new Environment();
  env.setProviderUrl(url);
  Context ctx = env.getInitialContext();
  MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
  System.out.println("MBean home obtained....");
  DomainMBean domain = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
  // Sar
  EmbeddedLDAPMBean eldapBean = domain.getEmbeddedLDAP();
  System.out.println("Embedded LDAP Bean obtained...."+eldapBean );
  RealmMBean realm = secConf.findDefaultRealm();
  System.out.println("RealmMBean obtained....");
  AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
  System.out.println("AuthProvMBean obtained....");
  // Now get the UserPasswordEditorMBean
  // This code will work with any configuration that has a
  // UserPasswordEditorMBean.
  // The default authenticator implements these interfaces
  // but other providers could work as well.
  // We try each one looking for the provider that knows about
  // this user.
  boolean changed=false;
  UserPasswordEditorMBean passwordEditorMBean = null;
  System.out.println("UserPwdEdtMBean obtained....");
  //System.out.println("Creating MSAI....");
  //ManageableSampleAuthenticatorImpl msai =
  // new ManageableSampleAuthenticatorImpl(new RequiredModelMBean());
  //System.out.println("Done....");
  for (int i=0; i<authenticators.length; i++) {
  System.out.println("### Authenticator --->"+authenticators);
  if (authenticators[i] instanceof ActiveDirectoryAuthenticatorMBean)
  ActiveDirectoryAuthenticatorMBean adamb =
  (ActiveDirectoryAuthenticatorMBean)authenticators[i];
  System.out.println("### ActiveDirectoryAuthenticatorMBean .....");
  String listers = adamb.listUsers("*",0);
  while(adamb.haveCurrent(listers))
  System.out.println("### ActiveDirectoryAuthenticatorMBean user advancement.....");
  adamb.advance(listers);
  if (authenticators[i] instanceof UserPasswordEditorMBean) {
  passwordEditorMBean = (UserPasswordEditorMBean) authenticators[i];
  System.out.println("Auth match ...."+passwordEditorMBean);
  try {
  // Now we change the password
  // Sar comment
  System.out.println("Password changed....");
  //passwordEditorMBean.changeUserPassword(username,
  // currentpassword, newpassword);
  changed=true;
  // Sar Comment
  catch (InvalidParameterException e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  catch (NotFoundException e) {
  catch (Exception e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  // Sar code
  LDAPAuthenticatorMBean ldapBean = null;
  UserReaderMBean urMBean = null;
  UserEditorMBean ueMBean = null;
  GroupReaderMBean gMBean = null;
  //ListerMBean lBean = null;
  try
  if (authenticators[i] instanceof LDAPAuthenticatorMBean)
  ldapBean = (LDAPAuthenticatorMBean) authenticators[i];
  String userFilter = ldapBean.getAllUsersFilter();
  System.out.println("userFilter ="+userFilter);
  if (authenticators[i] instanceof UserEditorMBean)
  try
  System.out.println("UserEditorMBean...");
  ueMBean = (UserEditorMBean) authenticators[i];
  System.out.println("List users..."+ueMBean);
  boolean b = ueMBean.userExists("webuser");
  System.out.println("User Exists->>>"+b);
  String cursor = ueMBean.listUsers("webuser", 2);
  System.out.println("List User ----->"+cursor);
  catch(InvalidParameterException e)
  response.sendRedirect(makeErrorURL(response, "ERROR InvalidParameterException:" + e));
  catch(java.lang.reflect.UndeclaredThrowableException e)
  response.sendRedirect(makeErrorURL(response, "ERROR UndeclaredThrowableException :" + e));
  e.printStackTrace();
  catch(Exception e)
  response.sendRedirect(makeErrorURL(response, "ERROR LBean:" + e));
  catch(Exception ex)
  ex.printStackTrace();
  response.sendRedirect(makeErrorURL(response, "ERROR:" + ex));
  return;
  if (passwordEditorMBean == null) {
  response.sendRedirect(makeErrorURL(response, "Internal error: Can't get UserPasswordEditorMBean."));
  return;
  System.out.println("pwd changed ->"+changed);
  if (!changed) {
  // This happens when the current user is not known to any providers
  // that implement UserPasswordEditorMBean
  response.sendRedirect(makeErrorURL(response,
  "No password editors know about user " + username + "."));
  return;
  %>
  User <%= username %>'s password has been changed!
  <br>
  <br>
  </body>
  </html>
  Here is the console log
  User name -->webuser
  Current password -->i
  New password -->u
  Confirm password -->u
  URL -->http://localhost:7011
  MBean home obtained....
  Embedded LDAP Bean obtained....[Caching Stub]Proxy for mydomain:Name=mydomain,Type=EmbeddedLDAP
  RealmMBean obtained....
  AuthProvMBean obtained....
  UserPwdEdtMBean obtained....
  ### Authenticator --->Security:Name=myrealmDefaultAuthenticator
  Auth match ....Security:Name=myrealmDefaultAuthenticator
  Password changed....
  UserEditorMBean...
  List users...Security:Name=myrealmDefaultAuthenticator
  User Exists->>>true
  java.lang.reflect.UndeclaredThrowableException
  at $Proxy1.listUsers(Unknown Source)
  at jsp_servlet.__updatepassword._jspService(__updatepassword.java:411)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
  at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
  a:1006)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:463)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
  ontext.java:6718)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:37
  64)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: javax.management.MBeanException
  at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:551)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
  at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.j
  ava:988)
  at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
  at weblogic.management.commo.CommoProxy.invoke(CommoProxy.java:365)
  ... 14 more
  ### Authenticator --->Security:Name=myrealmDefaultIdentityAsserter
  pwd changed ->true
  Can u pls let me know how to get all the entries from LDAP.
  Thanx
  Sar

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Active Directory Authentication and permissions for user group in APEX 4.0

  Hello,
  I am new to oracle APEX and I have searched the forum for active directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow; in order to implement AD authentication for a user group in Oracle APEX 4.0.
  These are the threads which i was looking at to get an idea like how AD authentication works but its really confusing for me.
  Help with Authentication (APEX_LDAP.AUTHENTICATE)
  Re: LDAP Authentication Via Groups
  Thanks,
  Tony

  You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.

• How to integrate Active Directory with Oracle Weblogic

  hi
  is there any Oracle Document that descripes how to integrate the LDAP Active directory with Oracle Weblogic 10.3
  Regards
  Edited by: qasas on 28-Nov-2009 13:56

  weblogic docs (and there identity asserters) - http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html

• WebLogic 10.3.3.0 MS Active Directory Authentication steps

  Hi everyone.
  I'm trying to configure WLS with Active Directory provider, to give my application security.
  For now I can see the users and the groups correctly in the administration console, but when i go to my application I can`t login with any user of my active directory.
  I think i miss some step.
  Please can some one giveme the steps to configure the securityrealm.
  Thanks in Advance.
  Cristian.

  Hi Cristian
  1. I hope you already restarted the server after configuring the AD.
  2. When you restarted, please make sure there NO errors in the log files and in the command window from where you run startWeblogic.cmd. Just incase if you miss or give wrong info for AD like host, port, username, pwd etc, you should see errors like could NOT connect to LDAP etc. Incase if you DO NOT see any errors, then only things you need to cross check are userbasedn and groupbasedn values. These are the important values that actually bring the users/groups from these heirarchies. So if possible using any open source LDAP client first connect to AD and for couple of users and groups get full dn and cross check with what you configured in WLS console.
  3. Just for reference here are some old posts. Hopefully you did all this, if not please refer these posts of mine:
  Re: LDAP Configuration
  Thanks
  Ravi Jegga

• Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

  We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
  The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
  Additional technical information:
  Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
  Timestamp: 2015-04-14 12:27:20Z
  AADSTS50020:
  User account '[email protected]' from external
  identity provider 'live.com' is not supported for application
  'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
  be added as an external user in the tenant. Please sign out and sign in
  again with an Azure Active Directory user account.
  It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

  I assume you created a web application using VS2013 which uses the WS-Federation protocol.
  The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
  For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
  The user will need to either sign-out or use an in-private session in the browse.
  If you switch to openID connect(sample at
  https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

• Active Directory Authentication, AFP Home Folders in the wrong place!

  Hi,
  I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
  -Xserve G5, Mac OS X Server 10.4.7
  -OD Master bound to AD for authentication
  -Hosts AFP and SMB shares, all stored on Xserve RAID
  On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
  The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
  Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
  Going slightly mad,
  Jason

  Hi there,
  Just wanted to share my make-due solution.
  I have setup the automount sharepoint at "/Data/Home".
  When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
  I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
  -Desktop
  -Library
  The other icons related to the home dir on the Dock remain big "?" 's.
  So I manually added them and assigned them the propper rights.
  Now users can log in without any problems, network home folders are working.
  So essentially I got thing s to work, luckily I have only a hand full of Mac Users, Imagine having a user base in the hundreds !
  Thinking about this really makes me want to know how I can fix this problem, I have a make shift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
  I've checked all possible locations on the server (i thought maybe it might have made local accounts on server by accident, but it didn't.)
  If anyone has ANY idea, please share.
  Thx!!
  Have a nice day

• Active Directory authentication, OS X network homes on Xserve

  Hi
  I'm looking for a general guide/tips for our deployment of OS X in our Windows network.
  Everyone in our institution has an Active Directory account.
  We also have an Xserve 10.4.4 running as an OD Master with 400 accounts for people who use Macs. It shares out OS X network home folders for these accounts. This means these people have a seperate AD and OD account.
  We aim to get these users authenticating with AD on the Macs and seeing a network home that will ultimately be a combination of an OS X folder (Public, Sites) and a Windows folder (My documents etc.)
  We can backup the data in their existing OS X home folders for them to pull into the new homes that will be created for them through AD authentication.
  We can successfully bind the Xserve and client Macs to AD. We have a group of AD users in WGM. MCX preferences are enforced at computer level.
  The big questions are:
  How do we tackle the mapping of a (OS X/Windows combo) home folder stored on the Xserve for new Active Directory accounts when they are created?
  What could we do with AD/OD current users existing Active Directory folders when they start to use AD to authenticate on the Macs (current OS X home data will be backed up and pulled in to new OS X accounts later) ?
  Do we definately need Kerberos running on the Windows server ?
  What would happen to an existing AD/Windows-only user with a Windows folder mapped to an SMB/Windows server share if they authenticated to OS X for the first time - local home creation (default/forced) ?
  Any advice appreciated - we have Windows/Mac people working in harmony here and we're close to what we want!
  Many Thanks

  Try this (on the client computer):
  Login locally using a user with administrator privileges.
  Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.
  Open a command prompt window and type the following command to find the profile name of your wireless network: netsh
  wlan show profiles
  Let's say the profile to use in the example is "office-network". Open regedit and
  look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Create a new String Value (REG_SZ) at that location, and name it anything you want (i.e. WIFI_Connect), and enter the following command string: %comspec%
  /c netsh wlan connect name="<profile name>" where profile name in our example would be "office-network".
  Reboot the laptop for this to take effect.
  If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer
  Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon.
  These step still require the wireless network to be your domain network as Windows can only Cache 50 credentials maximum.
  Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• Web-controller Active Directory authentication

  We have a 10.5.7 xserve as our Podcast Producer server. The server is tied to Active Directory for authentication. I just recently installed the web controller. When I authenticate with a local server account, I get in just fine. But, when I try to authenticate to the web controller with an AD account it fails.
  Now I know that since 10.5.6 in Podcast Capture I have had to select "single sign-on" in the app's preferences. Does anyone know if there is something similar in the web controller?

  I figured it out. May not be the perfect solution, but it works until 10.5.8.
  In /Library/Preferences/com.apple.pcastserverd.plist
  Find the following:
  <key>httpauthtype</key>
  <array>
  <string>basic</string>
  <string>digest</string>
  <string>kerberos</string>
  </array>
  Change to:
  <key>httpauthtype</key>
  <array>
  <string>basic</string>
  </array>
  Restart PCP:
  sudo launchctl unload /System/Library/LaunchDaemons/com.apple.pcastserverd.plist
  sudo launchctl load /System/Library/LaunchDaemons/com.apple.pcastserverd.plist
  Log into your server with an AD account at https://server.domain:8143

• Oracle database and Windows Active directory authentication

  Hello,
  Our developers have created a couple of web apps which look at our oracle database. Presently they use the APPS user and the user/password is hard coded into the config files.
  Is it possible to authenticate these using Windows Active Directory instead? Is it possible to use AD authentication for all developer access to the database?
  I'm trying to research this on the web but getting very confused. Would a lot of work be involved to get this up and running?
  Is anyone able to offer and advise?
  Thank you very much
  Sarah

  I don't have experience in joining a Linux system with Windows AD, and it generally does not sound like the best idea to me, but since Oracle Enterprise Linux is a clone of Red Hat Enterprise Linux, the solution you are looking for could be called Winbind.
  Perhaps the following links are useful:
  http://spiralbound.net/blog/2007/04/11/rhel-winbind-authentication-against-active-directory
  http://www.linuxmail.info/active-directory-integration-samba-centos-5/
  http://magazine.redhat.com/2007/11/12/tips-and-tricks-how-can-i-configure-winbind-to-synchronize-user-and-group-ids-across-multiple-red-hat-enterprise-linux-hosts-on-active-directory-accounts/

• Windows Active Directory Authentication

  Hi Experts,
  I have an enterprise application running in a clustered environment. The jars are diployed in jboss and wars in tomcat servers. The requirement is to authenticate users with thier Windows username/password with active directory itself and depending upon their roles give access to various functionalities in the application. Could someone guide on how the windows authentication should be done?
  Thanks

  We were able to successfully enable the Windows AD Authentication.
  Section 4 would be on the SIA's or server tier. Sections 5,6,and 7 would be for the Java Web app server or web tier.
  We got an error when trying to enable SSO though.
  The server encountered an internal error (com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "account@domian_name" but not key type (18) + KVNO (32) in this entry: Principal: [1] account@domain_name TimeStamp: Wed Dec 31 19:00:00 COT 1969 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [......] )) that prevented it from fulfilling this request.
  We disabled the SSO for the time being, but the Windows AD works fine.