cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X

Problem to authenticate to our Windows Server 2016 AD

isodius
7-Bedrock

Problem to authenticate to our Windows Server 2016 AD

Hello everybody.

We (the Sodius company) provide tooling around Integrity. As such, we run a bunch of virtual machines with Integrity server from 9.6 to 10.9. All of those VMs used to authenticate users to our company old Windows Server 2003 Active Directory. Here is AD related section of the security.properties file:

ldap.host=<windows server host FQDN>

ldap.port=389

ldap.principal=CN=<the unprivlledged user>,OU=collaborateurs,DC=<domain>,DC=<suffix>

ldap.credential=<password>

ldap.user.dn=OU=sodius,OU=collaborateurs,DC=<domain>,DC=<suffix>

ldap.user.objectclass=user

ldap.user.name=sAMAccountName

ldap.user.filter=(&(sAMAccountName=%u)(objectclass=user)(objectcategory=person))

ldap.user.scope=subtree

ldap.group.objectclass=group

ldap.group.name=cn

ldap.group.members=member

ldap.group.filter=(&(cn=%g)(objectclass=group))

ldap.group.dn=OU=sodius,OU=collaborateurs,DC=<domain>,DC=<suffix>

ldap.group.scope=subtree

ldap.member.filter=(|(objectclass=group)(objectclass=user))

ldap.member.dn=%M

ldap.member.scope=base

ldap.ou.objectclass=organizationalUnit

ldap.ou.name=collaborateurs

This has worked for years. Because WS2003 is really old and obsolete, we recently switched to a brand new Windows Server 2016 AD. Our AD structure changed a bit, of course we reflected those changes in the security.properties file. But no way to get a working Integrity Server. We always get a fatal error message:

2017-03-08 09:18:49,920 Service AppConfig not started due to errors: Service mks:name=IM not started due to errors: Unable to start IM service: Unable to authenticate to LDAP server: The credentials presented to the server for authentication are not valid.  (For example, the password sent to the server does not match the user's password in the directory.) [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839

2017-03-08 09:18:49,936 Shutdown requested by Configuration service. Reason: Service AppConfig not started due to errors: Service mks:name=IM not started due to errors: Unable to start IM service: Unable to authenticate to LDAP server: The credentials presented to the server for authentication are not valid.  (For example, the password sent to the server does not match the user's password in the directory.) [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839

The problem is the credentials used are valid. We tested with 3 differents accounts, same error. I installed some LDAP request tools and they work, credentials are accepted and we can run some requests on the AD. So the problem is really on the Integrity side (10.6 in this case).

Any help would be great, thanks.

2 REPLIES 2
isodius
7-Bedrock
(To:isodius)

Finally found the problem by myself: be careful with password complexity! In my case, the password of the account which runs requests to the AD contains " and this was the cause of the issue.

PTC team, you should do this better.

Hi.

You may want to open a Support case, with some details, so that we can explore if there is a defect here somewhere, or if this is some character encoding issue, etc.

From your description, it sounds like this was the ldap.credential line in the security.properties file, where the password contained " within it?  Was it just the one, or was that placed in the password more than once?

It should parse that out correctly, if it's just a double-quote character.  I know there has been some issues with special characters where encoding was an issue.  I assume the Integrity server, and your Windows AD server, use the same language/character encoding on each, so there isn't some weird encoding translation issue here, between the two?

Open a Support case up, if you'd like to explore that some more.

Top Tags