What are JNDI adaptor bind password requirements?

CS_2700254
4-Participant

I am using Windchill PDMLink Release 11.2 and Datecode with CPS 11.2.0.1

We have a JNDI adaptor to allow us to log in using our corporate Active Directory credentials. It has been working fine. Then our IT group imposed a password requirement of 20 characters minimum plus at least one special character on the bind password for the adaptor. After making the change, the Windchill method server will not start - see error below. What are the requirements of the bind password? Are special characters allowed?

Here are the errors that I faced
wt.system.err - javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09050F, comment: AcceptSecurityContext error, data 775, v4563 ]

ACCEPTED SOLUTION

mmeadows-3
14-Alexandrite
(To:mmeadows-3)

@VladimirN was right to provide article https://www.ptc.com/en/support/article/CS28129

From your error message...

wt.system.err - javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09050F, comment: AcceptSecurityContext error, data 775, v4563 ]

 

"775" means the account is locked.  Probably you entered the wrong password too many times and locked out the account.  It needs to be unlocked before you can try again.

 


7 REPLIES

Articles:

CS_2700254
4-Participant
(To:VladimirN)

Thanks for the response. I tried using escape character \ and also enclosing in single quotes per the article, but that did not help.

I also tried PTC’s SyntegraLDAPBrowser and LDAPSearch, and get the same Error Code 49.

Any other suggestions on what I can do to resolve?

mmeadows-3
14-Alexandrite
(To:CS_2700254)

First step is to confirm the credentials actually work.  If LDAPSearch can't do it, Windchill won't be able to either.

Personally, I've never used Syntegra's LDAP Browser.  I use Apache Directory Studio for LDAP validation.  It leads you through the connection creation and ensures IT gave you the right information.

  1. Enter Server, Port, and Protocol, and download the LDAP server's SSL cert if necessary.
  2. Enter credentials to browse the LDAP.  Note multiple usernames can work: sAMAccountName, userPrincipalName, full DN.
  3. Retrieve/enter the search base.

If you can't get past step 2, then IT gave you the wrong credentials information.

Once connected, you can browse the LDAP and...

  • Find the DNs for your Windchill Site Administrator, search bases, filter groups, etc.
  • Ensure accounts have the memberOf attribute if using a filter group
  • Validate properties that map into Windchill

You said the first issue is the Method Server won't start.  That means the credentials in mapCredentials.txt have an issue.  I set all my mapCredentials.txt entries at once.  That way I am certain there are no remnants from a previous configuration.

xconfmanager -t codebase/WEB-INF/mapCredentials.txt -s mapcredentials.admin.adapters="{adapter name}^{bind DN, username, or email address},{bind password}" --add mapcredentials.admin.adapters="{adapter name}^{bind DN, username, or email address},{bind password}" --add mapcredentials.admin.adapters="{adapter name}^{bind DN, username, or email address},{bind password}"

 

If you have validated everything else and it still appears to be a special character, most US/UK keyboard special characters (e.g. !@#$%) work.  The caret "^" is a problem for mapCredentials.txt.

https://www.ptc.com/en/support/article/CS387628

Escape characters for mapCredentials.txt...

https://www.ptc.com/en/support/article/CS352881

International language special characters can also be problematic.

https://www.ptc.com/en/support/article/cs17326

Other password related documentation is in the knowledge hub...

https://www.ptc.com/en/support/article/CS374688

 

If your password includes carets "^" or foreign language special characters, tell IT to change the password again.  There are plenty of other special characters on the keyboard that don't cause connection issues.

CS_2700254
4-Participant
(To:mmeadows-3)

Just to follow up, the issue has been resolved. It was that the bind password was locked. Many thanks for all the replies and special thanks to mmeadows-3 for pointing out "775" means the account is locked.

Thanks HelesicPetr
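
The diagnosis that resolved this thread came from the `data` sub-code in the LDAP error 49 text, so the following added example (not part of the original posts and not PTC code) triages bind failures from log lines by that sub-code and shows when the password text is no longer the suspect. The sub-code table lists the commonly seen Active Directory values, and the sample log lines are constructed in the shape of the error quoted above, with a placeholder DSID.

```python
import re

# Active Directory puts a hexadecimal Win32 status after "data" in the
# LDAP error 49 text; these are the commonly seen values.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password or bind name)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}
# Sub-codes where retrying with a re-escaped password cannot help.
ACCOUNT_STATE = {0x530, 0x531, 0x532, 0x533, 0x701, 0x773, 0x775}
BIND_ERROR = re.compile(
    r"LDAP: error code 49\b.*?AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def parse_subcode(line):
    """Return the AD sub-code as an int, or None if the line is not a bind failure."""
    m = BIND_ERROR.search(line)
    return int(m.group(1), 16) if m else None

def triage(lines):
    """Summarise bind failures and say whether the password text is still a suspect."""
    codes = [c for c in map(parse_subcode, lines) if c is not None]
    if not codes:
        return {"failures": 0, "last": None, "meaning": None, "action": "no bind failures found"}
    last = codes[-1]
    bad_pw = sum(1 for c in codes if c == 0x52E)
    if last in ACCOUNT_STATE:
        action = "fix the account state in AD first; do not retry the bind"
        if last == 0x775 and bad_pw:
            action += f" ({bad_pw} bad-password attempts preceded the lockout)"
    elif last == 0x52E:
        action = "check bind name, password and mapCredentials.txt escaping; limit retries"
    else:
        action = "check the bind name or look up the sub-code"
    return {"failures": len(codes), "last": f"{last:x}",
            "meaning": AD_BIND_SUBCODES.get(last, "unknown sub-code"), "action": action}

# Constructed sample lines (placeholder DSID), shaped like the error in this thread.
_FMT = ("wt.system.err - javax.naming.AuthenticationException: [LDAP: error code 49 - "
        "80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data {}, v4563 ]")
SAMPLE_LOG = [_FMT.format(code) for code in ("52e", "52e", "775")]
```

Calling `triage(SAMPLE_LOG)` reports the last sub-code as `775` and notes the two bad-password attempts that came before the lockout.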
