I'm having trouble implementing correct authentication against Active Directory (Windows Server 2008 R2) from Java.
The assumed flow is: when an account is disabled in AD (Properties → Account → Account options → "Account is disabled" checkbox), connecting with com.sun.jndi.ldap.LdapCtxFactory should produce the following exception from AD:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1
This 533 tells me the account is locked/disabled. It works fine - at least in my development environment. Enabling/disabling the account changes the authentication result immediately.
However, it doesn't work in the customer's production environment... I can successfully create the InitialContext (no 533), but a search operation an hour after the successful bind ends with an error saying I don't have the necessary authorization to perform the lookup.
What should I look for in the Active Directory configuration? I don't have any pooling or any AD replication...
[EDIT]: Wireshark dump
This is the bind request to the disabled account (only the LDAP protocol decoded):
0000 30 50 02 01 01 60 4b 02 01 03 04 3c 43 4e 3d 67 0P...`K....<CN=g
0010 72 7a 65 67 6f 72 7a 20 67 72 7a 79 62 65 6b 2c rzegorz grzybek,
0020 63 6e 3d 75 73 65 72 73 2c 64 63 3d xx xx xx xx cn=users,dc=xxxx
0030 xx xx xx xx xx 2c 64 63 3d xx xx 2c 64 63 3d xx xxxxx,dc=xx,dc=x
0040 xx xx 2c 64 63 3d 70 6c 80 08 xx xx xx xx xx xx xx,dc=pl..xxxxxx
0050 xx xx xx
This is the response - a plain resultCode: success (0):
0000 30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a 0........a......
0010 01 00 04 00 04 00 ......
The response to an invalid password is:
0000 30 84 00 00 00 68 02 01 01 61 84 00 00 00 5f 0a 0....h...a...._.
0010 01 31 04 00 04 58 38 30 30 39 30 33 30 38 3a 20 .1...X80090308:
0020 4c 64 61 70 45 72 72 3a 20 44 53 49 44 2d 30 43 LdapErr: DSID-0C
0030 30 39 30 33 41 39 2c 20 63 6f 6d 6d 65 6e 74 3a 0903A9, comment:
0040 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC
0050 6f 6e 74 65 78 74 20 65 72 72 6f 72 2c 20 64 61 ontext error, da
0060 74 61 20 35 32 65 2c 20 76 31 64 62 31 00 ta 52e, v1db1.
And sending the correct password after the change immediately results in a successful bind.
By the way - using LDAPS (port 636) doesn't change anything - I can still bind to the disabled account.
EDIT: reproduced the problem on a virtual server
I enabled verbose logging of LDAP/AD events, and this is what I got:
An incorrect LDAP bind to Active Directory for a disabled account results in a single event:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: CENTRALA$
Account Domain: XXX
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: MY_ACTUAL_DOMAIN_NAME_OF_BLOCKED_USER
Account Domain: XXX
A correct LDAP bind to Active Directory for a disabled account results in the following events:
1:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Guest
Source Workstation: CENTRALA
Error Code: 0x0
2:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: CENTRALA$
Account Domain: MS
Logon ID: 0x3e7
Logon Type: 3
New Logon:
Security ID: MS\Guest
Account Name: Guest
Account Domain: MS
Logon ID: 0x38cd57
Logon GUID: {00000000-0000-0000-0000-000000000000}
Is it possible that a correct LDAP logon to a disabled account results in a logon to the Guest account?
Answer 0 (score: 4):
Finally I got the solution!
The problem was... the Guest account was enabled.
An AD/LDAP bind to an enabled or disabled account with an incorrect password results in the following event:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
An AD/LDAP bind to a disabled account with the correct password results in the following events:
1
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Guest
Source Workstation: CENTRALA
Error Code: 0x0
2
...
Account Whose Credentials Were Used:
Account Name: Guest
Account Domain: MS
Logon GUID: {00000000-0000-0000-0000-000000000000}
...
3
...
Logon Type: 3
New Logon:
Security ID: MS\Guest
Account Name: Guest
Account Domain: MS
Logon ID: 0x3ad7cf
Logon GUID: {00000000-0000-0000-0000-000000000000}
...
4
An account was logged off.
Subject:
Security ID: MS\Guest
Account Name: Guest
Account Domain: MS
Logon ID: 0x3ad7cf
After disabling the Guest account, an AD/LDAP bind to a disabled account with the correct password results in the following event:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Isn't this strange? Isn't this a bug in AD/LDAP?
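A defensive check for this failure mode, as an added example (not code from the question or the answer): after the JNDI bind it reads the user's own userAccountControl attribute and refuses the logon if the entry cannot be read or the ACCOUNTDISABLE bit is set, so a bind that silently landed on Guest is not treated as a successful authentication. The server URL, base DN and the use of userPrincipalName as the bind name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class AdBindCheck {
    // ACCOUNTDISABLE bit of the AD userAccountControl attribute.
    private static final int UF_ACCOUNTDISABLE = 0x0002;

    // Binds as the user, then verifies that the bound session can read the
    // user's own entry and that the entry is not disabled. Returns true only
    // when both hold; a bind that really authenticated as Guest fails a check.
    public static boolean authenticate(String url, String baseDn,
                                       String userPrincipalName, String password)
            throws NamingException {
        if (password == null || password.isEmpty()) {
            return false; // empty credentials turn into an anonymous bind, never a logon
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // assumed, e.g. ldaps://dc.example.test:636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipalName);
        env.put(Context.SECURITY_CREDENTIALS, password);

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null); // bind; 49 / data 533 surfaces here
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"userAccountControl"});
            // baseDn is assumed to be the users container so no referrals are chased.
            String filter = "(&(objectClass=user)(userPrincipalName={0}))";
            NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, filter, new Object[] {userPrincipalName}, sc);
            if (!results.hasMore()) {
                return false; // bound identity cannot see the user it claims to be
            }
            Attribute uac = results.next().getAttributes().get("userAccountControl");
            if (uac == null) return false;
            int flags = Integer.parseInt((String) uac.get());
            return (flags & UF_ACCOUNTDISABLE) == 0;
        } catch (NoPermissionException e) {
            return false; // search denied: the session is not the expected user
        } catch (AuthenticationException e) {
            return false; // bad password or disabled account (data 533)
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

This is defence in depth on the application side; the root cause named in the answer, an enabled Guest account, is still fixed on the domain controller.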