User Authentication Fails in Active Directory (AD) LDAP Provider
(Doc ID 2915500.1)
Last updated on DECEMBER 14, 2022
Applies to: Oracle WebLogic Server - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
A web application was developed and deployed which uses Active Directory (AD) as an authentication provider. Most business users are accessing the application without any issue, but a few users are failing to be authenticated. These failing users are able to log into other business applications, but fail in WebLogic Server (WLS), and they are confirmed to be in the AD directory correctly. Also, users and groups are not being displayed correctly in the WebLogic Server admin console.
Troubleshooting found the following:
- The filters for the AD provider were not correct. Fixing the all-users and all-groups filters corrected the problems with users and groups displaying in the WLS admin console. However, some users were still not able to log in as expected.
- A password validator was configured on the system which specified that a valid password must be at least 8 characters long and must contain at least one numeric or special character. This could explain why some users were authenticated successfully (with a valid password) while others could not be authenticated because their password was invalid. However, the failing users all reported that they had a valid password.
- Enabling the SecurityATN debug flag and reproducing the failed login provided more information about where the authentication was failing. These log entries were seen:
This shows that the SampleUser user is found successfully in the directory, but the authentication fails on the subsequent step, which determines what groups SampleUser belongs to.
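The trace above separates the two lookups an AD provider performs: finding the user by login name, then finding the groups whose member attribute contains that user's DN. The following is an added, self-contained example (not WebLogic code and not part of the support note) that re-runs both lookups against a small constructed in-memory directory so each step can be checked on its own. The filter template values are the WebLogic AD provider defaults as assumed here; confirm them against the provider's actual configuration. The deliberately wrong all-users filter and the DN containing an escaped comma are constructed illustrations of how the first and second step can fail, not the diagnosis from the note.

```python
"""Offline re-run of the two lookups a WebLogic AD authentication provider
performs: (1) find the user by login name, (2) find the static groups whose
member attribute contains the user's DN. Everything here is a constructed
example; the directory entries are made up."""
import re

# Filter templates as configured on the AD provider (assumed defaults; check
# the provider's actual settings in the WLS admin console).
USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"
GROUPS_FROM_MEMBER_DN_FILTER = "(&(member=%M)(objectclass=group))"
ALL_USERS_FILTER = "(&(sAMAccountName=*)(objectclass=user))"
ALL_GROUPS_FILTER = "(&(cn=*)(objectclass=group))"
# Constructed "wrong" all-users filter: uid is not populated in AD, so it
# matches nothing and the console shows no users at all.
WRONG_ALL_USERS_FILTER = "(&(uid=*)(objectclass=person))"

# Constructed directory. The second user's DN contains an escaped comma.
SAMPLE_DIRECTORY = [
    {"dn": "CN=SampleUser,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "SampleUser", "objectclass": ["top", "person", "user"]},
    {"dn": "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "jdoe", "objectclass": ["top", "person", "user"]},
    {"dn": "CN=AppUsers,OU=Groups,DC=example,DC=com", "cn": "AppUsers",
     "objectclass": ["top", "group"],
     "member": ["CN=SampleUser,OU=Staff,DC=example,DC=com",
                "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"]},
]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    # In a valid filter every backslash is followed by exactly two hex digits.
    if re.search(r"\\(?![0-9A-Fa-f]{2})", value):
        raise ValueError("bad escape in filter value: %r" % value)
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parser for the subset of RFC 4515 used here:
    &, |, ! and equality/presence leaves. Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, raw = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported")
    value = None if raw == "*" else _unescape(raw)   # None = presence test
    return ("=", attr.strip(), value), end + 1


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    attrs = {k.lower(): v for k, v in entry.items()}   # AD attrs are case-insensitive
    vals = attrs.get(attr.lower())
    if vals is None:
        return False
    if isinstance(vals, str):
        vals = [vals]
    if value is None:
        return True
    return any(v.lower() == value.lower() for v in vals)


def search(directory, filter_text):
    """Return the DNs of entries matching filter_text."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["dn"] for e in directory if _matches(node, e)]


def diagnose(directory, login, escape=True):
    """Run both provider steps and report where they fail, the way a
    SecurityATN trace would; escape=False shows raw substitution of %M."""
    sub = escape_filter_value if escape else (lambda v: v)
    report = {"user_dn": None, "groups": [], "error": None}
    try:
        users = search(directory, USER_FROM_NAME_FILTER.replace("%u", sub(login)))
        if len(users) != 1:
            return report
        report["user_dn"] = users[0]
        report["groups"] = search(
            directory, GROUPS_FROM_MEMBER_DN_FILTER.replace("%M", sub(users[0])))
    except ValueError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    for login in ("SampleUser", "jdoe", "nobody"):
        print(login, diagnose(SAMPLE_DIRECTORY, login))
    print("jdoe, unescaped DN:", diagnose(SAMPLE_DIRECTORY, "jdoe", escape=False))
    print("wrong all-users filter:", search(SAMPLE_DIRECTORY, WRONG_ALL_USERS_FILTER))
```

Running the script shows the three outcomes worth telling apart in a trace: a login that is not found at all (step 1 fails), a login that is found but whose group search returns nothing or errors (step 2 fails), and a filter that simply matches no entries, which is what a wrong all-users filter looks like from the console.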