User Authentication Fails in Active Directory (AD) LDAP Provider (Doc ID 2915500.1)

Last updated on DECEMBER 19, 2023

Applies to:

Symptoms

A web application was developed and deployed which uses Active Directory (AD) as an authentication provider. Most business users are accessing the application without any issue, but a few users are failing to be authenticated. These failing users are able to log into other business applications, but fail in WebLogic Server (WLS), and they are confirmed to be in the AD directory correctly. Also, users and groups are not being displayed correctly in the WebLogic Server admin console.

Changes

Troubleshooting found the following:

1. The filters for the AD provider were not correct. Fixing the all-users and all-groups filters corrected the problems with users and groups displaying in the WLS admin console. However, some users were still not able to log in as expected.
2. A password validator was configured on the system which specified that a valid password must be at least 8 characters long and must have at least one numeric or special character. This could explain why some users were authenticated successfully (with a valid password) but others cannot be authenticated because they have an invalid password. However, the failing users all reported that they had a valid password.
3. Enabling the SecurityATN debug flag and reproducing the failed login provided more information about where the authentication was failing. These log entries were seen:
   This shows that the SampleUser user is found successfully in the database, but the authentication fails on the subsequent step to determine what groups SampleUser belongs to.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.