LDAP import works but authentication fails - Simple Bind

Problem

In some cases it is possible that the LDAP directory is configured correctly and users and groups are imported correctly, but the users cannot log in using their domain credentials. The default authentication method of the iGrafx Platform for LDAP authentication is a Simple Bind, the password of the user is transmitted to the LDAP server for verification. Often times, company policies forbid this. To determine if this is the case, additional logging needs to be put in place.

Verify the issue

The following explains how to set up log4j to write the LDAP activities into the igrafx_server.log file for the predeployed iGrafx Platform.

Log in to the iGrafx Platform i.e. the admin account created on initial setup.
Go to Administration > Support > Logging Settings
Set Log Level to Debug
Turn off Log All Classes
Check the box next to custom and add org.springframework.security.ldap;org.springframework.security.authentication.ProviderManager;com.igrafx.shared.security.MultiLdapAuthenticationProvider as custom log classes.
Confirm the changes by clicking Save Logging Settings
Stop the application server
Delete the log files or move them to a different location
Start the application server
Try to log in as a user from the LDAP directory.

The file igrafx_server.log in your base directory should now contain entries along these lines:

CODE

10 Dec 2015 22:10:49,668 DEBUG ProviderManager,http-apr-8080-exec-2:152 - Authentication attempt using com.igrafx.shared.security.MultiLdapAuthenticationProvider
10 Dec 2015 22:10:49,668 DEBUG ProviderManager,http-apr-8080-exec-2:152 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
10 Dec 2015 22:10:49,778 DEBUG ProviderManager,http-apr-8080-exec-2:152 - Authentication attempt using com.igrafx.shared.security.IceLdapAuthenticationProvider
10 Dec 2015 22:10:49,778 DEBUG FilterBasedLdapUserSearch,http-apr-8080-exec-2:107 - Searching for user 'thismyusername', with user search [ searchFilter: '(&(objectCategory=Person) (sAMAccountName={0}))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
10 Dec 2015 22:10:50,247 DEBUG SpringSecurityLdapTemplate,http-apr-8080-exec-2:211 - Searching for entry under DN 'DC=igrafx,DC=com', base = '', filter = '(&(objectCategory=Person) (sAMAccountName={0}))'
10 Dec 2015 22:10:50,497 DEBUG SpringSecurityLdapTemplate,http-apr-8080-exec-2:223 - Found DN: CN=Peuser\, Nils,OU=Employees,OU=IGX,DC=na,DC=igrafx,DC=com
10 Dec 2015 22:11:15,934 DEBUG BindAuthenticator,http-apr-8080-exec-2:108 - Attempting to bind as cn=Peuser\, Nils,OU=Employees,OU=IGX,DC=na,DC=igrafx,dc=com
10 Dec 2015 22:11:16,340 DEBUG BindAuthenticator,http-apr-8080-exec-2:152 - Failed to bind as CN=Peuser\, Nils,OU=Employees,OU=IGX,DC=na,DC=igrafx,DC=com: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ]

The error 52e can indicate that the password is wrong (invalid credentials). However, it can also indicate that the server is rejecting the BIND attempt due to other reasons, that need to be determined.
After you are done with the verification of the issue you should reset your logging settings.

Solution

Possibly the LDAP server is not allowing Bind authentication. Configure an LDAP over SSL (LDAPS) connection in the iGrafx platform configuration by turning on the check box next to Use SSL in the directory settings, you may need to adjust the port setting.

The default port for Active Directory LDAPS is 636. But the default port varies depending on the directory provider and also the LDAP administrators might have changed it to a custom port.