Drew Koenig [https://community.jboss.org/people/binaryblogger] created the discussion
"LdapExtLoginModule Bad Password causing AD accounts to lock out"
To view the discussion, visit:
https://community.jboss.org/message/787420#787420
--------------------------------------------------------------
I have 4 JBOSS servers all showing the same behavior. For an unknown reason, and from the
user perspective it's random, the JBOSS app server will try to auth the user to AD,
fail three times in about a second and lock the user's account. But once we unlock and
never touch JBOSS it may be a few hours or days before it happens to the same user again.
I see the lockouts happening on both the primary and secondary AD domain controllers. No
matter what we try it still happens and we can't figure out why since there is no
pattern or clear reason/trigger to this happening. But it happens regularly, just not to
the same users.
Here's the error in the log.
2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Then I see the lockout reason:
2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
Here's my login-config.xml for the AD connection.
<application-policy name="AppName">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
      <module-option name="java.naming.provider.url">ldap://AD-Corp-Primary.domain.com:389 ldap://AD-Corp-Secondary.domain.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">AppUserLDAP</module-option>
      <module-option name="bindCredential">hlnYulDMZaK77Cxq4VvHY</module-option>
      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>
      <module-option name="baseCtxDN">dc=corporate,dc=domain,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Resources,ou=Users and Groups,dc=corporate,dc=domain,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="searchTimeLimit">30000</module-option>
      <module-option name="defaultRole">HttpInvoker</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
--------------------------------------------------------------
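An added example (not part of the original post) for anyone triaging these lockouts from the JBoss side: it parses the LdapExtLoginModule DEBUG entries in the format quoted above, maps the Active Directory sub-code that follows "data" in the error 49 message (52e = invalid credentials, 775 = account locked out), and flags the per-user burst of failures inside about a second so it can be lined up against the domain controller's lockout time. The sample log, the three-in-one-second threshold and the user names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the LdapExtLoginModule DEBUG format quoted in the post (not real server logs).
SAMPLE_LOG = """\
2013-01-03 06:32:13,869 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:14,102 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:14,401 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2013-01-03 06:32:14,955 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=username111
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
2013-01-03 09:10:00,000 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=bob
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
"""
# AD sub-codes carried in "AcceptSecurityContext error, data NNN" after LDAP error code 49.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials", "532": "password expired",
               "533": "account disabled", "773": "must reset password", "775": "account locked out"}
HEADER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) DEBUG \[org\.jboss\.security\.auth\.spi\."
                       r"LdapExtLoginModule\] Bad password for username=(\S+)")
SUBCODE_RE = re.compile(r"error code 49 - .*AcceptSecurityContext error, data ([0-9a-f]+)")

def parse_events(text):
    """Pair each 'Bad password' header with the AD sub-code on the exception line below it."""
    events, pending = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            pending = (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2))
        elif (m := SUBCODE_RE.search(line)) and pending:
            events.append((pending[0], pending[1], m.group(1)))  # (timestamp, user, sub-code)
            pending = None
    return events

def detect(events, burst=3, window=timedelta(seconds=1)):
    """Report users with `burst` 52e failures inside `window`, plus every 775 (already locked) reply."""
    per_user = defaultdict(list)
    for ts, user, code in events:
        per_user[user].append((ts, code))
    bursts, lockouts = [], []
    for user, entries in sorted(per_user.items()):
        fails = sorted(ts for ts, code in entries if code == "52e")
        for i in range(len(fails) - burst + 1):
            if fails[i + burst - 1] - fails[i] <= window:
                bursts.append((user, fails[i]))  # time the storm started for this user
                break  # one alert per user; later failures belong to the same storm
        lockouts += [(user, ts, AD_SUBCODES.get(code, code)) for ts, code in entries if code == "775"]
    return {"bursts": bursts, "lockouts": lockouts}
```

Feed it the real server.log and compare each burst start time with the DC's lockout event for the same account; a burst that precedes the 775 by under a second is the app server retrying a stale credential, not the user typing it three times.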