During Login to Artifactory observing LDAP: error code 49, comment: AcceptSecurityContext error, data 531
When Artifactory is configured with Active Directory, LDAP users may fail to log in with error code 49, comment: AcceptSecurityContext error, data 531.
Example Log Snippet:
2023-09-07T06:50:14.696Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:171] [http-nio-8081-exec-7] - Trying to authenticate user: 'abcd' via ldap.
2023-09-07T06:50:14.795Z [jfrt ] [DEBUG] [00fffbdd00aad000] [tifactoryBindAuthenticator:171] [http-nio-8081-exec-7] - Searching for user: '[ searchFilter: 'sAMAccountName={0}', searchBase: 'DC=ad,DC=test,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]' failed for 'abcd': [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 531, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 531, v3839]
org.springframework.security.authentication.AuthenticationServiceException: The user: 'abc' failed to authenticate
2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:199] [http-nio-8081-exec-7] - Failed to authenticate user: 'abcd' using ldap.
org.springframework.security.authentication.AuthenticationServiceException: The user: 'abcd' failed to authenticate
2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapUtils:138 ] [http-nio-8081-exec-7] - Trying to find user: 'abc' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@ebeb7604'
2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapServiceImpl:210 ] [http-nio-8081-exec-7] - Searching for user: 'abcd'
2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapServiceImpl:232] [http-nio-8081-exec-7] - Found user: 'abc', has DN: CN=abc,OU=SharedAccounts,OU=OrgResources,DC=ad,DC=test,DC=com
2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapUtils:143] [http-nio-8081-exec-7] - Found user: 'abc' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@ebeb7604'
2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:232] [http-nio-8081-exec-7] - Failed to authenticate user: 'abcd': The user: 'abcd' failed to authenticate
LDAP error code 49 with data 531 means the account is restricted and is not permitted to log in from any other workstation. If the issue affects only a few AD users, check whether their AD account configuration differs from that of the users who can log in.
For example, compare the account type:
- Service account
- Shared account
- Personal account
In the case of a shared account, check whether any restrictions have been added to the account for other applications and whether it is not permitted to log on from another workstation.
For more information on error code 531, refer to the external articles below, where a similar issue has been discussed:
-> Unable-to-log-in-because-of-userworkstations-attribute-in-active-directory
-> Similar issue discussed in Stack Overflow
-> ldap-error-code-49-,-data-531
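The value after "data" is what distinguishes one error 49 from another, so it is worth extracting before comparing accounts. As an added example (not JFrog's code), the Python below pulls the user and sub-code out of bind-failure lines shaped like the snippet above and lists the accounts failing with 531. The sample lines, the 'svc-build' account and the function names are constructed for illustration, and the table covers the commonly documented sub-codes beyond the two named on this page.

```python
import re

# AD sub-codes in the "data" field of LDAP error 49 (531 and 52e are on this page).
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
BIND_FAILURE = re.compile(
    r"^(?P<ts>\S+) .*? failed for '(?P<user>[^']*)': \[LDAP: error code 49 - "
    r"[0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+),")

def triage(lines):
    """Return one finding per bind-failure line; other log lines are skipped."""
    hits = (BIND_FAILURE.search(line) for line in lines)
    return [{"time": m["ts"], "user": m["user"], "data": m["data"].lower(),
             "meaning": AD_SUBCODES.get(m["data"].lower(), "unknown sub-code")}
            for m in hits if m]

def workstation_restricted(findings):
    """Users failing with data 531: check their AD logon-workstation limits."""
    return sorted({f["user"] for f in findings if f["data"] == "531"})

def sample_line(ts, user, data):
    # Constructed line shaped like the bind-failure entry in the page's snippet.
    err = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, "
           f"comment: AcceptSecurityContext error, data {data}, v3839]")
    return (f"{ts} [jfrt ] [DEBUG] [00fffbdd00aad000] [tifactoryBindAuthenticator:171]"
            " [http-nio-8081-exec-7] - Searching for user: '[ searchFilter: "
            "'sAMAccountName={0}', searchBase: 'DC=ad,DC=test,DC=com' ]' "
            f"failed for '{user}': {err}; nested exception is "
            f"javax.naming.AuthenticationException: {err}")

SAMPLE_LOG = [  # constructed; 'svc-build' is a made-up account name
    sample_line("2023-09-07T06:50:14.795Z", "abcd", "531"),
    "2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] - Failed to authenticate user: 'abcd' using ldap.",
    sample_line("2023-09-07T06:51:02.110Z", "svc-build", "52e"),
    sample_line("2023-09-07T06:52:40.003Z", "abcd", "531"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["user"], "data", f["data"], "->", f["meaning"])
    print("check AD workstation restrictions for:", workstation_restricted(found))
```

Each bind failure is logged twice on the same line (once in the message and once in the nested exception), so the pattern anchors on the first occurrence and yields one finding per line.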
If the configuration looks good and the LDAP users are permitted to access Artifactory from other workstations, check the following and share the details with the JFrog Support team for further investigation.
A. Make sure the LDAP test connection in Artifactory is successful for the user.
B. Check whether there is a group sync issue for the same LDAP users. Once the test connection is successful, check whether you are able to search the relevant groups for this user.
C. Verify that the LDAP users are not locked in Artifactory and that the password provided is valid.
D. Make sure that the user has not been suspended due to concurrent incorrect login attempts. The recurrent login failures could also be due to Artifactory's temporary login suspension, caused by concurrent login failures for those specific users using incorrect credentials.
After a user has been suspended due to concurrent login attempts, Artifactory blocks further login attempts by creating a temporary login delay, thus ignoring further login attempts. This cached login attempt's lifespan is calculated based on the number of previous attempts and a configurable system property, but will not be more than 5 seconds in any case.
If the issue still persists after the above checks, provide the following details:
1. Run the ldapsearch command below from a different host, using the same user credentials that fail to authenticate, to check whether the LDAP server is reachable, and let us know the result.
ldapsearch -x -LLL -h [host] -D [user] -w [password] -b [base DN] -s sub "([filter])" [attribute list]
2. Check the LDAP server-side logs for any additional stack traces and share those logs.
3. Reproduce the issue and share the complete Artifactory support bundle, with the exact timestamp of the event and the user details.
<appender name="ldap" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${log.dir}/artifactory-ldap.log</File>
    <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
        <FileNamePattern>${log.dir.archived}/artifactory-ldap.%i.log.gz</FileNamePattern>
        <maxIndex>10</maxIndex>
    </rollingPolicy>
    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
        <MaxFileSize>25MB</MaxFileSize>
    </triggeringPolicy>
    <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
            <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
        </layout>
    </encoder>
</appender>
<logger name="org.springframework.security.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.addon.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.security.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.webapp.servlet.AccessFilter" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
You can also refer to this article for issue with error “LDAP: error code 49 - 80090308 and data 52e”.