ARTIFACTORY: LDAP: error code 49, comment: AcceptSecurityContext error, data 531 during Login in Artifactory

Author: Janardhana JL
Article number: 000005893
First published: 2023-10-19T15:44:17Z
Last modified: 2023-10-18
Version: 1
Symptom: during login to Artifactory, the following error is observed: LDAP: error code 49, comment: AcceptSecurityContext error, data 531

When Artifactory is configured against Active Directory, LDAP users may fail to log in with error code 49, comment: AcceptSecurityContext error, data 531.


Example Log Snippet:
2023-09-07T06:50:14.696Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:171] [http-nio-8081-exec-7] - Trying to authenticate user: 'abcd' via ldap.

2023-09-07T06:50:14.795Z [jfrt ] [DEBUG] [00fffbdd00aad000] [tifactoryBindAuthenticator:171] [http-nio-8081-exec-7] - Searching for user: '[ searchFilter: 'sAMAccountName={0}', searchBase: 'DC=ad,DC=test,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]' failed for 'abcd': [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 531, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 531, v3839]
org.springframework.security.authentication.AuthenticationServiceException: The user: 'abc' failed to authenticate

2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:199] [http-nio-8081-exec-7] - Failed to authenticate user: 'abcd' using ldap.
org.springframework.security.authentication.AuthenticationServiceException: The user: 'abcd' failed to authenticate

2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapUtils:138        ] [http-nio-8081-exec-7] - Trying to find user: 'abc' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@ebeb7604'

2023-09-07T06:50:14.796Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapServiceImpl:210   ] [http-nio-8081-exec-7] - Searching for user: 'abcd'

2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapServiceImpl:232] [http-nio-8081-exec-7] - Found user: 'abc', has DN: CN=abc,OU=SharedAccounts,OU=OrgResources,DC=ad,DC=test,DC=com

2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [o.a.s.l.LdapUtils:143] [http-nio-8081-exec-7] - Found user: 'abc' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@ebeb7604'

2023-09-07T06:50:14.850Z [jfrt ] [DEBUG] [00fffbdd00aad000] [LdapAuthenticationProvider:232] [http-nio-8081-exec-7] - Failed to authenticate user: 'abcd': The user: 'abcd' failed to authenticate


LDAP error code 49 with data 531 is an Active Directory sub-code meaning that the account is restricted to specific workstations and is not permitted to log on from the one the login attempt came from. If only a few AD users are affected, check whether their AD accounts are configured differently from the accounts that work.

For example:
  • Service account
  • Shared account
  • Personal account

In the case of a shared account, check whether workstation restrictions have been placed on it for the benefit of other applications, so that the account is not permitted to log on from any other workstation.
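To triage these failures across a whole log file instead of reading each line by hand, here is an added Python example (not part of this article or of Artifactory) that pulls the user name and the "data NNN" sub-code out of the bind-failure lines shown above and decodes it; it goes beyond the 531 case and covers the other documented AD sub-codes for error code 49 as well. The sample lines are constructed in the same format as the log snippet above.

```python
import re

# Sub-codes Active Directory reports after "data" in an "LDAP: error code 49" bind
# failure. 531 is the case this article covers; the rest are the other documented ones.
AD_ERROR_49_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (logon hours restriction)",
    "531": "not permitted to log on from this workstation (logon workstations restriction)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# User name and AD sub-code as they appear in an Artifactory LDAP debug line.
_LINE_RE = re.compile(
    r"failed for '(?P<user>[^']+)'.*?AcceptSecurityContext error, data (?P<code>[0-9a-f]{3})"
)

def parse_bind_failure(line):
    """Return (user, subcode, meaning) for a failed-bind log line, or None otherwise."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    code = m.group("code")
    return m.group("user"), code, AD_ERROR_49_SUBCODES.get(code, "unknown AD sub-code")

def triage(log_text):
    """Map each user with a failed LDAP bind to 'subcode: meaning' (last failure wins)."""
    failures = {}
    for line in log_text.splitlines():
        parsed = parse_bind_failure(line)
        if parsed:
            user, code, meaning = parsed
            failures[user] = f"{code}: {meaning}"
    return failures

# Constructed sample lines in the artifactory-ldap.log format shown above (not real logs).
SAMPLE_LOG = (
    "2023-09-07T06:50:14.795Z [jfrt ] [DEBUG] [00fffbdd00aad000] [tifactoryBindAuthenticator:171]"
    " [http-nio-8081-exec-7] - Searching for user: '[ searchFilter: 'sAMAccountName={0}' ]' failed"
    " for 'abcd': [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment:"
    " AcceptSecurityContext error, data 531, v3839]\n"
    "2023-09-07T06:51:02.101Z [jfrt ] [DEBUG] [00fffbdd00aad001] [tifactoryBindAuthenticator:171]"
    " [http-nio-8081-exec-8] - Searching for user: '[ searchFilter: 'sAMAccountName={0}' ]' failed"
    " for 'svc-build': [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment:"
    " AcceptSecurityContext error, data 52e, v3839]\n"
)
```

Lines that are not bind failures (for example the "Trying to authenticate user" lines) are ignored, so the whole artifactory-ldap.log can be fed in as-is.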

For more information, you can refer to the external articles below, where the same error code 49, data 531 issue has been discussed:

-> Unable to log in because of userWorkstations attribute in Active Directory
-> Similar issue discussed on Stack Overflow
-> LDAP error code 49, data 531

If the AD configuration looks correct and the LDAP users are permitted to access Artifactory from other workstations, check the following and share the details with the JFrog Support team for further investigation.
A. Make sure the LDAP test connection in Artifactory succeeds for the user.
B. Check for a group sync issue for the same LDAP users: once the test connection succeeds, check whether you are able to search the relevant groups for this user.
C. Verify that the LDAP users are not locked in Artifactory and that the password provided is valid.
D. Make sure the user has not been suspended because of repeated incorrect login attempts. Recurrent login failures can also be caused by Artifactory's temporary login suspension, which is triggered by concurrent login failures with incorrect credentials for those specific users.

After a user has been suspended due to concurrent login attempts, Artifactory blocks further login attempts by imposing a temporary login delay, during which further attempts are ignored. The lifespan of this cached login attempt is calculated from the number of previous attempts and a configurable system property, but will not exceed 5 seconds in any case.

If the issue persists after the above checks, provide the following details:

1. Run the ldapsearch command below from a different host, using the same user credentials you are trying to authenticate with, to check that the LDAP server is reachable, and let us know the result.
ldapsearch -x -LLL -h [host] -D [user] -w [password] -b [base DN] -s sub "([filter])" [attribute list]

2. Check the LDAP server side logs for any additional stack traces and share the LDAP logs.

3. Reproduce the issue and share the complete Artifactory support bundle, along with the exact timestamp of the event and the user details. To capture LDAP-level detail in the bundle, add the following appender and loggers to Artifactory's logback configuration; they write trace-level output from the LDAP authentication classes to artifactory-ldap.log.
<appender name="ldap" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${log.dir}/artifactory-ldap.log</File>
  <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
    <FileNamePattern>${log.dir.archived}/artifactory-ldap.%i.log.gz</FileNamePattern>
    <maxIndex>10</maxIndex>
  </rollingPolicy>
  <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
    <MaxFileSize>25MB</MaxFileSize>
  </triggeringPolicy>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
      <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
    </layout>
  </encoder>
</appender>
<logger name="org.springframework.security.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.addon.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.security.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.webapp.servlet.AccessFilter" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>

You can also refer to this article for the related error “LDAP: error code 49 - 80090308 and data 52e”.