This is a guess, but your dnFormat doesn't look very AD-ish to me. I note that you have an "ou=Users" in the commented-out bindDn; shouldn't you have that in dnFormat as well?
If you can, bring up one of the AD tools (under Windows) and look yourself up, and copy the DN string exactly.

--Dave

-- 
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

On Tue, May 15, 2018 at 1:31 PM, Jennifer LaVoie <[email protected]> wrote:

> Thanks Dave...I had to format my ldap stuff in the cas.properties differently.
>
> It now looks like this:
>
> cas.authn.ldap[0].order: 0
> cas.authn.ldap[0].name: Active Directory
> cas.authn.ldap[0].type: AD
> cas.authn.ldap[0].ldapUrl: ldaps://xxx.campus.bridgew.edu:636
> cas.authn.ldap[0].validatePeriod: 270
> cas.authn.ldap[0].poolPassivator: NONE
> cas.authn.ldap[0].userFilter: sAMAccountName={user}
> cas.authn.ldap[0].baseDn: dc=campus,dc=bridgew,dc=edu
> #cas.authn.ldap[0].bindDn: cn=cas5,ou=Users,dc=campus,dc=bridgew,dc=edu
> #cas.authn.ldap[0].bindCredential: xxxx
> cas.authn.ldap[0].dnFormat: cn=%s,dc=campus,dc=bridgew,dc=edu
>
> and now the page loads, but I still can't log in.
>
> When I netstat -anop | grep java:
>
> [root@cas3-dev bin]# netstat -anop |grep java
> tcp   0   0 127.0.0.1:8005        0.0.0.0:*         LISTEN       1795/java   off (0.00/0/0)
> tcp   0   0 0.0.0.0:8009          0.0.0.0:*         LISTEN       1795/java   off (0.00/0/0)
> tcp   0   0 0.0.0.0:8443          0.0.0.0:*         LISTEN       1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48450    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48452    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48446    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48448    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48456    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> tcp   0   0 10.20.32.131:48454    10.20.16.65:636   ESTABLISHED  1795/java   off (0.00/0/0)
> unix  3   [ ]   STREAM   CONNECTED   31497   1795/java
> unix  2   [ ]   STREAM   CONNECTED   31408   1795/java
> unix  3   [ ]   STREAM   CONNECTED   31498   1795/java
> unix  3   [ ]   STREAM   CONNECTED   30719   1795/java
> unix  3   [ ]   STREAM   CONNECTED   30720   1795/java
> unix  2   [ ]   STREAM   CONNECTED   31781   1795/java
>
> so things seem to be bound correctly.
>
> Here is my catalina.out grepping for jennifer.lavoie (username):
>
> 2018-05-15 13:27:45,866 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [jennifer.lavoie] eligibility for authentication handler [Active Directory]>
> 2018-05-15 13:27:45,867 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential [jennifer.lavoie] eligibility is [Active Directory] for authentication handler [true]>
> 2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [jennifer.lavoie]>
> 2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [jennifer.lavoie]>
> 2018-05-15 13:27:45,869 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [jennifer.lavoie]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[]]>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]]>
> 2018-05-15 13:27:45,873 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@632797964::bindDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]], referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3]>
> 2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@728104502::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for criteria=[org.ldaptive.auth.AuthenticationCriteria@157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]]>
> 2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu>
> 2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@728104502::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]>
> 2018-05-15 13:27:45,874 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]]>
> 2018-05-15 13:27:45,875 DEBUG [org.apereo.cas.authentication.support.DefaultLdapPasswordPolicyHandlingStrategy] - <Applying password policy [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]] to [org.apereo.cas.authentication.support.DefaultAccountStateHandler@42608b36]>
> 2018-05-15 13:27:45,876 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Attempting to handle LDAP account state for [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]]>
> 2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [jennifer.lavoie] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
> WHO: jennifer.lavoie
> WHAT: Supplied credentials: [jennifer.lavoie]
> [root@cas3-dev bin]#
>
> On Tuesday, May 15, 2018 at 11:38:05 AM UTC-4, David Curry wrote:
>>
>> Looks like the CAS webapp isn't starting. catalina.out should tell you what happened?
>>
>> -- 
>> DAVID A. CURRY, CISSP
>> DIRECTOR OF INFORMATION SECURITY
>> INFORMATION TECHNOLOGY
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • [email protected]
>>
>> On Tue, May 15, 2018 at 11:35 AM, Jennifer LaVoie <[email protected]> wrote:
>>
>>> I updated my pom.xml last week to install LDAP, but I didn't redeploy the war file...so I did that today, but now I can't reach https://cas3.xxx.xxx/cas/login
>>>
>>> I can still see my self-signed cert though, so I didn't wipe out my server.xml file...
>>>
>>> If I go to here
>>>
>>> https://cas3.xxx.xxx:8443/ I do see the default apache page is loading.
>>>
>>> HTTP Status 404 – Not Found
>>> ------------------------------
>>> Type: Status Report
>>> Message: /cas/login
>>> Description: The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
>>> ------------------------------
>>> Apache Tomcat/9.0.7
>>>
>>> What did I break LOL
>>>
>>> Thank gods, I made a snapshot
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a583b953-6589-40a2-a967-919c9dfca886%40apereo.org.
>>
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a32cb4a3-5382-4f5e-a933-de38268b3d12%40apereo.org.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPJV4r4cQGZz4FspGfgc5zGTU6KYR6D0C6uQ1H-7nnmBA%40mail.gmail.com.
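A way to read the quoted catalina.out excerpt mechanically, as an added example (not code from the thread, from CAS or from ldaptive): it pulls out the dnFormat, the DN that was actually bound, and the Active Directory sub-code carried in the "80090308 ... data 52e" error string, and applies a heuristic that a DN with no ou= or cn=Users component is unlikely to be a real AD user DN. The sub-code table is AD's documented set and is independent of CAS; the sample log lines are constructed from the ones quoted above, and no LDAP connection is made.

```python
"""Diagnose a CAS / ldaptive simple-bind failure against Active Directory
from log text alone. Added example: not code from the thread, CAS or
ldaptive, and it opens no LDAP connection. SAMPLE_LOG is constructed from
the lines quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sub-codes AD returns after "data" in an 80090308 AcceptSecurityContext
# error. These are AD's own values, independent of CAS.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN does not exist)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

FORMAT_DN_RE = re.compile(r"Formatting DN for (\S+) with (\S+)>")
FAILED_DN_RE = re.compile(r"Authentication failed for dn: (\S+?)>")
AD_ERR_RE = re.compile(
    r"LDAP: error code (\d+) - 80090308: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: AcceptSecurityContext error, data ([0-9a-fA-F]+), v[0-9a-fA-F]+"
)
ANY_ERR_RE = re.compile(r"LDAP: error code (\d+)")

# Constructed sample: the three decisive records from the thread, unwrapped.
SAMPLE_LOG = """\
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[... resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] ...>
"""


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514 escapes a literal comma as '\\,')."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def looks_like_ad_user_dn(dn: str) -> bool:
    """Heuristic, not a rule: AD user objects normally sit in cn=Users or in an
    OU under the domain, so a DN whose only non-leaf components are dc= is
    suspicious. It cannot tell whether the leaf cn is the display name (AD's
    usual cn) or a login name; only a directory lookup can."""
    rdns = [r.lower() for r in split_rdns(dn)]
    return any(r.startswith("ou=") or r == "cn=users" for r in rdns[1:])


@dataclass
class BindDiagnosis:
    user: Optional[str] = None
    dn_format: Optional[str] = None
    attempted_dn: Optional[str] = None
    ldap_result_code: Optional[int] = None
    ad_subcode: Optional[str] = None
    meaning: Optional[str] = None
    dn_looks_like_ad: bool = False


def diagnose(log_text: str) -> BindDiagnosis:
    """Pull the bind DN and the AD sub-code out of a CAS DEBUG log excerpt."""
    d = BindDiagnosis()
    m = FORMAT_DN_RE.search(log_text)
    if m:
        d.user, d.dn_format = m.group(1), m.group(2)
    m = FAILED_DN_RE.search(log_text)
    if m:
        d.attempted_dn = m.group(1)
    elif d.user and d.dn_format:
        # No explicit failure record: reproduce what FormatDnResolver built.
        d.attempted_dn = d.dn_format.replace("%s", d.user)
    m = AD_ERR_RE.search(log_text)
    if m:
        d.ldap_result_code = int(m.group(1))
        d.ad_subcode = m.group(2).lower()
        d.meaning = AD_SUBCODES.get(d.ad_subcode, "unknown AD sub-code")
    else:
        m = ANY_ERR_RE.search(log_text)
        if m:
            d.ldap_result_code = int(m.group(1))  # non-AD server or other error
    if d.attempted_dn:
        d.dn_looks_like_ad = looks_like_ad_user_dn(d.attempted_dn)
    return d


def explain(d: BindDiagnosis) -> str:
    """Turn a diagnosis into the advice a reviewer of this log would give."""
    parts = []
    if d.attempted_dn:
        parts.append(f"bound as {d.attempted_dn}")
    if d.ad_subcode:
        parts.append(f"AD sub-code {d.ad_subcode}: {d.meaning}")
    elif d.ldap_result_code is not None:
        parts.append(f"LDAP result code {d.ldap_result_code} (no AD sub-code present)")
    if d.ad_subcode == "52e" and not d.dn_looks_like_ad:
        parts.append("52e plus a DN with no ou=/cn=Users container: check the DN "
                     "(or bind by userPrincipalName) before suspecting the password")
    return "; ".join(parts)


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Two caveats worth keeping in mind when reading a 52e. AD returns it for a wrong password, but in its default configuration also for a bind DN that does not exist, so the failure in the thread does not prove the password was wrong; it is equally consistent with there being no object at cn=jennifer.lavoie directly under the domain root, which is what the heuristic flags. The reliable check is the one Dave suggests, done from the CAS host with the cas5 service account, for example: ldapsearch -H ldaps://boydendc-prd.campus.bridgew.edu:636 -D 'cn=cas5,ou=Users,dc=campus,dc=bridgew,dc=edu' -W -b dc=campus,dc=bridgew,dc=edu '(sAMAccountName=jennifer.lavoie)' dn. In AD the cn of a user is normally the display name rather than the sAMAccountName, so a cn=%s dnFormat rarely works; AD also accepts a simple bind with the userPrincipalName, so a dnFormat of the shape %[email protected] (an assumption here; the real UPN suffix must be confirmed in the directory) avoids guessing the DN at all.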
