
ActiveDirectoryLdapAuthenticationProvider throws BadCredentialsException if userPrincipalName not equal to sAMAccountName + @domain


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4, 3.2.3
    • Fix Version/s: None
    • Component/s: None
    • Environment:
      Windows (Active Directory)

      Description

      When using the sAMAccountName for authentication via ActiveDirectoryLdapAuthenticationProvider, a BadCredentialsException will be thrown if the userPrincipalName is not the sAMAccountName with @domain post-fixed.

      For example, if the sAMAccountName is "bwayne" but the userPrincipalName is "bruce.wayne@batcave.net", authentication will fail. The createBindPrincipal method assumes the userPrincipalName will be "bwayne@batcave.net" and not "bruce.wayne@batcave.net".

      The code below shows the details of that method:

      ActiveDirectoryLdapAuthenticationProvider.java excerpt
          // Builds the principal used for the LDAP bind from the login name the
          // user typed. If the name already ends with the configured domain it is
          // used as-is; otherwise "@domain" is appended, which only yields the real
          // userPrincipalName when that attribute is sAMAccountName@domain.
          String createBindPrincipal(String username) {
              if (domain == null || username.toLowerCase().endsWith(domain)) {
                  return username;
              }

              return username + "@" + domain;
          }
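      The following is an added, self-contained illustration of the mismatch described above; it is not Spring Security's code. It reproduces the createBindPrincipal logic from the excerpt, runs it against a constructed in-memory stand-in for the directory (no LDAP server is contacted), and compares a lookup keyed on userPrincipalName with a hypothetical lookup keyed on sAMAccountName. The class and method names, the sample accounts and the "agordon" control account are all assumptions made for the example. One practical caveat: Active Directory itself usually accepts sAMAccountName@dnsDomain as an implicit UPN at bind time, so the failure a practitioner should look for is the user search after the bind not finding an entry whose userPrincipalName equals the constructed principal, not the bind itself.

```java
import java.util.Locale;
import java.util.Map;

/**
 * Added illustration (not Spring Security's code). Shows why a bind principal
 * built from a sAMAccountName does not match an account whose
 * userPrincipalName has a different local part, and what a lookup keyed on
 * sAMAccountName returns instead. All directory data below is constructed.
 */
public class BindPrincipalMismatch {

    /** Same logic as the createBindPrincipal excerpt quoted in the issue. */
    static String createBindPrincipal(String username, String domain) {
        if (domain == null || username.toLowerCase(Locale.ROOT).endsWith(domain)) {
            return username;
        }
        return username + "@" + domain;
    }

    /** Recovers the raw login name by dropping an "@domain" suffix, if present. */
    static String localPart(String principal) {
        int at = principal.indexOf('@');
        return at < 0 ? principal : principal.substring(0, at);
    }

    /** Minimal stand-in for the two AD attributes that matter here. */
    static final class Account {
        final String sAMAccountName;
        final String userPrincipalName;
        Account(String sAMAccountName, String userPrincipalName) {
            this.sAMAccountName = sAMAccountName;
            this.userPrincipalName = userPrincipalName;
        }
    }

    /** Constructed sample: "bwayne" is the case from the report, "agordon" a control. */
    static final Map<String, Account> DIRECTORY = Map.of(
            "bwayne", new Account("bwayne", "bruce.wayne@batcave.net"),
            "agordon", new Account("agordon", "agordon@batcave.net"));

    /** Mimics a search filter of the form (userPrincipalName={0}). */
    static Account findByUserPrincipalName(String upn) {
        return DIRECTORY.values().stream()
                .filter(a -> a.userPrincipalName.equalsIgnoreCase(upn))
                .findFirst()
                .orElse(null);
    }

    /** Hypothetical alternative: mimics a search filter of the form (sAMAccountName={1}). */
    static Account findBySamAccountName(String sam) {
        return DIRECTORY.get(sam.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String domain = "batcave.net";
        for (String login : new String[] {"bwayne", "agordon"}) {
            String bind = createBindPrincipal(login, domain);
            boolean upnMatch = findByUserPrincipalName(bind) != null;
            boolean samMatch = findBySamAccountName(localPart(bind)) != null;
            System.out.printf("%-8s bind=%-22s upnMatch=%-5s samMatch=%s%n",
                    login, bind, upnMatch, samMatch);
        }
        // bwayne : bind=bwayne@batcave.net   upnMatch=false samMatch=true
        //          (upnMatch=false is the failure the issue describes)
        // agordon: bind=agordon@batcave.net  upnMatch=true  samMatch=true
        //          (its UPN really is sAMAccountName@domain)
    }
}
```

      Compile and run with `javac BindPrincipalMismatch.java && java BindPrincipalMismatch`. The point of the control account is that the assumption in createBindPrincipal is not wrong in general, only for accounts whose UPN local part was chosen independently of the sAMAccountName; a directory where the two conventions are mixed will authenticate some users and reject others with the same provider configuration.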

              People

              Assignee: Unassigned
              Reporter: mike.solano.developer@gmail.com Michael Solano
              Votes: 4
              Watchers: 9
