LDAP Error Code 49 with Microsoft Active Directory prevents normal TIBCO Spotfire Server operation.

LDAP Error Code 49 with Microsoft Active Directory prevents normal TIBCO Spotfire Server operation.

When the TIBCO Spotfire Server is configured to use LDAP with Microsoft Active Directory for either its User Directory or Authentication, an LDAP Error Code 49 may be encountered which will prevent proper operation of the TIBCO Spotfire Server. There can be various causes associated with this error and is determined based upon the 'data' value in the error message.
 

The LDAP error code 49 will be generated in the server.log file. Example:

==========================================

ERROR 2014-12-05T09:49:01,283-0500 [*Initialization*] web.context.ContextLoader: Context initialization failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ldapConfigFactory' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.spotfire.server.ldap.LdapConfigFactory]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Error initializing run-time properties for LDAP configuration 'myLDAPconfiguration'

...

Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.spotfire.server.ldap.LdapConfigFactory]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Error initializing run-time properties for LDAP configuration 'myLDAPconfiguration'

...

Caused by: com.spotfire.server.ServerInitializationException: Error initializing run-time properties for LDAP configuration 'myLDAPconfiguration'

...

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

==========================================

 

This may be seen a few different ways:

• TIBCO Spotfire Server will not start.
  Browsing to the server 'Welcome Page' like 'http://mySpotfireServer/spotfire' will not show the server but will instead show, 'This page can’t be displayed' or other missing page text (browser dependent).
• User Directory will not update.
  If the server is running but the password has expired, then if changes have been made to the directory in Active Directory (user and/or groups are added or removed) then the changes may not be reflected in Spotfire. For example, a new user will not be seen in the Spotfire User Directory.
• Login fails.
  Logging into the TIBCO Spotfire Server either via the web page, Professional or Web Player clients will fail.

The key portion of the error message is the javax.naming.AuthenticationException in brackets. Example:

• [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

The AD-specific error code after the 'data' word ('52e' in the above example) is the actual error string returned to the binding process and will provide an explicit reason for the failure;

• 525 user not found 
  Description: Returns when username is invalid.
• 52e invalid credentials 
  Description: Logon failure: unknown user name or bad password. Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
• 530 not permitted to logon at this time
  Description: Logon failure: account logon time restriction violation. Returns only when presented with valid username and password/credential.
• 531 not permitted to logon at this workstation
  Description: Logon failure: user not allowed to log on to this computer. Returns only when presented with valid username and password/credential.
• 532 password expired 
  Description: Logon failure: the specified account password has expired.  Returns only when presented with valid username and password/credential.
• 533 account disabled 
  Description: Logon failure: account currently disabled. Returns only when presented with valid username and password/credential.
• 701 account expired 
  Description: The user's account has expired. Returns only when presented with valid username and password/credential.
• 773 user must reset password 
  Description: The user's password must be changed before logging on the first time. Returns only when presented with valid username and password/credential.
• 775 user account locked
  Description: The referenced account is currently locked out and may not be logged on to. Returns even if invalid password is presented

 

Verify that the credentials specified in the LDAP configuration are valid, not locked out, and that you can log in with them to the LDAP server. Use the 'data' error code to provide insight into exactly what is not working with the account.

 

Here are the resolution steps once the account is confirmed to be working:

1. Open Spotfire configuration tool Start > Programs > TIBCO Spotfire Server X.X > Configure TIBCO Spotfire Server .
2. Enter the configuration tool password to unlock configuration.
3. On the 'Configuration' tab, click 'User Directory: LDAP'.
4. Update the 'LDAP Username' and 'LDAP Password' (after it is verified that these credentials are valid, not locked out, and that you can log in with them).
5. Save the configuration to the database.
6. Restart the TIBCO Spotfire Serve service.

For cases where the directory service is not Microsoft Active Directory, similar errors may be encountered. The specific error codes for that directory server can be used to identify any error codes seen in the Spotfire logs.