I'm trying to connect to an Azure DB via JDBC using authentication mode ActiveDirectoryServicePrincipal.
Connection string: jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal;
Used Java components:
mssql-jdbc-11.1.1.jre8-preview.jar
msal4j-1.11.3.jar
oauth2-oidc-sdk-9.22.1.jar
json-smart-2.4.7.jar
When trying to connect, the attempt fails with the following error:
2022-04-28 15:23:50 INFO - Connecting to Source Database jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal; ...
2022-04-28 15:23:50 INFO - Connecting to Source JDBC data source jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal; ...
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:51 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:51 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:52 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:52 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:53 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:53 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:54 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:54 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:55 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:55 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:56 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:56 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:57 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:57 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:23:59 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:23:59 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:00 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:00 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:01 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:01 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:02 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:02 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:03 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:03 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:04 DEBUG - SkipCache set to false. Attempting cache lookup
2022-04-28 15:24:04 DEBUG - Cache lookup failed: Token not found in the cache
2022-04-28 15:24:04 ERROR - Error establishing database connection to Source DB (URL: jdbc:sqlserver://xxx.database.windows.net:1433;Database=abcd;Authentication=ActiveDirectoryServicePrincipal;)
com.microsoft.sqlserver.jdbc.SQLServerException: Failed to authenticate the user yyy in Active Directory (Authentication=ActiveDirectoryServicePrincipal). com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:240)
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthTokenPrincipal(SQLServerMSAL4JUtils.java:97)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:5440)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5388)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5275)
at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:305)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:128)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6262)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4880)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:90)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4818)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7601)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3885)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3331)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2923)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2763)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1657)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1063)
at com.synabi.dqnconnect2jdbc.util.DriverShim.connect(DriverShim.java:19)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at com.synabi.dqnconnect2jdbc.Importer.run(Importer.java:484)
at com.synabi.dqnconnect.App.main(App.java:621)
Caused by: java.util.concurrent.ExecutionException: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:238)
... 23 more
Caused by: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:230)
... 23 more
However, when trying to connect using authentication mode SqlPassword, it's working without a problem (different user, of course, but with the same rights). Additionally, the username and password of the Service Principal user works as well when trying to connect using Powershell.
So there seems to be a problem with the JDBC components. Does anyone have any idea how to solve this?
Edit (for clarification): I've read the official documentation (https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication) and followed the described steps to set up the connection.
Are you using simple Java or Spring framework for making the Microsoft SQL connection? In place of the JDBC string, set parameters in the com.microsoft.sqlserver.jdbc.SQLServerDataSource object.
I got a very similar error and in my case it was a missing jar.
Caused by: java.lang.RuntimeException: com/nimbusds/common/contenttype/ContentType
is SQLServerMSAL4JUtils.getCorrectedException's way of swallowing the true cause of the exception:
java.lang.NoClassDefFoundError: com/nimbusds/common/contenttype/ContentType
at com.nimbusds.oauth2.sdk.http.HTTPMessage.setContentType(HTTPMessage.java:98)
at com.nimbusds.oauth2.sdk.http.HTTPRequest.setContentType(HTTPRequest.java:73)
at com.microsoft.aad.msal4j.TokenRequestExecutor.createOauthHttpRequest(TokenRequestExecutor.java:41)
at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:31)
at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:128)
at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63)
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:71)
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:20)
at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.ClassNotFoundException: com.nimbusds.common.contenttype.ContentType
at java.net.URLClassLoader.findClass(URLClassLoader.java:387)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
... 12 more
In this case the class can be found in: content-type-2.2.jar
which is a dependency of oauth2-oidc-sdk.
Related
**> I am getting exception after upgrading oracle11g to oracle19C, using hikari as connection pool and hibernate and spring boot. Please
help.
When using IN query with lower number of value list its working but with large numbers its giving error.
Error Recieved:-**
WARN 2022-05-20 11:56:03,250 [http-nio-8080-exec-3] HikariPool-1 - Connection oracle.jdbc.driver.T4CConnection#40896e8e marked as broken because of SQLSTATE(08006), ErrorCode(17002)java.sql.SQLRecoverableException: IO Error: Connection reset
Caused by: java.net.SocketException: Connection reset
at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186)
at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140)
at oracle.net.ns.Packet.receive(Packet.java:316)
at oracle.net.ns.DataPacket.receive(DataPacket.java:128)
at oracle.net.ns.NetInputStream.getNextPacket(NetInputStream.java:315)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:257)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:177)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:95)
at oracle.jdbc.driver.T4CSocketInputStreamWrapper.readNextPacket(T4CSocketInputStreamWrapper.java:132)
at oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:88)
at oracle.jdbc.driver.T4CMAREngineStream.unmarshalUB1(T4CMAREngineStream.java:395)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:410)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:269)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:655)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:270)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:91)
at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:807)
... 148 common frames omitted
WARN 2022-05-20 11:56:03,251 [http-nio-8080-exec-3] SQL Error: 17002, SQLState: 08006
ERROR 2022-05-20 11:56:03,251 [http-nio-8080-exec-3] IO Error: Connection reset
DEBUG 2022-05-20 11:56:03,251 [HikariPool-1 connection closer] HikariPool-1 - Closing connection oracle.jdbc.driver.T4CConnection#40896e8e: (connection is broken)
ERROR 2022-05-20 11:56:03,252 [http-nio-8080-exec-3] Application exception overridden by rollback exception
org.springframework.dao.DataAccessResourceFailureException: could not extract ResultSet; nested exception is org.hibernate.exception.JDBCConnectionException: could not extract ResultSet
I have a file described in src/resources/database-context.xml
<context:property-placeholder
location="file:#{systemProperties['CONF_DIR']}/environment.properties"
ignore-unresolvable="true"/>
For some reason its not being read, and I get the following error...
14:15:32.454 [main] WARN org.springframework.context.support.ClassPathXmlApplicationContext - Exception encountered during context initialization - cancelling refresh attempt
org.springframework.beans.factory.BeanInitializationException: Could not load properties; nested exception is java.io.FileNotFoundException: \environment.properties (The system cannot find the file specified)
at org.springframework.beans.factory.config.PropertyResourceConfigurer.postProcessBeanFactory(PropertyResourceConfigurer.java:89)
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:265)
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:162)
at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:606)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:462)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:139)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:83)
at com.mizuho.ats.main.LoanAdjust.main(LoanAdjust.java:80)
Caused by: java.io.FileNotFoundException: \environment.properties (The system cannot find the file specified)
But the real reason might an access control issue...
14:15:32.282 [main] DEBUG org.springframework.core.SpringProperties - Could not retrieve system property 'spring.beaninfo.ignore': java.security.AccessControlException: access denied ("java.util.PropertyPermission" "spring.beaninfo.ignore" "read")
14:15:32.298 [main] DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory - Invoking afterPropertiesSet() on bean with name 'org.mybatis.spring.mapper.MapperScannerConfigurer#0'
14:15:32.298 [main] DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory - Finished creating instance of bean 'org.mybatis.spring.mapper.MapperScannerConfigurer#0'
14:15:32.298 [main] DEBUG org.springframework.core.env.StandardEnvironment - Adding [systemProperties] PropertySource with lowest search precedence
14:15:32.298 [main] DEBUG org.springframework.core.SpringProperties - Could not retrieve system property 'spring.getenv.ignore': java.security.AccessControlException: access denied ("java.util.PropertyPermission" "spring.getenv.ignore" "read")
And its failing to read the entries...
14:43:45.274 [main] INFO org.springframework.core.env.StandardEnvironment - Caught AccessControlException when accessing system property [CONF_DIR];
its value will be returned [null]. Reason: access denied ("java.util.PropertyPermission" "CONF_DIR" "read")
Of course, the file exists in the path. And there is a security policy file with the following specification...(may be its not even loading.)
grant {
// Allow everything
permission java.security.AllPermission;
};
The original application was developed in an environment having only JDK 1.7, and I am working on a JDK 1.8 environment, though I have explicity specified 1.7 JDK in the compile settings and 1.7 JRE in the Run Configurations JRE settings.
What might be causing this? Any resolution?
The answer is in creating an entry in your lib/security policy file of your JRE.
Usually for Spring applications, the src/resources policy file will suffice, but for some reason it was not, especially when the logs/other files were going to be read from locations outside the project folders. Its a run time exception.
I have a Spring boot application in version 2.1.2.RELEASE. Once a month or few weeks application crashes without any specific information in logs.
Server where app is deploy is CentOS ver 7, app is launched by a systemd service.
Tried analysing heap dump, no luck, checked logs of postgres, tomcat etc. nothing there.
Stacktrace:
INFO ;read-5;523575402;2019-08-07 17:27:24,714;o.s.i.e.EventDrivenConsumer; Removing {logging-channel-adapter:_org.springframework.integration.errorLogger} as a subscriber to the 'errorChannel' channel
INFO ;read-5;523575418;2019-08-07 17:27:24,730;o.s.i.c.PublishSubscribeChannel; Channel 'application.errorChannel' has 0 subscriber(s).
INFO ;read-5;523575418;2019-08-07 17:27:24,730;o.s.i.e.EventDrivenConsumer; stopped _org.springframework.integration.errorLogger
INFO ;read-5;523575502;2019-08-07 17:27:24,814;o.s.s.c.ThreadPoolTaskScheduler; Shutting down ExecutorService 'taskScheduler'
INFO ;read-5;523575541;2019-08-07 17:27:24,853;o.s.s.c.ThreadPoolTaskExecutor; Shutting down ExecutorService 'applicationTaskExecutor'
INFO ;read-5;523575572;2019-08-07 17:27:24,884;o.s.o.j.LocalContainerEntityManagerFactoryBean; Closing JPA EntityManagerFactory for persistence unit 'default'
INFO ;read-5;523575596;2019-08-07 17:27:24,908;c.z.h.HikariDataSource; HikariPool-1 - Shutdown initiated...
INFO ;read-5;523575631;2019-08-07 17:27:24,943;c.z.h.HikariDataSource; HikariPool-1 - Shutdown completed.
WARN ;exec-8;523575668;2019-08-07 17:27:24,980;c.z.h.p.ProxyConnection; HikariPool-1 - Connection org.postgresql.jdbc.PgConnection#6ff70ea8 marked as broken because of SQLSTATE(08006), ErrorCode(0)
org.postgresql.util.PSQLException: An I/O error occurred while sending to the backend.
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:335)
at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
at com.zaxxer.hikari.pool.ProxyPreparedStatement.executeQuery(ProxyPreparedStatement.java:52)
at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeQuery(HikariProxyPreparedStatement.java)
at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:60)
at org.hibernate.loader.Loader.getResultSet(Loader.java:2173)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1936)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1898)
WARN ;exec-6;523575677;2019-08-07 17:27:24,989;c.z.h.p.ProxyConnection; HikariPool-1 - Connection org.postgresql.jdbc.PgConnection#71c6647 marked as broken because of SQLSTATE(08006), ErrorCode(0)
org.postgresql.util.PSQLException: An I/O error occurred while sending to the backend.
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:335)
at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
at com.zaxxer.hikari.pool.ProxyPreparedStatement.executeQuery(ProxyPreparedStatement.java:52)
at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeQuery(HikariProxyPreparedStatement.java)
WARN ;exec-8;523575721;2019-08-07 17:27:25,033;o.h.e.j.s.SqlExceptionHelper; SQL Error: 0, SQLState: 08006
WARN ;exec-6;523575721;2019-08-07 17:27:25,033;o.h.e.j.s.SqlExceptionHelper; SQL Error: 0, SQLState: 08006
ERROR;exec-8;523575721;2019-08-07 17:27:25,033;o.h.e.j.s.SqlExceptionHelper; An I/O error occurred while sending to the backend.
ERROR;exec-6;523575721;2019-08-07 17:27:25,033;o.h.e.j.s.SqlExceptionHelper; An I/O error occurred while sending to the backend.
INFO ;exec-6;523575885;2019-08-07 17:27:25,197;o.h.e.i.DefaultLoadEventListener; HHH000327: Error performing load command : org.hibernate.exception.JDBCConnectionException: could not extract ResultSet
org.hibernate.exception.JDBCConnectionException: could not extract ResultSet
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113)
Has anyone got idea how can I what might be going on? Last crash was 3, 4 weeks before that.
That type of error happens when the database connection has been lost, which in turn can happen for a whole number of reasons, the most simple one being that it's being restarted after system updates or as part of a scheduled operation.
HikariCP should be able to recover according to the following link (provided that your HikariCP version is recent enough):
https://github.com/brettwooldridge/HikariCP/wiki/Rapid-Recovery
You may need to configure some properties in your pool. The full list of properties is available here:
https://github.com/brettwooldridge/HikariCP
I recommend you configure the following in HikariCP:
connectionTestQuery: will test the connection periodically, dropping dead connections. Use it in conjunction with socketTimeout in your PostgreSQL connection string
leakDetectionThreshold: will help with applications having connection leaks
I am working on a project that re-uses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as IDP.
The integration went pretty smoothly. The only thing I couldn't fix was metadata trust check.
According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html
it's recommended to set metadataTrustCheck to false to skip signature validation
However, I'd like to ask if it's possible to use metadata trust check with Azure.
To recreate, set IDP metadata url to
https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
set metadataTrustCheck to true for WebSecurityConfig#extendedMetadataProvider
and import login.microsoftonline.com SSL cert into samlKeystore.jks
2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
The issue doesn't happen with ssocircle metadata https://idp.ssocircle.com/idp-meta.xml
The certificate used to sign your metadata seems different from the one at login.microsoftonline.com which you imported.
See Signature trust establishment failed for SAML metadata entry
I am using Spring Security and Active Directly for authentication. Below my configuration
registry
.ldapAuthentication()
.ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
.userDnPatterns("cn={0},cn=Users")
.contextSource() .managerDn("cn=Administrator,cn=Users,cn=COMPANY,cn=COM,cn=TN")
.managerPassword("xxxxxxx")
.url("ldap://xxx.xxx.xxx.xxxx:389/cn=COMPANY,cn=COM,cn=TN") ;
When I am trying to connect with a valid user I've got this log:
23:30:49.321 [http-bio-8080-exec-8] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
23:30:49.322 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: ben
23:30:49.344 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:49.345 [http-bio-8080-exec-8] DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:52.371 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Failed to bind as cn=ben,cn=Users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
Sorry, it was a stupid mistake: I used CN instead of DC.