4 Replies Latest reply on Nov 7, 2008 11:12 PM by 843793

    Active Directory Error(error code 53 - 0000001F)

    843793
      Hello,

      We got a webapp writing to AD, that is throwing the following error:
      Root exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
      We are using 'unicodePwd', ssl is enabled and the account that is writing to AD is domain administrator account. Also, our webapp is on a different domain(Linux) than Active Directory, though this has not caused us problems in the past.

      Our previous version of the code was working, and the only change made in the code is that we allow dot(.) character in the user name. However, the test case that failed does not have a dot(.) in the user name.

      Any ideas? I haven't found anything on google that helped
        • 1. Re: Active Directory Error(error code 53 - 0000001F)
          800477
Can you explain what you mean by "your webapp is on a different domain (Linux) than Active Directory"?

          When you use the terms "unicodePwd" and "ssl" I assume you are resetting or changing the password ?

          Is the encoding of the new password correct ? For example,
{code}
// Replace the "unicodePwd" attribute with a new value
String newPassword = "Secret";
// Password must be both Unicode (UTF-16LE) and a quoted string
String newQuotedPassword = "\"" + newPassword + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
{code}

Is the strength of the SSL encryption key sufficient? AD will not support password reset operations over SSL connections that use weak encryption keys.
          • 2. Re: Active Directory Error(error code 53 - 0000001F)
            843793
            Sorry, I should have been clearer.

            I mentioned the different domains, because of this link http://forum.springframework.org/showthread.php?p=200391

            When we create a user, the user is not only created in the database but also in AD and this creation in AD fails. There is no resetting or changing the password -- the creation of user fails. This was never a problem previously. The call that fails is ctx.createSubcontext (dn, ats);
            • 3. Re: Active Directory Error(error code 53 - 0000001F)
              800477
              Let me try to understand this.
              ctx.createSubcontext (dn, ats); 
              used to work, but now you've moved the web application somewhere else, and now it doesn't work ?

              Well the obvious question is what exactly have you changed ? What is the difference between when it used to work and now ?

              You mention something about a Linux domain, and to be honest I have no idea what you mean. Is your Web Application server now residing in a different domain ?

              How exactly are you creating the user in Active Directory ? (What attributes, Does the password meet the complexity requirements,Is it performed over a secure connection such as SSL or TLS ?)
              • 4. Re: Active Directory Error(error code 53 - 0000001F)
                843793
                used to work, but now you've moved the web application somewhere else, and now it doesn't work ?
                Well the obvious question is what exactly have you changed ? What is the difference between when it used to work and now ?

                -- Not much has changed! (I can't debug the code that actually makes the call, all I have is a jar by another group that does all the "low-level" stuff. ) I know for a fact that we are now allowing the user name to contain a dot character. But, the test case that failed does not contain the dot character. It is possible that other changes have been made, but after scanning a few of the files the code looks the same.
-- Forget the domains part, it's only confusing. My fault for mentioning it.

                Does the password meet the complexity requirements. Is it performed over a secure connection such as SSL or TLS ?
-- Yes, I checked the password policy -- we have disabled most requirements
                -- Yes, I believe so
                -- The attributes
                userAccountControl=66048
                scriptPath=Logon.bat
                ldap.first.name.property=John
                ldap.email.property=test@test.com
                homeDirectory=\\10.10.10.10\Users\b216
                ldap.last.name.property=Smith
                profilePath=\\10.10.10.10\Users\b216
                cn=b216
                I guess I'll have to wait for the developer who wrote the code to help me out, because it seems like something changed in the code below me. Our test cases are the same.
                However, if you do know what this error usually indicates, it could help us solve the problem faster.

                Thanks!
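A worked version of what replies 1 and 4 describe, added here as an example and not code from the thread: the quoted UTF-16LE encoding of unicodePwd, the attribute set listed in reply 4, and the ctx.createSubcontext(dn, ats) call, with a guard that refuses to send unicodePwd over anything but LDAPS, since writing that attribute over a clear-text connection (or with the wrong encoding) is a standard cause of the error 53 / WILL_NOT_PERFORM shown in the question. The host, DNs, service account and the objectClass/sAMAccountName/givenName/sn/mail attribute names are assumptions, not values from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class AdUserCreate {
    // unicodePwd must be the UTF-16LE bytes of the password wrapped in double quotes.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // cn and userAccountControl follow the thread; objectClass, sAMAccountName, givenName,
    // sn and mail are assumed as the LDAP names behind the thread's mapped name/email properties.
    static Attributes buildUserAttributes(String cn, String first, String last, String mail, byte[] pwd) {
        Attributes attrs = new BasicAttributes(true); // ignore attribute-name case
        Attribute oc = new BasicAttribute("objectClass");
        oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("user");
        attrs.put(oc);
        attrs.put("cn", cn);
        attrs.put("sAMAccountName", cn);
        attrs.put("givenName", first);
        attrs.put("sn", last);
        attrs.put("mail", mail);
        attrs.put("unicodePwd", pwd);              // the byte[], never the String
        attrs.put("userAccountControl", "66048");  // NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD, as in the thread
        return attrs;
    }

    public static void main(String[] args) throws NamingException {
        String url = System.getProperty("ad.url", "ldaps://dc.example.test:636"); // placeholder DC
        if (!url.startsWith("ldaps://")) {
            // AD refuses unicodePwd on a clear-text connection with error 53 / WILL_NOT_PERFORM
            throw new IllegalStateException("unicodePwd requires an SSL/TLS (ldaps://) connection");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=svc-provision,CN=Users,DC=example,DC=test"); // placeholder
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("AD_BIND_PASSWORD"));          // from env, not source
        DirContext ctx = new InitialDirContext(env);
        try {
            String dn = "CN=b216,CN=Users,DC=example,DC=test"; // placeholder container
            Attributes ats = buildUserAttributes("b216", "John", "Smith", "test@test.com", encodeUnicodePwd(args[0]));
            ctx.createSubcontext(dn, ats).close();
        } finally {
            ctx.close();
        }
    }
}
```

If the same call still fails with error 53 over LDAPS, the remaining things to verify from the thread are the password policy and whether the library underneath is still passing the quoted UTF-16LE byte[] rather than a String.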