Openfire returning error when using userPrincipalName


I’m trying to configure OpenFire to use Active Directory and everything works fine until I select userPrincipalName for

User Mapping. Then I’m getting following error:


Problem accessing /user-summary.jsp. Reason:

Existing at-character at the first character of the string indicates that an empty node part

is provided. This is illegal. Offending value: ‘

Caused by:

java.lang.IllegalArgumentException: Existing at-character at the first character of the string

indicates that an empty node part is provided. This is illegal. Offending value: ‘

at org.xmpp.packet.JID.getParts(

at org.xmpp.packet.JID.(

at org.jivesoftware.openfire.ldap.LdapUserProvider.loadUser( 97)

at org.jivesoftware.openfire.user.UserManager.getUser(

at org.jivesoftware.openfire.user.UserCollection$UserIterator.getNextElement


at org.jivesoftware.openfire.user.UserCollection$UserIterator.hasNext


at org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService


at org.apache.jasper.runtime.HttpJspBase.service(

at javax.servlet.http.HttpServlet.service(

at org.eclipse.jetty.servlet.ServletHolder.handle(

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage( 8)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at org.jivesoftware.util.LocaleFilter.doFilter(

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter


at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at org.jivesoftware.admin.PluginFilter.doFilter(

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at org.jivesoftware.admin.AuthCheckFilter.doFilter(

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter


at org.eclipse.jetty.servlet.ServletHandler.doHandle(

at org.eclipse.jetty.server.handler.ScopedHandler.handle(


at org.eclipse.jetty.server.session.SessionHandler.doHandle( 7)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle( 1)

at org.eclipse.jetty.servlet.ServletHandler.doScope(

at org.eclipse.jetty.server.session.SessionHandler.doScope( )

at org.eclipse.jetty.server.handler.ContextHandler.doScope( )

at org.eclipse.jetty.server.handler.ScopedHandler.handle(

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle


at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:149)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(

at org.eclipse.jetty.server.Server.handle(

at org.eclipse.jetty.server.HttpConnection.handleRequest(

at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete


at org.eclipse.jetty.http.HttpParser.parseNext(

at org.eclipse.jetty.http.HttpParser.parseAvailable(

at org.eclipse.jetty.server.AsyncHttpConnection.handle( )

at a:586)

at$ :44)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob( )

at org.eclipse.jetty.util.thread.QueuedThreadPool$

at Source)

Powered by Jetty://

When I use sAMAccountName for user searches it works just fine, but the problem is, that for our

forest it is not a suitable solution. There are users (myself included) that have same user account name

in different domains (like and and then OpenFire will not find


Any ideas what this error means and where is it coming from ? Unfortunatelly I’m not skilled in java

so I’m not quite sure what could be wrong with this domain :confused:



Did you solve this?

I am having the same problem.

I cannot configure UPN or Mail to be the User Mapping. It only appears to work if I use sAMAccountName.

I’ve tried userPrincipalName and Mail, but it errors with


Problem accessing /setup/setup-admin-settings.jsp. Reason:

Server Error

Caused by:

java.lang.IllegalArgumentException: Illegal JID:

The reason you can’t use serPrincipalName and Mail, is because it adds an ‘@’ to the jid, the JID can only have the single ‘@’. You could always use a custom/unused AD attribute…but then you would have to create add the info manually. IF your running exchange, and if your exchange aliases are different for every user, you could use that. If I recall, I think its mailNickname.

Cool thanks, that makes sense now.

Any chance you happen to know how to exclude certain users/groups from showing up? I have filtered down to OU but there’s all these groups showing up and also account names in the shared group I created that shouldn’t be in contacts list.

Is the only way to remove those to move the accounts to a different OU?


this should point you in the right direction

How to Setup Authentication Groups with LDAP/AD