Some A/D Users not able to log in

I am running Openfire 3.5.0 on Windows 2003 (issue happened on previous 3. releases as well).

Some users are unable to log in; they get kicked out with unknown username or password. When I look them up in a user search, the system cannot find the user. When I browse to a group they are a member of, they show up just fine; however, they have a red asterisk by their name which says at the bottom:

"Note: Remote users or entities should accept presence subscriptions automatically."

This all seemed to have started a few months ago, but I didn’t hear about it until recently.

Any suggestions would be great as I’m not really seeing anything in the logs that points me in the right direction.

Do the users have any characters in their usernames that are not numbers or letters? Have the users been moved outside your BaseDN or user search filter?

No, there is nothing unusual about the usernames, nor have they been moved out of the base DN that I can tell. We have one group in A/D that lists all employees, and only those with the * next to them are unable to log in. The only thing out of the ordinary that I can tell is that the group that all these people are in is called “Sales / Marketing” - and I didn’t know if the slash made a difference or not.

I changed the A/D group to not have a slash, and nothing seems to have changed. I am really confused here! Any help would be appreciated.

I would say that you may need to turn on your debug logs on the server. Clear all your logs and then have one of those users attempt to log in. Post the resulting error. Before you clear the logs, are there any errors already present?

This is what I got in my debug log, hopefully it helps:

2008.04.15 11:56:22 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“Veronica Yager”,OU=“3t Sales & Marketing”,OU=“3t Systems”,OU=“Big Tree Inc.”…
2008.04.15 11:56:22 LdapManager: Created context values, attempting to create context…
2008.04.15 11:56:22 LdapManager: Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at<init>(Unknown Source)
    at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication( :463)
    at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:111)
    at org.jivesoftware.openfire.auth.AuthFactory.authenticate(
    at va:86)
    at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerP
    at :230)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl
    at$TailFilter.messageReceived (
    at$EntryImpl$1.messageReceived(
    at org.apache.mina.common.IoFilterAdapter.messageReceived(
    at$EntryImpl$1.messageReceived(
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF
    at$EntryImpl$1.messageReceived(
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent( :239)
    at org.apache.mina.filter.executor.ExecutorFilter$
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$ Source)
    at Source)
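
Added example, not part of the thread and not Openfire code: in an Active Directory LDAP error 49, the hex value after `data` is the sub-code that says why the bind was refused (`52e` is "user name or password incorrect"). The sketch below pairs each such failure in an Openfire debug log with the `userDN` logged just before it; the function name, the sample DNs and the sample log lines are constructed for illustration.

```python
import re

# Sub-codes Active Directory reports in the "data" field of an LDAP
# error 49 bind failure (hex Win32 error numbers).
AD_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (user name or password incorrect)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Line shapes taken from the debug log in the post above.
USER_DN = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LdapManager: .*userDN is: (.+)$")
BIND_ERR = re.compile(r"LDAP: error code 49\b.*?AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def triage(lines):
    """Pair each AD bind failure with the userDN logged just before it."""
    findings, pending = [], (None, None)
    for raw in lines:
        line = raw.strip()
        m = USER_DN.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = BIND_ERR.search(line)
        if m:
            sub = int(m.group(1), 16)
            findings.append({"time": pending[0], "user_dn": pending[1],
                             "sub_code": format(sub, "x"),
                             "meaning": AD_SUBCODES.get(sub, "unrecognized sub-code")})
            pending = (None, None)  # a failure with no preceding userDN stays unattributed
    return findings

# Constructed sample log (hypothetical users); the last failure has no userDN line.
SAMPLE_LOG = """\
2008.04.15 11:56:22 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=Example User,OU=Sales,DC=example,DC=com
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
2008.04.15 11:57:03 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=Other User,OU=Sales,DC=example,DC=com
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 533, vece
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```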