By Luz Mestre-Oracle on Feb 26, 2014
After added Active Directory Provider, Users and Groups are listed in Admin Console:
Security Realms -> My Realm -> Users and Groups.
When attempting to login to an application that is using the users, the login is being denied, and you might not see any clues in weblogic server logs.
If you enable Atn debug, the following is observed in server log:
<Debug> <SecurityAtn> <MyDomain> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)' for workmanager: consoleapp@null@consoleWorkManager> <<WLS Kernel>> <> <593625378f0917fe:-23dcaa48:143ea3e7180:-8000-0000000000000400> <1391205135889> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate failed for user MyUser>
This can occur when default authenticator is selected as REQUIRED by default. So the login process is denied by the default authenticator due to it is not aware of users in Active Directory.
So, to fix the issue
1. Go to Admin Console > Security Realms > <Your Realm> >Providers.
2. Make Active Directory provider is in the top of the list and set Control Flag SUFFICIENT.
3. Make default authenticator Control Flag is set to OPTIONAL.
You can read more in this My Oracle Support document:
How to Configure Active Directory as the LDAP Provider for WebLogic Server (Doc ID 1299072.1)