Overview
This article addresses login failures when attempting to authenticate through an Auth0 Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) connection. The failure is indicated by the following error messages:
- In the Auth0 tenant logs, a fu event (Failed Login - invalid email/username) appears:
{
"date": "2025-04-03T21:00:12.345Z",
"type": "fu",
"description": "Wrong email or password.",
"connection": "My-Connection",
"connection_id": "con_redacted",
"client_id": "REDACTED",
"client_name": "My App",
// other fields omitted
}
- In the AD/LDAP connector log, the error Authentication attempt failed. Reason: wrong username is logged:
2025-04-03T21:00:12.345Z - debug: [2025-04-03 21:00:12] user user@example.com: Starting authentication attempt.
2025-04-03T21:00:12.345Z - debug: [2025-04-03 21:00:12] user user@example.com: Authentication attempt failed. Reason: wrong username
Applies To
- AD/LDAP connector
- AD/LDAP connection
Cause
The root cause of this login failure is a mismatch between the LDAP_USER_BY_NAME configuration setting in the AD/LDAP connector’s config.json file and the actual attribute name used to store the login username in the target AD/LDAP directory.
The LDAP_USER_BY_NAME setting defines the search filter used by the connector to locate a user during authentication. For example, the default value is (sAMAccountName={0}). If a user attempts to log in with the username “johndoe”, the connector searches the directory using the filter sAMAccountName=johndoe. However, if the usernames in the directory are stored under a different attribute (e.g., userPrincipalName or cn), the connector cannot find the user, resulting in the “wrong username” error, even if the entered username is correct.
See more details in the ad-ldap-connector README.md.
Solution
To resolve this issue, update the LDAP_USER_BY_NAME setting in the AD/LDAP connector’s config.json file to match the attribute used for usernames in the specific AD/LDAP directory.
1. Identify the correct attribute name used for storing user login names in the target AD/LDAP directory (e.g., sAMAccountName, userPrincipalName, cn).
2. Locate and open the config.json file for the affected AD/LDAP connector instance.
3. Find the LDAP_USER_BY_NAME configuration key within the file.
4. Modify the value of LDAP_USER_BY_NAME to use the correct attribute identified in Step 1. For example, if the correct attribute is userPrincipalName, change the setting to (userPrincipalName={0}).
5. Save the changes to the config.json file.
6. Restart the AD/LDAP Connector service (the Auth0 ADLDAP service in Windows).