Hi,
We’ve observed an issue in Keycloak v26.4.0 where the Active Directory (AD) bind account gets locked out, even though the credentials are correct. This occurs when we change the LDAP connection URL in the Keycloak Admin Console and run a connection test without saving the change first.
In this scenario, Active Directory is reporting that Keycloak has provided invalid bind credentials even though the username and password are correct, resulting in repeated failed bind attempts. Due to AD security policies, these failed attempts eventually trigger an account lockout.
However, if we save the updated connection URL before running the test, the authentication succeeds without issue.
We are seeing the following error in the logs:
KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v4f7c]
Is anyone able to confirm if this is expected behavior? If so, is there any documentation that explains why the test uses unsaved configuration and how this leads to bind failures?
Many thanks in advance.
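Added example for triaging this kind of report (not part of the original post and not Keycloak's own code): a small Python script that parses KC-SERVICES0055 lines of the form quoted above, maps the Active Directory `data` sub-code that follows error code 49 to its meaning, and tells a run of 52e (bad credentials) apart from a 775 (account locked out). The sample log lines, their timestamps, and the lockout threshold are constructed assumptions; the sub-code meanings are the standard AD values.

```python
import re
from collections import Counter

# Meaning of the AD "data NNN" sub-code that follows LDAP error code 49
# (invalidCredentials). These sub-codes are Active Directory specific.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password or wrong bind DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bracketed LDAP diagnostic inside a KC-SERVICES0055 log line.
_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

# Constructed sample excerpt (assumed timestamps and logger name); the bracketed
# diagnostic follows the format of the line quoted in the question.
SAMPLE_LOG = """\
2025-10-01T10:00:01Z WARN [org.keycloak.storage.ldap.LDAPStorageProvider] KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v4f7c]
2025-10-01T10:00:02Z INFO [org.keycloak.services] KC-SERVICES0100: Unrelated informational line
2025-10-01T10:00:03Z WARN [org.keycloak.storage.ldap.LDAPStorageProvider] KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v4f7c]
2025-10-01T10:00:04Z WARN [org.keycloak.storage.ldap.LDAPStorageProvider] KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v4f7c]
2025-10-01T10:00:05Z WARN [org.keycloak.storage.ldap.LDAPStorageProvider] KC-SERVICES0055: Error when authenticating to LDAP: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 775, v4f7c]
"""


def parse_bind_error(line):
    """Return a dict describing the LDAP bind failure in `line`, or None."""
    if "KC-SERVICES0055" not in line:
        return None
    m = _LDAP_ERR.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "error_code": int(m.group("code")),
        "hresult": m.group("hresult"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def summarize(log_text):
    """Count error-49 bind failures per AD sub-code across a log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_bind_error(line)
        if ev and ev["error_code"] == 49:
            counts[ev["data"]] += 1
    return counts


def triage(counts, lockout_threshold=5):
    """Explain what the failure pattern means for the bind account.

    `lockout_threshold` is an assumed value; use the domain's actual
    "Account lockout threshold" policy setting.
    """
    if counts.get("775", 0):
        return "account is locked out; unlock it in AD before retrying the bind"
    bad = counts.get("52e", 0)
    if bad >= lockout_threshold:
        return f"{bad} bad-credential binds, at or above the lockout threshold of {lockout_threshold}"
    if bad:
        return f"{bad} bad-credential binds, below the lockout threshold of {lockout_threshold}"
    return "no credential-related bind failures"


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for code, n in counts.items():
        print(f"data {code}: {n} x {AD_BIND_SUBCODES.get(code, 'unknown')}")
    print(triage(counts, lockout_threshold=3))
```

Reading the sub-code rather than just "error code 49" matters because AD returns 49 for every bind rejection: three 52e entries followed by a 775 is the signature of a client retrying a wrong credential until the lockout policy fires, which is a different fix (stop the retrying client, then unlock) from a single 52e (check the bind DN and password).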