FortiGate
ycho (Staff)
Description
This article describes what the debug log means when 'fnbamd_ldap_parse_response-Error 49' appears, and how to resolve it.

When a client authenticates against the LDAP server through FortiGate, FortiGate captures the error message below and the login does not succeed.
fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)

Solution
In the fnbamd debug logs, the error message appears when the user attempts to log on via the LDAP server.
[584] fnbamd_ldap_build_dn_search_req-base:'DC=itwea,dc=com' filter:sAMAccountName=xxxxx
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,CN=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,CN=XXX,DC=XXX,DC=com
[52] ldap_dn_list_del_all-Del CN=XXX,CN=XXX,DC=XXX,DC=com
[2821] fnbamd_ldap_result-Result for ldap svr XXX.XXX.XXX.XXX is SUCCESS

[1552] fnbamd_ldap_init-search filter is: sAMAccountName=XXX
[1561] fnbamd_ldap_init-search base is: DC=XXX,dc=com
[584] fnbamd_ldap_build_dn_search_req-base:'DC=XXX,dc=com' filter:sAMAccountName=XXX
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[429] fnbamd_ldap_build_userbind_req-Trying DN ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com '
[196] __ldap_build_bind_req-Binding to ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[852] fnbamd_ldap_send-sending 123 bytes to XXX.XXX.XXX.XXX
[864] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[895] __fnbamd_ldap_read-Read 8
[895] __fnbamd_ldap_read-Read 102
[1075] fnbamd_ldap_recv-Response len: 104, svr: XXX.XXX.XXX.XXX
[756] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[425] fnbamd_ldap_build_userbind_req-No more DN left
[737] __ldap_error-
[726] __ldap_stop-svr 'ad_server'
[52] ldap_dn_list_del_all-Del CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1824141631
[653] destroy_auth_session-delete session 1824141631

'fnbamd_ldap_parse_response-Error 49' means Invalid credentials (49).
LDAP result codes indicate that an operation went wrong, and there are many of them. Here the result code is accompanied by an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid.

This is the AD equivalent of LDAP error code 49 (49 / 525).

In summary, the error is not a FortiGate problem; it is returned because the user's account information registered in LDAP was incorrect.
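As an added example (not part of the original article or Fortinet's tooling), the following Python script parses fnbamd debug lines like the ones above, extracts the LDAP result code and the Active Directory 'data' sub-code, and says who needs to act. It goes beyond the article by also mapping the other common AD sub-codes (530, 531, 532, 533, 701, 773, 775) alongside 525 and 52e; the sample log lines are constructed, modelled on the article's output.

```python
import re

# Constructed sample fnbamd debug lines, modelled on the article's output (not a real capture).
SAMPLE_LOG = """\
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 775, v4563)
"""

# Active Directory sub-codes carried in the "data" field of a result-49 bind failure.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for a valid username)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The AD-specific part is optional so a server returning a bare LDAP result code still parses.
ERROR_RE = re.compile(
    r"fnbamd_ldap_parse_response-Error (?P<code>\d+)"
    r"(?:\(.*?comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+))?"
)

def parse_fnbamd_errors(log_text):
    """Return one dict per 'Error NN' line with the LDAP result code and, if present, the AD sub-code."""
    findings = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        data = (m.group("data") or "").lower() or None
        findings.append({"ldap_result": int(m.group("code")), "comment": m.group("comment"),
                         "ad_data": data, "meaning": AD_DATA_CODES.get(data, "unknown AD sub-code") if data else None})
    return findings

def triage(finding):
    """Say who has to act: whoever checks the credentials, or an AD admin fixing account state."""
    if finding["ldap_result"] != 49:
        return "not a credential failure; look up LDAP result code %d" % finding["ldap_result"]
    if finding["ad_data"] in ("525", "52e"):
        return "verify the username and password (dsquery user -samid / -name on the DC)"
    if finding["ad_data"] in AD_DATA_CODES:
        return "account state problem on the domain controller: " + AD_DATA_CODES[finding["ad_data"]]
    return "invalid credentials (49) with no AD sub-code; verify the bind DN and password"
```

Feed it the output of the fnbamd debug session; each finding's triage string tells you whether to re-check the credentials or to look at the account on the domain controller.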

Reference

Account information confirmation commands:
#dsquery user -name [admin full user name]
#dsquery user -samid [admin login name]
#check the admin password
# diagnose test authserver ldap [server name] [user] [password]