Created on 11-15-2020 10:29 PM
Edited on 09-01-2025 11:29 PM
By Jean-Philippe_P
Description
This article explains what the debug log message 'fnbamd_ldap_parse_response-Error 49' means and how to fix it.
When a client authenticates against an LDAP server through FortiGate and cannot access the resource normally, FortiGate captures the error message shown below:
fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
Scope
FortiGate.
Solution
In the fnbamd debug logs, the error message appears when a user attempts to log on via the LDAP server:
[584] fnbamd_ldap_build_dn_search_req-base:'DC=itwea,dc=com' filter:sAMAccountName=xxxxx
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,CN=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,CN=XXX,DC=XXX,DC=com
[52] ldap_dn_list_del_all-Del CN=XXX,CN=XXX,DC=XXX,DC=com
[2821] fnbamd_ldap_result-Result for ldap svr XXX.XXX.XXX.XXX is SUCCESS
[1552] fnbamd_ldap_init-search filter is: sAMAccountName=XXX
[1561] fnbamd_ldap_init-search base is: DC=XXX,dc=com
[584] fnbamd_ldap_build_dn_search_req-base:'DC=XXX,dc=com' filter:sAMAccountName=XXX
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[429] fnbamd_ldap_build_userbind_req-Trying DN ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com '
[196] __ldap_build_bind_req-Binding to ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[852] fnbamd_ldap_send-sending 123 bytes to XXX.XXX.XXX.XXX
[864] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[895] __fnbamd_ldap_read-Read 8
[895] __fnbamd_ldap_read-Read 102
[1075] fnbamd_ldap_recv-Response len: 104, svr: XXX.XXX.XXX.XXX
[756] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[425] fnbamd_ldap_build_userbind_req-No more DN left
[737] __ldap_error-
[726] __ldap_stop-svr 'ad_server'
[52] ldap_dn_list_del_all-Del CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1824141631
[653] destroy_auth_session-delete session 1824141631
'fnbamd_ldap_parse_response-Error 49' means that FortiGate received LDAP error code 49 - Invalid Credentials.
If the remote server is an Active Directory (AD) server, an additional AcceptSecurityContext error is returned, which gives more detail regarding the error.
Below is a summary of AcceptSecurityContext error codes and their meanings:
525 - User not found: This error is returned when an invalid username is provided, indicating that the specified user does not exist in the LDAP directory.
52e - Invalid credentials: It signifies that a valid username is provided, but the supplied password or credentials are incorrect. This error typically prevents other errors from being displayed because authentication cannot proceed without valid credentials.
530 - Not permitted to logon at this time: This error is returned when a valid username and password are supplied during periods when login is restricted. There may be time-based access restrictions in place.
531 - Not permitted to logon from this workstation: Returned when a valid username and password are provided, but the user is restricted from using the workstation from which the login attempt was made. Workstation-based access restrictions are in effect.
532 - Password expired: This error occurs when a valid username is supplied, and the provided password is correct but has expired. The user is required to change their password.
533 - Account disabled: Returned when a valid username and password are provided, but the user's account has been disabled. Authentication is prevented due to the disabled status of the account.
701 - Account expired: This error is returned when a valid username and password are supplied, but the user's account has expired, preventing successful authentication.
773 - User must reset password: If a valid username and password are supplied, this error indicates that the user is required to reset their password immediately before logging in for the first time or after an administrator has reset the password.
775 - Account locked out: This error is returned when a valid username is supplied, but the user's account is locked out due to too many failed login attempts. It is important to note that this error is returned even if the password provided is valid.
These error codes provide specific information about the status of user accounts and authentication attempts in Active Directory-based systems, making it easier for administrators to diagnose and resolve authentication-related issues.
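As an added example (not part of this Fortinet article and not FortiGate code), the following Python helper parses fnbamd debug lines like the ones above, extracts the search filter, the DN that was bound, the LDAP result code and, for Active Directory, the AcceptSecurityContext data code, and turns them into a one-line diagnosis using the code table from this article. The SAMPLE_AD_LOG lines are taken from the debug output above; SAMPLE_GENERIC_LOG is a constructed example of a non-AD directory returning a bare error 49 with no data code. The function, class and pattern names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Meaning of the AcceptSecurityContext "data" codes an Active Directory server
# appends to LDAP error 49, as listed in the article above.
ACCEPT_SECURITY_CONTEXT_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (valid user, wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Patterns for the fnbamd debug lines of interest. The leading "[nnn] " is a
# source line number inside fnbamd and carries no diagnostic meaning.
LINE_PREFIX_RE = re.compile(r"^\[\d+\]\s*")
FILTER_RE = re.compile(r"fnbamd_ldap_init-search filter is:\s*(?P<filter>\S+)")
BIND_RE = re.compile(r"__ldap_build_bind_req-Binding to '\s*(?P<dn>.*?)\s*'")
ERROR_RE = re.compile(r"fnbamd_ldap_parse_response-Error (?P<code>\d+)(?:\((?P<detail>.*)\))?")
DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-fA-F]+)\b")


@dataclass
class BindTriage:
    search_filter: Optional[str] = None   # e.g. sAMAccountName=XXX
    bind_dn: Optional[str] = None         # DN FortiGate tried to bind as (user bind)
    ldap_error: Optional[int] = None      # LDAP result code (49 = invalidCredentials)
    ad_data_code: Optional[str] = None    # AcceptSecurityContext data code, AD only
    diagnosis: str = "no LDAP bind error found in the log"


def _explain(t: BindTriage) -> str:
    """Build a one-line diagnosis from the fields collected during parsing."""
    if t.ldap_error is None:
        return "no LDAP bind error found in the log"
    if t.ldap_error != 49:
        return f"LDAP error {t.ldap_error} on bind as {t.bind_dn!r}; not an invalid-credentials case"
    if t.ad_data_code is None:
        # Non-AD directories return a bare error 49 with no sub-code.
        return (f"LDAP error 49 (invalid credentials) binding as {t.bind_dn!r}; "
                "server gave no AcceptSecurityContext detail, verify the user password "
                "and that the DN found by the search is the intended account")
    meaning = ACCEPT_SECURITY_CONTEXT_DATA.get(t.ad_data_code, "unknown AD data code")
    return (f"LDAP error 49 (invalid credentials) binding as {t.bind_dn!r}; "
            f"AD AcceptSecurityContext data {t.ad_data_code}: {meaning}")


def triage_fnbamd_log(lines: Iterable[str]) -> BindTriage:
    """Walk fnbamd debug output and explain the first LDAP bind error seen."""
    t = BindTriage()
    for raw in lines:
        line = LINE_PREFIX_RE.sub("", raw.strip())
        if m := FILTER_RE.search(line):
            t.search_filter = m.group("filter")
        elif m := BIND_RE.search(line):
            # fnbamd prints the DN with stray spaces inside the quotes; strip them.
            t.bind_dn = m.group("dn")
        elif (m := ERROR_RE.search(line)) and t.ldap_error is None:
            t.ldap_error = int(m.group("code"))
            detail = m.group("detail") or ""
            if d := DATA_RE.search(detail):
                t.ad_data_code = d.group("data").lower()
    t.diagnosis = _explain(t)
    return t


# Sample input: the relevant lines of the debug output shown in the article,
# with the XXX placeholders left exactly as printed there.
SAMPLE_AD_LOG = """\
[1552] fnbamd_ldap_init-search filter is: sAMAccountName=XXX
[1561] fnbamd_ldap_init-search base is: DC=XXX,dc=com
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[196] __ldap_build_bind_req-Binding to ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[756] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
""".splitlines()

# Constructed lines (not from the article): a non-AD directory returning bare error 49.
SAMPLE_GENERIC_LOG = [
    "[196] __ldap_build_bind_req-Binding to 'uid=jdoe,ou=people,dc=example,dc=com'",
    "[778] fnbamd_ldap_parse_response-Error 49",
]

if __name__ == "__main__":
    for log in (SAMPLE_AD_LOG, SAMPLE_GENERIC_LOG):
        print(triage_fnbamd_log(log).diagnosis)
```

The helper only reports the first error in a capture, which matches how fnbamd behaves here: after the failed user bind it prints 'No more DN left' and tears the session down, so later lines add nothing. Feeding it a saved fnbamd debug capture separates the two questions an administrator needs answered: whether the search found the expected DN at all, and why the bind as that DN was refused.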
If addressing this on the LDAP server does not resolve the issue, the LDAP service may need to be restarted on the remote server side.
See Technical Tip: LDAP authentication error: 'AcceptSecurityContext'.
Note:
If the username was changed on the LDAP server, the debug output may still show 'fnbamd_ldap_parse_response-Error 49'. In that case the user can still access the resource (RDP/server) directly with their credentials, but FortiGate-related authentication fails.
Check whether the modified username has been applied properly on the LDAP server. For example, if the original username is 'John' and the LDAP administrator changes the name 'John' to 'JohnA' along with the display name, the change may not be reflected on the LDAP server.
In 'Active Directory Users and Computers', under the OU, LDAP still presents the previous username 'John'. This causes LDAP authentication from FortiGate to fail.
Solution:
Instead of changing the username in the user's properties tab, right-click the user name on the LDAP server and choose 'Rename'. Then sign in again; authentication should work as expected.
Reference.
Account information confirmation commands (on the AD server):
dsquery user -name [admin full user name]
dsquery user -samid [admin login name]
Check the admin password (FortiGate CLI):
diagnose test authserver ldap [server name] [user] [password]