FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
salmas
Staff
Article Id 330080
Description

This article describes an LDAP authentication failure that occurs even when the user credentials are valid.

Scope

FortiGate.
Solution

An LDAP server has been configured on the firewall as per the following article: Technical Tip: How to configure FortiGate to use an LDAP server

 

Sometimes, users are not able to log in to an SSL VPN that uses this LDAP server to authenticate them. The failure is caused by LDAP authentication.

 

Debugs:

 

fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-XXXXXX, comment: AcceptSecurityContext error, data XXX, vXXXX)

 

This error is returned by the LDAP server itself: the server is rejecting something in the bind request.

Even if the user credentials are tested from the FortiGate LDAP GUI page, the test returns 'invalid credentials', and the debugs show the message above.

 


 

A packet capture of the exchange shows the bind response as follows:


LDAPMessage bindResponse(3) invalidCredentials (80090308: LdapErr: DSID- XXXXX, comment: AcceptSecurityContext error, data XXX, vXXX)
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: invalidCredentials (49)
                matchedDN: 
                errorMessage: 80090308: LdapErr: DSID-XXXXX, comment: AcceptSecurityContext error, data XXX, vXXXX
        [Response To: 29]
        [Time: 0.111125000 seconds]

 

This issue may occur when the user account has expired on the LDAP server. For more details about this error and the LDAP error codes, see Technical Tip: LDAP Error message ‘fnbamd_ldap_parse_response-Error 49’

 

If the issue persists after reviewing the above article and the LDAP error codes, restart the LDAP server and test again. If the issue still persists, use another bind format for the service account that performs these queries, for example:

 

username\administrator
administrator@domain
cn=administrator,cn=users,dc=domain,dc=com
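The following is an added example (not Fortinet code) that derives the three service-account bind identities listed above from a sAMAccountName and DNS domain, then tries them in order against a bind callable. The bind callable is a stand-in for a real simple bind (for instance ldap3's Connection.bind()); the constructed fake directory here accepts only the UPN form, mirroring the note later in this article. It assumes the first format means the NetBIOS DOMAIN\account form and that the account lives in the default cn=users container; both are assumptions, not facts from the article.

```python
"""Try the service-account bind formats FortiGate can use, in order.

Added example, not Fortinet code. `bind` is a stand-in for a real LDAP simple
bind; the fake directory below is constructed for this demonstration.
"""
from typing import Callable, List, Optional, Tuple

BindFn = Callable[[str, str], Tuple[bool, str]]


def bind_identities(sam_account: str, dns_domain: str,
                    users_container: str = "cn=users") -> List[str]:
    """Return candidate bind identities in the order the article lists them:
    NetBIOS form (assumed), UPN form, distinguished-name form (assumed container)."""
    labels = dns_domain.split(".")
    netbios = labels[0].upper()                       # assumption: NetBIOS name is the first DNS label
    dn_base = ",".join(f"dc={label}" for label in labels)
    return [
        f"{netbios}\\{sam_account}",
        f"{sam_account}@{dns_domain}",
        f"cn={sam_account},{users_container},{dn_base}",
    ]


def fake_ad_bind(identity: str, password: str) -> Tuple[bool, str]:
    """Constructed stand-in for a simple bind against Active Directory.

    Only the UPN form of the constructed service account is accepted; every
    other form receives the AcceptSecurityContext error text seen in the
    article, with data 52e (logon failure)."""
    if identity == "svc-fgt@corp.example.com" and password == "correct-horse":
        return True, ""
    return False, ("80090308: LdapErr: DSID-0C090457, comment: "
                   "AcceptSecurityContext error, data 52e, v3839")


def find_working_identity(identities: List[str], password: str,
                          bind: BindFn) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Attempt each identity until one binds.

    Returns the first identity that succeeded (or None) plus the list of
    (identity, server error text) pairs that failed, so the admin can see
    which formats the directory rejected and with which data subcode."""
    failures: List[Tuple[str, str]] = []
    for identity in identities:
        ok, error_text = bind(identity, password)
        if ok:
            return identity, failures
        failures.append((identity, error_text))
    return None, failures


if __name__ == "__main__":
    candidates = bind_identities("svc-fgt", "corp.example.com")
    working, failed = find_working_identity(candidates, "correct-horse", fake_ad_bind)
    for identity, error_text in failed:
        print(f"rejected: {identity} -> {error_text}")
    print(f"working identity: {working}")
```

In practice, replace fake_ad_bind with a real bind against the directory and record the rejected formats together with the data subcode, because a different subcode for the same password (for example 52e versus 52f) points to an account restriction rather than a wrong identifier.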

 

Another example of this:

 

2025-07-22 11:21:07 [1003] __ldap_rxtx-state 6(User Bind resp)
2025-07-22 11:21:07 [1127] __fnbamd_ldap_read-Read 8
2025-07-22 11:21:07 [1233] fnbamd_ldap_recv-Leftover 2
2025-07-22 11:21:07 [1127] __fnbamd_ldap_read-Read 102
2025-07-22 11:21:07 [1306] fnbamd_ldap_recv-Response len: 104, svr: 10.3.2.25
2025-07-22 11:21:07 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
2025-07-22 11:21:07 [1009] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090457, comment: AcceptSecurityContext error, data 52f, v3839)

 

In this case (data 52f), the user needs to be removed from the protected group on the LDAP server.
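To make triage of these debugs repeatable, here is an added example (not Fortinet code) that parses fnbamd_ldap_parse_response lines, extracts the LDAP result code, the DSID and the Active Directory data subcode, and maps the subcode to its documented meaning. The sample debug text is constructed from the output shown above; the subcode table lists the standard Windows logon error values (52e, 52f, 532, 533, 701, 773, 775 and so on) and the function names are this example's own.

```python
"""Parse fnbamd LDAP bind failures and explain the AD data subcode.

Added example, not Fortinet code. SAMPLE_DEBUG is constructed from the
article's debug output; the subcode table holds standard Windows logon
error values as they appear in AcceptSecurityContext messages.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the second debug excerpt from the article, plus one line
# with the masked placeholders used in the first excerpt.
SAMPLE_DEBUG = """\
2025-07-22 11:21:07 [1003] __ldap_rxtx-state 6(User Bind resp)
2025-07-22 11:21:07 [1127] __fnbamd_ldap_read-Read 8
2025-07-22 11:21:07 [1233] fnbamd_ldap_recv-Leftover 2
2025-07-22 11:21:07 [1127] __fnbamd_ldap_read-Read 102
2025-07-22 11:21:07 [1306] fnbamd_ldap_recv-Response len: 104, svr: 10.3.2.25
2025-07-22 11:21:07 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
2025-07-22 11:21:07 [1009] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090457, comment: AcceptSecurityContext error, data 52f, v3839)
fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-XXXXXX, comment: AcceptSecurityContext error, data XXX, vXXXX)
"""

# Standard Windows logon error values (hex) that AD places after "data".
AD_DATA_CODES = {
    "525": "user not found (ERROR_NO_SUCH_USER)",
    "52e": "invalid credentials (ERROR_LOGON_FAILURE)",
    "52f": "account restriction, e.g. logon hours/policy or a protected group (ERROR_ACCOUNT_RESTRICTION)",
    "530": "logon not permitted at this time (ERROR_INVALID_LOGON_HOURS)",
    "531": "logon not permitted from this workstation (ERROR_INVALID_WORKSTATION)",
    "532": "password expired (ERROR_PASSWORD_EXPIRED)",
    "533": "account disabled (ERROR_ACCOUNT_DISABLED)",
    "701": "account expired (ERROR_ACCOUNT_EXPIRED)",
    "773": "user must reset password (ERROR_PASSWORD_MUST_CHANGE)",
    "775": "account locked out (ERROR_ACCOUNT_LOCKED_OUT)",
}

BIND_ERROR_RE = re.compile(
    r"fnbamd_ldap_parse_response-Error (?P<code>\d+)"
    r"\((?P<hresult>\w+): LdapErr: DSID-(?P<dsid>\w+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>\w+), v(?P<ver>\w+)\)"
)


@dataclass
class BindFailure:
    result_code: int      # LDAP resultCode, 49 = invalidCredentials
    hresult: str          # e.g. 80090308 = SEC_E_LOGON_DENIED
    dsid: str
    comment: str
    data: str             # AD subcode, e.g. 52e
    meaning: str


def explain_data_code(data: str) -> str:
    """Map an AD data subcode to its meaning; masked or unknown values are flagged."""
    return AD_DATA_CODES.get(data.lower(), f"unknown or masked subcode '{data}'; consult the LDAP error code reference")


def parse_bind_failures(debug_text: str) -> List[BindFailure]:
    """Extract every bind failure from fnbamd debug output, in order of appearance."""
    failures = []
    for m in BIND_ERROR_RE.finditer(debug_text):
        failures.append(BindFailure(
            result_code=int(m.group("code")),
            hresult=m.group("hresult"),
            dsid=m.group("dsid"),
            comment=m.group("comment"),
            data=m.group("data"),
            meaning=explain_data_code(m.group("data")),
        ))
    return failures


if __name__ == "__main__":
    for f in parse_bind_failures(SAMPLE_DEBUG):
        print(f"resultCode {f.result_code}, DSID {f.dsid}, data {f.data}: {f.meaning}")
```

Run it against the output of the fnbamd debug session; the data subcode, not the generic resultCode 49, is what distinguishes a wrong password (52e) from the account-restriction case (52f) described above, and from an expired or locked account.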

 

Important note:

  1. Using the full username@domain format, referred to as the User Principal Name (UPN), for the service account during an LDAP authentication attempt resolves the 'invalid credentials' error by supplying a complete, unambiguous identifier. This allows the FortiGate service account to query the LDAP server successfully, avoiding the ambiguity that may occur when only a partial username is used.
  2. It is crucial to ensure that the user account is properly associated with the correct domain in Active Directory. Otherwise, a 'permission denied' error may occur during authentication.

 

[Image: LDAP user account binding]

 

Related documents:

Configuring an LDAP server

Troubleshooting Tip: FortiGate LDAP authentication errors

Technical Tip: IKEv2 dial up VPN with LDAP authentication