Created on
11-08-2020
11:24 PM
Edited on
11-17-2025
12:07 AM
By
Anthony_E
Description
This article describes the most common LDAP authentication error codes.
Scope
FortiGate.
Solution
A quick list of common Active Directory LDAP bind errors and their meaning. If the bind fails, the LDAP server returns an error code that can be read from the fnbamd debug output or from a Wireshark capture:
Code
0x525 <----- User not found.
0x52e <----- Invalid credentials.
0x530 <----- Not permitted to log on at this time.
0x531 <----- Not permitted to log on from this workstation.
0x532 <----- Password expired.
0x533 <----- Account disabled.
0x701 <----- Account expired.
0x773 <----- User has to reset password.
0x775 <----- Account locked out.
0x525 - User not found: This error means the specified user could not be located in the LDAP directory.
0x52e - Invalid credentials: This indicates that the username and/or password is incorrect.
0x530 - Not permitted to log on at this time: This error occurs when the account has logon time restrictions.
0x531 - Not permitted to log on from this workstation: This means the user account is restricted to logging in from certain workstations. Check the user's logon workstation settings in Active Directory and adjust the restrictions, or confirm that the user is logging in from an allowed device.
0x532 - Password expired: This indicates that the user’s password has expired and needs to be reset.
0x533 - Account disabled: This error means the user account is disabled in Active Directory. Re-enable the account if needed, and confirm with the administrator whether it was intentionally disabled.
0x701 - Account expired: This means the account itself has expired and is no longer valid. Extend the account expiration date or recreate a new account if needed.
0x773 - User has to reset password: This indicates that the user is required to change their password before logging in, typically for new accounts or accounts with recently reset passwords. Instruct the user to reset the password upon the next logon.
0x775 - Account locked out: This means the account is locked due to repeated failed login attempts. Unlock the account in Active Directory, and check if the lockout was caused by a user error or a potential security concern, such as unauthorized access attempts.
Results:
Sample output from Debug:
diagnose debug disable
diagnose debug reset
diagnose debug app fnbamd -1
diagnose debug enable
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839) <----- Invalid credentials.
Note: In a VDOM environment, the fnbamd debug commands must be run from within the VDOM:
config vdom
edit <name of vdom>
To capture the LDAP traffic from the FortiGate CLI, use the following sniffer command (replace the IP address with that of the LDAP server):
diagnose sniffer packet any 'host 10.217.130.221 and port 389 or port 636' 6 0 l
From Wireshark:

In the capture, the bindResponse error message carries AcceptSecurityContext error data 52e (Invalid credentials): a valid username was provided, but the supplied password is incorrect. Because authentication cannot proceed without valid credentials, this error masks any other condition on the account.
Below is a summary of AcceptSecurityContext error codes and their meanings:
525 - User not found: This error is returned when an invalid username is provided, indicating that the specified user does not exist in the LDAP directory.
52e - Invalid credentials: It signifies that a valid username is provided, but the supplied password or credentials are incorrect. This error typically prevents other errors from being displayed because authentication cannot proceed without valid credentials.
530 - Not permitted to log on at this time: This error is returned when a valid username and password are supplied during periods when login is restricted. There may be time-based access restrictions in place.
531 - Not permitted to log on from this workstation: Returned when a valid username and password are provided, but the user is restricted from using the workstation from which the login attempt was made. Workstation-based access restrictions are in effect.
532 - Password expired: This error occurs when a valid username is supplied, and the provided password is correct but has expired. The user is required to change their password.
533 - Account disabled: Returned when a valid username and password are provided, but the user's account has been disabled. Authentication is prevented due to the disabled status of the account.
701 - Account expired: This error is returned when a valid username and password are supplied, but the user's account has expired, preventing successful authentication.
773 - User must reset password: If a valid username and password are supplied, this error indicates that the user is required to reset their password immediately before logging in for the first time or after an administrator has reset the password.
775 - Account locked out: This error is returned when a valid username is supplied, but the user's account is locked out due to too many failed login attempts. It is important to note that this error is returned even if the password provided is valid.
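As an added example (not part of the original article and not Fortinet code), the following Python helper pulls the LDAP result code and the AcceptSecurityContext "data" sub-code out of fnbamd debug lines like the one shown above, maps the sub-code to the meanings in the tables, and tallies the failures so that lockouts (775) and credential failures (52e) can be counted from a debug session. The sample lines are constructed from the article's output format.

```python
import re
from collections import Counter

# Active Directory AcceptSecurityContext sub-error codes from this article.
# The "data NNN" field of the bind response diagnostic message is hexadecimal.
AD_BIND_SUBCODES = {
    0x525: "User not found",
    0x52E: "Invalid credentials",
    0x530: "Not permitted to log on at this time",
    0x531: "Not permitted to log on from this workstation",
    0x532: "Password expired",
    0x533: "Account disabled",
    0x701: "Account expired",
    0x773: "User must reset password",
    0x775: "Account locked out",
}

# Matches the diagnostic string as printed by fnbamd and as seen in the
# bindResponse errorMessage in Wireshark, e.g.
# "Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839)"
_DIAG_RE = re.compile(
    r"Error\s+(?P<result>\d+)\(.*?AcceptSecurityContext error, data (?P<sub>[0-9a-fA-F]+)"
)

def parse_bind_error(line):
    """Return (ldap_result_code, ad_subcode, meaning), or None if the line is not a bind error."""
    m = _DIAG_RE.search(line)
    if not m:
        return None
    result = int(m.group("result"))      # LDAP result code, 49 = invalidCredentials
    sub = int(m.group("sub"), 16)        # AD sub-code is hex: "52e" -> 0x52e
    meaning = AD_BIND_SUBCODES.get(sub, "Unknown sub-code 0x%x" % sub)
    return result, sub, meaning

def summarize(lines):
    """Count bind failures per meaning across a batch of fnbamd debug lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_bind_error(line)
        if parsed:
            counts[parsed[2]] += 1
    return counts

# Constructed sample lines modelled on the article's debug output (not a real capture).
SAMPLE_LOG = [
    "[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839)",
]

if __name__ == "__main__":
    for meaning, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {meaning}")
```

Feed it the output of `diagnose debug app fnbamd -1` collected over a test period; a rising count of "Account locked out" alongside many "Invalid credentials" results is the pattern to investigate on the account side.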
Related article:
Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd