FortiGate
ckumar_FTNT
Staff
Article Id 195337

Description


This article describes the most common LDAP authentication error codes.


Scope


FortiGate.

Solution


A quick list of common Active Directory LDAP bind errors and their meaning. If the bind fails, the LDAP server returns an error code that can be read from the FortiGate debug output or from a Wireshark capture:


Code
0x525 <----- User not found.
0x52e <----- Invalid credentials.
0x530 <----- Not permitted to log on at this time.
0x531 <----- Not permitted to log on from this workstation.
0x532 <----- Password expired.
0x533 <----- Account disabled.
0x701 <----- Account expired.
0x773 <----- User has to reset password.
0x775 <----- Account locked out.


0x525 - User not found: This error means the specified user could not be located in the LDAP directory.

  • Ensure that the username is spelled correctly and matches the directory format.
  • Verify that the user is in the expected Organizational Unit (OU) and within the search base scope.

0x52e - Invalid credentials: This indicates that the username and/or password is incorrect.

  • Double-check the password and confirm any recent password changes if using a service account.
  • Additionally, ensure that the account isn't locked or subject to restrictions.

0x530 - Not permitted to log on at this time: This error occurs when the account has logon time restrictions.

  • Review the account's logon time settings in Active Directory and adjust them if the user needs access outside the permitted hours.

0x531 - Not permitted to log on from this workstation: This means the user account is restricted to logging on from certain workstations. Check the user's logon workstation settings in Active Directory and adjust the restrictions, or confirm that the user is logging on from an allowed device.

0x532 - Password expired: This indicates that the user’s password has expired and needs to be reset.

  • Reset the password in Active Directory or advise the user to change it.
  • Ensure users are aware of password expiration policies.

0x533 - Account disabled: This error means the user account is disabled in Active Directory. Re-enable the account if needed, and confirm with the administrator whether it was intentionally disabled.


0x701 - Account expired: This means the account itself has expired and is no longer valid. Extend the account expiration date or recreate a new account if needed.


0x773 - User has to reset password: This indicates that the user is required to change their password before logging in, typically for new accounts or accounts with recently reset passwords. Instruct the user to reset the password upon the next logon.


0x775 - Account locked out: This means the account is locked due to repeated failed login attempts. Unlock the account in Active Directory, and check if the lockout was caused by a user error or a potential security concern, such as unauthorized access attempts.


Results:

Sample output from the FortiGate debug:


[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839)    <----- Invalid credentials.
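As an added example (not part of this article or of FortiOS), the following Python script pulls the "data" sub-code out of the AcceptSecurityContext text in fnbamd debug lines like the one above, maps it to the table in this article, and counts failures per sub-code so a burst of lockouts or bad-password attempts stands out. The sample debug lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Sub-codes Active Directory places in the "data NNN" field of the
# AcceptSecurityContext diagnostic text on a failed bind (LDAP result 49).
AD_BIND_SUBCODES = {
    0x525: "User not found",
    0x52E: "Invalid credentials",
    0x530: "Not permitted to log on at this time",
    0x531: "Not permitted to log on from this workstation",
    0x532: "Password expired",
    0x533: "Account disabled",
    0x701: "Account expired",
    0x773: "User has to reset password",
    0x775: "Account locked out",
}

# Matches e.g. "... comment: AcceptSecurityContext error, data 52e, v3839"
_DIAG_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def parse_bind_subcode(line: str) -> Optional[int]:
    """Return the AD sub-code as an int, or None if the line has no such field."""
    m = _DIAG_RE.search(line)
    return int(m.group(1), 16) if m else None

def describe_bind_failure(line: str) -> str:
    """Human-readable meaning of the sub-code, tolerating codes not in the table."""
    code = parse_bind_subcode(line)
    if code is None:
        return "no AcceptSecurityContext sub-code present"
    return f"0x{code:x}: {AD_BIND_SUBCODES.get(code, 'unknown sub-code')}"

def triage(lines: List[str]) -> Dict[int, int]:
    """Count bind failures per sub-code across a batch of debug lines."""
    counts: Dict[int, int] = {}
    for line in lines:
        code = parse_bind_subcode(line)
        if code is not None:
            counts[code] = counts.get(code, 0) + 1
    return counts

# Constructed sample lines in the fnbamd debug format shown in this article.
SAMPLE_DEBUG = [
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v3839)",
    "[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind",
]

if __name__ == "__main__":
    for sample in SAMPLE_DEBUG:
        print(describe_bind_failure(sample))
    print(triage(SAMPLE_DEBUG))
```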


From Wireshark.

