Created on 11-08-2020 11:24 PM, edited on 08-11-2025 08:07 AM by Stephen_G
Description
This article describes the most common LDAP authentication error codes.
Scope
FortiGate.
Solution
A quick list of common Active Directory LDAP bind errors and their meaning. If the bind fails, the LDAP server returns an error code that can be read from the fnbamd debug output or from a Wireshark capture:
Code
0x525 <----- User not found.
0x52e <----- Invalid credentials.
0x530 <----- Not permitted to log on at this time.
0x531 <----- Not permitted to log on from this workstation.
0x532 <----- Password expired.
0x533 <----- Account disabled.
0x701 <----- Account expired.
0x773 <----- User has to reset password.
0x775 <----- Account locked out.
0x525 - User not found: This error means the specified user could not be located in the LDAP directory.
0x52e - Invalid credentials: This indicates that the username and/or password is incorrect.
0x530 - Not permitted to log on at this time: This error occurs when the account has logon time restrictions.
0x531 - Not permitted to log on from this workstation: This means the user account is restricted to logging in from certain workstations. Check the user's logon workstation settings in Active Directory and adjust the restrictions, or confirm that the user is logging in from an allowed device.
0x532 - Password expired: This indicates that the user’s password has expired and needs to be reset.
0x533 - Account disabled: This error means the user account is disabled in Active Directory. Re-enable the account if needed, and confirm with the administrator whether it was intentionally disabled.
0x701 - Account expired: This means the account itself has expired and is no longer valid. Extend the account expiration date or recreate a new account if needed.
0x773 - User has to reset password: This indicates that the user is required to change their password before logging in, typically for new accounts or accounts with recently reset passwords. Instruct the user to reset the password upon the next logon.
0x775 - Account locked out: This means the account is locked due to repeated failed login attempts. Unlock the account in Active Directory, and check if the lockout was caused by a user error or a potential security concern, such as unauthorized access attempts.
Results:
Sample output from Debug:
diag debug disable
diag debug reset
diagnose debug app fnbamd -1
diagnose debug en
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v3839) <----- Invalid credentials.
Note: In a VDOM environment, the fnbamd debug commands must be run from within the VDOM:
config vdom
edit <name of vdom>
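The debug line above carries the interesting part in the `data` field: AD reports every bind failure as LDAP result 49 (invalidCredentials) and only the hex sub-code after `data` distinguishes a wrong password from a lockout or an expired account. The sub-code is the Win32 error number in hex (0x52e is 1326, ERROR_LOGON_FAILURE), which is why the table above is written in hex. The following Python is an added example, not part of this article or of any Fortinet tool: it pulls the sub-code out of fnbamd debug lines, maps it with the table from this article, and counts failures by meaning so a burst of 0x775 lockouts stands out from ordinary typos. The debug lines it runs on are constructed; the first error line is the one shown above, the others reuse its format with different sub-codes.

```python
import re

# Sub-code table from this article: the "data" value AD returns with LDAP result 49.
BIND_SUBCODES = {
    0x525: "User not found",
    0x52e: "Invalid credentials",
    0x530: "Not permitted to log on at this time",
    0x531: "Not permitted to log on from this workstation",
    0x532: "Password expired",
    0x533: "Account disabled",
    0x701: "Account expired",
    0x773: "User has to reset password",
    0x775: "Account locked out",
}

# fnbamd echoes the server's diagnostic message as:
#   Error 49(80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, v3839)
_ERR_RE = re.compile(r"Error\s+(?P<result>\d+)\((?P<diag>[^)]*)\)")
_DATA_RE = re.compile(r"\bdata\s+(?P<data>[0-9a-fA-F]+)")


def parse_bind_error(line):
    """Return (ldap_result, ad_subcode, meaning) for an fnbamd bind-error line, else None.

    ad_subcode is None when the diagnostic message carries no "data" field
    (non-AD servers do not add one)."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    result = int(m.group("result"))
    d = _DATA_RE.search(m.group("diag"))
    subcode = int(d.group("data"), 16) if d else None
    if result != 49:
        meaning = "LDAP result %d (not invalidCredentials)" % result
    elif subcode is None:
        meaning = "invalidCredentials without an AD sub-code"
    else:
        meaning = BIND_SUBCODES.get(subcode, "Unknown AD sub-code 0x%x" % subcode)
    return result, subcode, meaning


def summarize(lines):
    """Count bind failures by meaning across a debug capture."""
    counts = {}
    for line in lines:
        parsed = parse_bind_error(line)
        if parsed:
            counts[parsed[2]] = counts.get(parsed[2], 0) + 1
    return counts


# Constructed sample: the article's own debug lines followed by made-up lines in the
# same format for other sub-codes.
SAMPLE_LINES = [
    "[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 775, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 533, v3839)",
    "[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 775, v3839)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_bind_error(line)
        if parsed:
            print("result %d, data 0x%x: %s" % parsed)
    print(summarize(SAMPLE_LINES))
```

Feed it the output of `diagnose debug app fnbamd -1` (pasted into a file, one line per entry) instead of SAMPLE_LINES to get the same breakdown for a real troubleshooting session. Counting by meaning is the useful part: one user hitting 0x52e is a typo, many distinct users hitting 0x52e or a cluster of 0x775 in a short window is what the 0x775 entry above means by "a potential security concern" and is worth correlating with the domain controller's own logon events.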
To capture the LDAP exchange from the FortiGate CLI, use the following sniffer command (10.217.130.221 is the LDAP server in this example; the parentheses keep the host filter applied to both LDAP and LDAPS ports):
diagnose sniffer packet any 'host 10.217.130.221 and (port 389 or port 636)' 6 0 l
From Wireshark:
Related article:
Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd
Copyright 2025 Fortinet, Inc. All Rights Reserved.