Overview#

Here are the error codes you might see along with error 49, and their definitions.

Technically, these are LDAP Result Codes, since "0" indicates success when performing a bind. However, we are typically concerned only with the errors, not the success results.

When you see an entry similar to:

"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."

The HEX values will resolve to a Microsoft Response Code that may provide more information.

AD LDAP Result Code 49 sub-codes [1] for Authentication Failures:#

| LDAP Code | HEX | DEC | Short Description | More Information | Comments |
|---|---|---|---|---|---|
| 49 | 525 | 1317 | LDAP_NO_SUCH_OBJECT | Entry does not exist. | |
| 49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but password/credential is invalid. | Will prevent most other errors from being displayed as noted. |
| 49 | 52f | 1327 | ERROR_ACCOUNT_RESTRICTION | Account Restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. | |
| 49 | 530 | 1328 | ERROR_INVALID_LOGON_HOURS | Time Restriction: Entry logon time restriction violation | |
| 49 | 531 | 1329 | ERROR_INVALID_WORKSTATION | Device Restriction: Entry not allowed to log on to this computer. | |
| 49 | 532 | 1330 | ERROR_PASSWORD_EXPIRED | Password Expiration: Entry password has expired. LDAP User-Account-Control Attribute - ERROR_PASSWORD_EXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 533 | 1331 | ERROR_ACCOUNT_DISABLED | Administratively Disabled: LDAP User-Account-Control Attribute - ACCOUNTDISABLE | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 568 | 1384 | ERROR_TOO_MANY_CONTEXT_IDS | During a logon attempt, the user's security context accumulated too many security identifiers. (i.e. Group-AD) | |
| 49 | 701 | 1793 | ERROR_ACCOUNT_EXPIRED | LDAP Password Expiration: User-Account-Control Attribute - ACCOUNTEXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 773 | 1907 | ERROR_PASSWORD_MUST_CHANGE | Password Expiration: Entry's password must be changed before logging on. LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 775 | 1909 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: Entry is currently locked out and may not be logged on to. LDAP User-Account-Control Attribute - LOCKOUT | NOTE: Returns even if invalid password is presented. |
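
The following is an added example, not part of the original page: a small Python parser that pulls the `data` sub-code out of an error 49 message and resolves it against the table above, so bind failures in application logs can be triaged by cause. The function names, the `valid_credentials` flag (derived from the Comments column) and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Sub-codes from the table above: hex -> (short description, credentials valid?).
# True  = the table notes the code is returned only for a valid username and password.
# False = the table says the password/credential was invalid.
# None  = the table does not say either way.
SUBCODES = {
    "525": ("LDAP_NO_SUCH_OBJECT", None),
    "52e": ("ERROR_LOGON_FAILURE", False),
    "52f": ("ERROR_ACCOUNT_RESTRICTION", None),
    "530": ("ERROR_INVALID_LOGON_HOURS", None),
    "531": ("ERROR_INVALID_WORKSTATION", None),
    "532": ("ERROR_PASSWORD_EXPIRED", True),
    "533": ("ERROR_ACCOUNT_DISABLED", True),
    "568": ("ERROR_TOO_MANY_CONTEXT_IDS", None),
    "701": ("ERROR_ACCOUNT_EXPIRED", True),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", True),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", None),
}

# The sub-code is the hex token after "data" in the AcceptSecurityContext comment.
DATA_RE = re.compile(r"error code 49\b.*?AcceptSecurityContext error, data ([0-9A-Fa-f]+)\b")

def decode_bind_failure(message):
    """Return the decoded sub-code of an error 49 message, or None if it is not one."""
    match = DATA_RE.search(message)
    if match is None:
        return None
    hex_code = match.group(1).lower().lstrip("0") or "0"
    name, valid = SUBCODES.get(hex_code, ("UNKNOWN", None))
    # The DEC column is the same number in base 10, so unknown codes can still be looked up.
    return {"hex": hex_code, "dec": int(hex_code, 16), "name": name, "valid_credentials": valid}

def summarize(lines):
    """Count failures per short description across many log lines."""
    decoded = (decode_bind_failure(line) for line in lines)
    return Counter(d["name"] for d in decoded if d is not None)

# Constructed sample lines in the format quoted above (DSID kept as the page's placeholder).
FMT = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, "
       "comment: AcceptSecurityContext error, data {}, vece ]")
SAMPLE = [FMT.format(c) for c in ("52e", "52e", "775", "532", "999")]
SAMPLE.append("[LDAP: error code 32 - No Such Object]")

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_bind_failure(line))
    print(summarize(SAMPLE))
```

A result with `valid_credentials` set to `True` means the directory accepted the password and refused the bind for another reason, which is worth handling differently from a plain 52e failure.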

More Information#

There might be more information for this subject on one of the following:
[#1] Derived from various sources including http://msdn.microsoft.com/en-us/library/windows/desktop/ms681386(v=vs.85).aspx 2012-10-17

« This page (revision-37) was last changed on 09-Aug-2016 17:18 by jim