Overview

Here are the LDAP Result Codes you might see along with LDAP Result Code 49, which would cause Authentication Failures.

When you see an entry similar to:

"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."

The HEX values will resolve to a Microsoft Response Code that may provide more information.

Microsoft Active Directory LDAP Result Codes sub-codes for Bind Response:

LDAP Result Code 49 sub-codes [1] for Authentication Failures:

EDirectory LDAP Result Codes sub-codes for Bind Response:

| Code | HEX | DEC | Short Description | More Information | Comments |
|---|---|---|---|---|---|
| 49 | 525 | 1317 | LDAP_NO_SUCH_OBJECT | Entry does not exist. | |
| 49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted. | |
| 49 | 52f | 1327 | ERROR_ACCOUNT_RESTRICTION | Account Restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. | |
| 49 | 530 | 1328 | ERROR_INVALID_LOGON_HOURS | Time Restriction: Entry logon time restriction violation | |
| 49 | 531 | 1329 | ERROR_INVALID_WORKSTATION | Device Restriction: Entry not allowed to log on to this computer. | |
| 49 | 532 | 1330 | ERROR_PASSWORD_EXPIRED | Password Expiration: Entry password has expired. LDAP User-Account-Control Attribute - ERROR_PASSWORD_EXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 533 | 1331 | ERROR_ACCOUNT_DISABLED | Administratively Disabled: LDAP User-Account-Control Attribute - ACCOUNTDISABLE | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 568 | 1384 | ERROR_TOO_MANY_CONTEXT_IDS | During a logon attempt, the user's security context accumulated too many security Identifiers. (ie Group-AD) | |
| 49 | 701 | 1793 | ERROR_ACCOUNT_EXPIRED | LDAP Password Expiration: User-Account-Control Attribute - ACCOUNTEXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 773 | 1907 | ERROR_PASSWORD_MUST_CHANGE | Password Expiration: Entry's password must be changed before logging on. LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 775 | 1909 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: Entry is currently locked out and may not be logged on to. LDAP User-Account-Control Attribute - LOCKOUT | NOTE: Returns even if invalid password is presented |
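
The table above applied to log triage, as an added example that is not part of the original page: it extracts the `data <HEX>` sub-code from the message format quoted in the Overview, decodes it, and marks the failures that the table's notes say occur only when the presented credential was valid. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
# hex sub-code -> (short description, credentials_valid), from the table above.
# True only where the comment says "Returns only when presented with valid ...".
SUBCODES = {
    0x525: ("LDAP_NO_SUCH_OBJECT", False),
    0x52E: ("ERROR_LOGON_FAILURE", False),
    0x52F: ("ERROR_ACCOUNT_RESTRICTION", False),
    0x530: ("ERROR_INVALID_LOGON_HOURS", False),
    0x531: ("ERROR_INVALID_WORKSTATION", False),
    0x532: ("ERROR_PASSWORD_EXPIRED", True),
    0x533: ("ERROR_ACCOUNT_DISABLED", True),
    0x568: ("ERROR_TOO_MANY_CONTEXT_IDS", False),
    0x701: ("ERROR_ACCOUNT_EXPIRED", True),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", True),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", False),
}
# Message format quoted on this page; the value after "data" is hexadecimal.
BIND_ERR = re.compile(r"LDAP: error code 49\b.*?AcceptSecurityContext error, "
                      r"data ([0-9A-Fa-f]+)\b")

def decode(line):
    """Return (hex, dec, name, credentials_valid), or None if not a code 49 line."""
    m = BIND_ERR.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    name, creds_valid = SUBCODES.get(code, ("UNKNOWN", False))
    return format(code, "x"), code, name, creds_valid

def summarize(lines):
    """Count sub-codes; list 1-based line numbers where the credential was valid."""
    counts, creds_ok = Counter(), []
    for n, line in enumerate(lines, 1):
        hit = decode(line)
        if hit:
            counts[hit[2]] += 1
            if hit[3]:
                creds_ok.append(n)
    return counts, creds_ok

# Constructed sample input; the DSID is the page's masked placeholder.
TEMPLATE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, "
            "comment: AcceptSecurityContext error, data {}, vece ]")
SAMPLE = [TEMPLATE.format(c) for c in ("52e", "52e", "533", "775", "773")]
SAMPLE.append("[LDAP: error code 32 - No Such Object]")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines reported in `creds_ok` are failed binds where, per the table's notes, the presented username and password were correct, so they are worth reviewing alongside runs of `52e`.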

More Information

There might be more information for this subject on one of the following:
[#1] Derived from various sources including http://msdn.microsoft.com/en-us/library/windows/desktop/ms681386(v=vs.85).aspx 2012-10-17

This page (revision-39) was last changed on 22-May-2017 11:20 by jim