Overview
Here are the LDAP Result Codes you might see along with LDAP Result Code 49 which would cause Authentication Failures.

When you see an entry similar to:
"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."
The hex values will resolve to a Microsoft Response Code that may provide more information.
Microsoft Active Directory LDAP Result Codes sub-codes for Bind Response:
LDAP Result Code 49 sub-codes [1] for Authentication Failures:

Code | hex | DEC | Short Description | More Information | Comments |
---|---|---|---|---|---|
49 | 525 | 1317 | LDAP_NO_SUCH_OBJECT | Entry does not exist. | |
49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but password/credential is invalid. | Will prevent most other errors from being displayed as noted. |
49 | 52f | 1327 | ERROR_ACCOUNT_RESTRICTION | Account Restrictions are preventing this user from signing in. | For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. |
49 | 530 | 1328 | ERROR_INVALID_LOGON_HOURS | Time Restriction: Entry logon time restriction violation | |
49 | 531 | 1329 | ERROR_INVALID_WORKSTATION | Device Restriction: Entry not allowed to log on to this computer. | |
49 | 532 | 1330 | ERROR_PASSWORD_EXPIRED | Password Expiration: Entry password has expired. LDAP User-Account-Control Attribute - ERROR_PASSWORD_EXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
49 | 533 | 1331 | ERROR_ACCOUNT_DISABLED | Administratively Disabled: LDAP User-Account-Control Attribute - ACCOUNTDISABLE | NOTE: Returns only when presented with valid username and password/credential. |
49 | 568 | 1384 | ERROR_TOO_MANY_CONTEXT_IDS | During a logon attempt, the user's security context accumulated too many security identifiers (i.e. Group-AD). | |
49 | 701 | 1793 | ERROR_ACCOUNT_EXPIRED | LDAP Password Expiration: User-Account-Control Attribute - ACCOUNTEXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
49 | 773 | 1907 | ERROR_PASSWORD_MUST_CHANGE | Password Expiration: Entry's password must be changed before logging on. LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD | NOTE: Returns only when presented with valid username and password/credential. |
49 | 775 | 1909 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: Entry is currently locked out and may not be logged on to. LDAP User-Account-Control Attribute - LOCKOUT | NOTE: Returns even if invalid password is presented. |
49 | 80090346 | .. | ERROR_ACCOUNT_LOCKED_OUT | AcceptSecurityContext error | SEC_E_BAD_BINDINGS - Client's supplied Security Support Provider Interface (SSPI) Channel Bindings were incorrect. |
Common Active Directory Bind Errors will often be shown within the Windows Event Log as Event 4625.
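
An added example (not from the original page): a Python triage helper that extracts the `data <HEX>` sub-code from error-49 messages, maps it with the table above, and separates the failures that the table says are returned only for a valid username and credential. The function names, the `credential_valid` flag and the sample lines are assumptions made for illustration; only the rows that have a decimal value are covered.

```python
import re
from collections import Counter

# hex sub-code -> (short description, credential_valid). credential_valid is
# True where the table notes the code is returned only when a valid username
# and password/credential were presented.
SUBCODES = {
    "525": ("LDAP_NO_SUCH_OBJECT", False),
    "52e": ("ERROR_LOGON_FAILURE", False),
    "52f": ("ERROR_ACCOUNT_RESTRICTION", False),
    "530": ("ERROR_INVALID_LOGON_HOURS", False),
    "531": ("ERROR_INVALID_WORKSTATION", False),
    "532": ("ERROR_PASSWORD_EXPIRED", True),
    "533": ("ERROR_ACCOUNT_DISABLED", True),
    "568": ("ERROR_TOO_MANY_CONTEXT_IDS", False),
    "701": ("ERROR_ACCOUNT_EXPIRED", True),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", True),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", False),
}
BIND_ERR = re.compile(
    r"LDAP: error code 49 - [0-9A-Fa-f]{8}: LdapErr: DSID-\w+, "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)\b")

def parse_bind_failure(line):
    """Return the decoded sub-code of one error-49 message, or None."""
    m = BIND_ERR.search(line)
    if m is None:
        return None
    sub = m.group("data").lower()
    name, valid = SUBCODES.get(sub, ("UNKNOWN", False))
    return {"hex": sub, "dec": int(sub, 16), "name": name, "credential_valid": valid}

def triage(lines):
    """Count sub-codes; list (line number, name) where the credential was valid."""
    counts, valid_cred = Counter(), []
    for n, line in enumerate(lines, 1):
        hit = parse_bind_failure(line)
        if hit is None:
            continue
        counts[hit["name"]] += 1
        if hit["credential_valid"]:
            valid_cred.append((n, hit["name"]))
    return counts, valid_cred

# Constructed sample input, using the message shape and DSID placeholder quoted above.
MSG_TEMPLATE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, "
                "comment: AcceptSecurityContext error, data {}, vece ]")
SAMPLE = [MSG_TEMPLATE.format(c) for c in ("52e", "52e", "775", "533", "52E")] + ["unrelated"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A bind that fails with 532, 533, 701 or 773 still confirms that the presented password was correct, so those entries deserve a different follow-up than a run of 52e failures.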
More Information
There might be more information for this subject on one of the following:
- Event 4625
- LDAP Result Codes
- LDAP and Active Directory
- LDAP_INVALID_CREDENTIALS
- Microsoft Active Directory
- User-Account-Control Attribute
[#1] Derived from various sources including http://msdn.microsoft.com/en-us/library/windows/desktop/ms681386(v=vs.85).aspx
