Common Active Directory Bind Errors


Here are the result codes you might see along with LDAP Result Code 49, which would cause authentication failures.

When you see an entry similar to:

"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."

The hex values will resolve to a Microsoft Response Code that may provide more information.

Microsoft Active Directory LDAP Result Codes sub-codes for Bind Response:

LDAP Result Code 49 sub-codes [1] for Authentication Failures:
| Code | hex | DEC | Short Description | More Information | Comments |
|---|---|---|---|---|---|
| 49 | 525 | 1317 | LDAP_NO_SUCH_OBJECT | Entry does not exist. | |
| 49 | 52e | 1326 | ERROR_LOGON_FAILURE | Returns when username is valid but password/credential is invalid. | Will prevent most other errors from being displayed as noted. |
| 49 | 52f | 1327 | ERROR_ACCOUNT_RESTRICTION | Account Restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. | |
| 49 | 530 | 1328 | ERROR_INVALID_LOGON_HOURS | Time Restriction: Entry logon time restriction violation | |
| 49 | 531 | 1329 | ERROR_INVALID_WORKSTATION | Device Restriction: Entry not allowed to log on to this computer. | |
| 49 | 532 | 1330 | ERROR_PASSWORD_EXPIRED | Password Expiration: Entry password has expired. LDAP User-Account-Control Attribute - ERROR_PASSWORD_EXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 533 | 1331 | ERROR_ACCOUNT_DISABLED | Administratively Disabled: LDAP User-Account-Control Attribute - ACCOUNTDISABLE | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 568 | 1384 | ERROR_TOO_MANY_CONTEXT_IDS | During a logon attempt, the user's security context accumulated too many security Identifiers. (i.e. Group-AD) | |
| 49 | 701 | 1793 | ERROR_ACCOUNT_EXPIRED | LDAP Password Expiration: User-Account-Control Attribute - ACCOUNTEXPIRED | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 773 | 1907 | ERROR_PASSWORD_MUST_CHANGE | Password Expiration: Entry's password must be changed before logging on. LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD | NOTE: Returns only when presented with valid username and password/credential. |
| 49 | 775 | 1909 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: Entry is currently locked out and may not be logged on to. LDAP User-Account-Control Attribute - LOCKOUT | NOTE: Returns even if invalid password is presented. |
| 49 | 80090346 | .. | ERROR_ACCOUNT_LOCKED_OUT | AcceptSecurityContext error | SEC_E_BAD_BINDINGS - Client's supplied Security Support Provider Interface (SSPI) Channel Bindings were incorrect. |

Common Active Directory Bind Errors will often be shown within the Windows Event Log as Event 4625.
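The following is an added example, not part of the original page: a small Python decoder for the bind error message quoted above that extracts the `data` sub-code, maps it to the table's names, and flags the sub-codes the table notes are returned only when a valid username and password/credential were presented. The function names and the sample lines are constructed for illustration.

```python
import re

# hex sub-code -> (name, True if the table's NOTE says the code is returned
# only when a valid username and password/credential were presented)
SUBCODES = {
    0x525: ("LDAP_NO_SUCH_OBJECT", False),
    0x52E: ("ERROR_LOGON_FAILURE", False),
    0x52F: ("ERROR_ACCOUNT_RESTRICTION", False),
    0x530: ("ERROR_INVALID_LOGON_HOURS", False),
    0x531: ("ERROR_INVALID_WORKSTATION", False),
    0x532: ("ERROR_PASSWORD_EXPIRED", True),
    0x533: ("ERROR_ACCOUNT_DISABLED", True),
    0x568: ("ERROR_TOO_MANY_CONTEXT_IDS", False),
    0x701: ("ERROR_ACCOUNT_EXPIRED", True),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", True),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", False),
}

# Shape of the message quoted on this page: result code, leading hex code,
# then the sub-code after "data".
BIND_ERR = re.compile(
    r"error code (?P<ldap>\d+) - (?P<lead>[0-9A-Fa-f]{8}): LdapErr: .*?"
    r"data (?P<data>[0-9A-Fa-f]+)\b"
)

def decode_bind_error(message):
    """Decode one bind failure message; None if it is not a result code 49."""
    m = BIND_ERR.search(message)
    if m is None or m.group("ldap") != "49":
        return None
    sub = int(m.group("data"), 16)
    name, valid = SUBCODES.get(sub, ("UNKNOWN", False))
    return {"lead": m.group("lead").lower(), "hex": format(sub, "x"),
            "dec": sub, "name": name, "credentials_valid": valid}

def valid_credential_failures(lines):
    """Return decoded entries whose sub-code implies the password was correct."""
    decoded = (decode_bind_error(line) for line in lines)
    return [d for d in decoded if d and d["credentials_valid"]]

# Constructed sample lines; DSID is the page's own placeholder.
_TMPL = ("[LDAP: error code {} - 80090308: LdapErr: DSID-0Cxxxxxx, "
         "comment: AcceptSecurityContext error, data {}, vece ]")
SAMPLES = [_TMPL.format(49, h) for h in ("52e", "533", "775", "abc")]
SAMPLES.append(_TMPL.format(32, "525"))  # not result code 49, so ignored

if __name__ == "__main__":
    for hit in valid_credential_failures(SAMPLES):
        print(hit["hex"], hit["dec"], hit["name"])
```

The returned `lead` field carries the eight-digit code that precedes `LdapErr`, which can be compared against the table's 80090346 row.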

More Information

There might be more information for this subject on one of the following:
[1] Derived from various sources including http://msdn.microsoft.com/en-us/library/windows/desktop/ms681386(v=vs.85).aspx 2012-10-17