Symantec VIP Enterprise Gateway LDAP error code- 49

Article ID: 164943


Products

VIP Service

Issue/Introduction

LDAP: error code 49 shows in server.log.

ERROR: "auth.BaseLoginModule Failed login for <username>: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 532, vece ]"

ERROR "2019-08-29 15:46:47.335 GMT-0500" 10.4.145.240 LDAPSync 0 0 18478  "actor=LDAPSyncService,text=[LDAPStore:getConnection] Could not bind to the directory server.VsException [error=18478] [javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09042A\, comment: AcceptSecurityContext error\, data 532\, v3839 ]],op=Synchronization"

Environment

VIP Enterprise Gateway 9.9.0, 9.9.2, 9.10.1, 9.10.2, 9.10.3, 9.11.X

Cause

LDAP error 49 indicates an authentication failure when the VIP Enterprise Gateway (EGW) attempts to bind to the LDAP host specified in the EGW user store settings. Typically the bind Distinguished Name (DN) or the password is invalid, or the service account is locked.

LDAP bind errors are returned by the directory server at the LDAP connection IP address and captured in the VIP validation server logs. In the following example, error 49 and its specific sub-code (the hex value after "data") can be seen as returned from 10.0.0.1:

ERROR "2019-08-29 15:46:47.335 GMT-0500" 10.0.0.1 LDAPSync 0 0 18478  "actor=LDAPSyncService,text=[LDAPStore:getConnection] Could not bind to the directory server.VsException [error=18478] [javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09042A\, comment: AcceptSecurityContext error\, data 532\, v3839 ]],op=Synchronization"

LDAP result code 49 sub-codes for authentication failures (the "data" value is a Windows system error code in hex; source: https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-).

The most common sub-codes found are:

  • 525 = user object not found
  • 52e = invalid password/credential
  • 53f = credential policy violation
  • 530 = time restriction in place
  • 531 = not permitted to logon at this workstation
  • 532 = password expired / DN username mismatch
  • 533 = account disabled
  • 568 = too many context identifiers
  • 701 = account expired
  • 773 = username/password valid, must reset password
  • 775 = account lockout
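As an added example (not Symantec code), the following Python parses the error 49 message format quoted above out of server.log lines, maps the "data" sub-code to the table, and counts failures per LDAP host so that, for instance, repeated 775 results from one directory server point at a locked service account. The sample lines are constructed in the article's log format.

```python
import re
from collections import Counter

# AcceptSecurityContext "data" sub-codes (Windows error codes, hex), as tabulated above.
SUBCODES = {
    "525": "user object not found", "52e": "invalid password/credential",
    "53f": "credential policy violation", "530": "time restriction in place",
    "531": "not permitted to logon at this workstation",
    "532": "password expired / DN username mismatch", "533": "account disabled",
    "568": "too many context identifiers", "701": "account expired",
    "773": "username/password valid, must reset password", "775": "account lockout",
}

# JNDI-style message inside a VIP EGW server.log line. Commas are backslash-escaped in
# the LDAPSync line and bare in the BaseLoginModule line, hence the optional "\\".
_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]{8}: LdapErr: DSID-\w+\\?, "
    r"comment: (?P<comment>[^,\\]+)\\?, data (?P<data>[0-9A-Fa-f]+)\\?,"
)

SAMPLE_LINES = [  # constructed, in the server.log format quoted in the article (not real events)
    'ERROR "2019-08-29 15:46:47.335 GMT-0500" 10.0.0.1 LDAPSync 0 0 18478  "actor=LDAPSyncService,'
    'text=[LDAPStore:getConnection] Could not bind to the directory server.VsException [error=18478] '
    '[javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09042A\\, '
    'comment: AcceptSecurityContext error\\, data 532\\, v3839 ]],op=Synchronization"',
    'ERROR: "auth.BaseLoginModule Failed login for jdoe: [LDAP: error code 49 - 80090308: LdapErr: '
    'DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece ]"',
]

def parse_ldap_bind_error(line):
    """Return error code, sub-code and its meaning from one server.log line, or None."""
    m = _LDAP_ERR.search(line)
    if m is None:
        return None
    data = m.group("data").lower()
    host = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line)  # LDAP connection IP, if present
    return {
        "code": int(m.group("code")),
        "data": data,
        "meaning": SUBCODES.get(data, "unknown sub-code"),
        "ldap_host": host.group(0) if host else None,
    }

def summarize_bind_failures(lines):
    """Count error-49 sub-codes per LDAP host across many log lines."""
    counts = Counter()
    for line in lines:
        info = parse_ldap_bind_error(line)
        if info and info["code"] == 49:
            counts[(info["ldap_host"], info["data"], info["meaning"])] += 1
    return counts
```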

Resolution

532 can also be returned if the DN does not match the AD username. To resolve this, change the User DN field on the User Stores page to the user's Distinguished Name from Active Directory:

Steps to check the DN for a user object:

  • Open Active Directory Users and Computers.
  • Search for the user.
  • Open the Properties of the user and click the 'Attribute Editor' tab.
  • Check the distinguishedName (DN) attribute. This value can be used in the 'User DN' field in the VIP EG User Store settings.