LDAP error code 49 seen in PAM Tomcat Logs


Article ID: 406247


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Reviewing the Tomcat logs, you see an LDAP error code 49 entry such as the following:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090597, comment: AcceptSecurityContext error, data 52e, v4563]

With Active Directory, LDAP error 49 can appear for multiple reasons. Focus on the value immediately after "data" (here 52e): this data code gives the exact reason for the unsuccessful authentication.

Cause

Notice the data value in the example above. In this example we see 52e, which is "Invalid credentials". There can be many different causes. Here is a list of common Active Directory specific data codes associated with LDAP error 49:

  • 525 - User not found
  • 52e - Invalid credentials
  • 52f - Account Restrictions
  • 530 - Not permitted to logon at this time
  • 531 - Not permitted to logon at this workstation
  • 532 - Password expired
  • 533 - Account disabled
  • 701 - Account expired
  • 773 - User must reset password 
  • 775 - User account locked

Resolution

The possible data codes, and how to address each of them in PAM and LDAP, are listed below.

  • 525 - User not found

    Either the account no longer exists and should be deleted in PAM, or the DN was entered incorrectly in the PAM target account and should be reviewed.

  • 52e - Invalid credentials

    Confirm the password and credentials. Verify whether the Distinguished Name (DN) has been modified either in CA PAM or in LDAP; the DN must be the same in CA PAM and in LDAP.

  • 52f - Account Restrictions

    The account is in the Protected Users group, which disables NTLM. As a workaround, configure the PAM AD application to use Kerberos.

  • 530 - Not permitted to logon at this time

    Check for a logon time restriction on the user's account in AD.

  • 531 - Not permitted to logon at this workstation

    This is not a common error with PAM. It corresponds to a "Logon failure: user not allowed to log on from this workstation" error, meaning the user's Active Directory account has workstation restrictions preventing it from logging in from the current machine. Check the account in AD under the "Account" tab, specifically the "Log On To..." button, which lists the allowed or restricted computers for that user account.

  • 532 - Password expired

    The password has expired in AD.

  • 533 - Account disabled

    The account is disabled. Check the LDAP logs to confirm the account is ENABLED.

  • 701 - Account expired

    Similar to code "533", but the account is expired rather than disabled. In either case, if "data 701" is seen, confirm in AD that the account is enabled and has not expired.

  • 773 - User must reset password

    This account option (the user must reset the password at next logon) should not be set on accounts integrated with PAM.

  • 775 - User account locked

    The account is locked in AD, and the user that is rotating the password does not have the AD delegation required to unlock the account.
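When many of these errors arrive at once, it is faster to extract the data code from each Tomcat log line programmatically and map it to the meaning and remediation pointer from the two lists above. The following is an added example written for this article, not code from CA PAM or Broadcom: it parses constructed sample log lines (the timestamps, logger name and the unknown code 9ab are invented for illustration), pulls out the hex value after "data" for error code 49 entries, looks it up in the table above, and counts how often each code occurs. Codes not in the table are reported as unknown rather than guessed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample Tomcat log lines for illustration; not taken from a real PAM deployment.
SAMPLE_LOG_LINES = [
    "2024-01-01 10:00:01 WARN  LdapAuth - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090597, "
    "comment: AcceptSecurityContext error, data 52e, v4563]",
    "2024-01-01 10:00:05 WARN  LdapAuth - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090597, "
    "comment: AcceptSecurityContext error, data 775, v4563]",
    "2024-01-01 10:00:09 INFO  LdapAuth - bind succeeded for CN=svc-pam,OU=Service,DC=example,DC=com",
    "2024-01-01 10:00:12 WARN  LdapAuth - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090597, "
    "comment: AcceptSecurityContext error, data 9ab, v4563]",
]

# Active Directory data codes associated with LDAP error 49, with the meaning
# and the first thing to check in PAM/AD, as listed in this article.
AD_DATA_CODES: Dict[str, Tuple[str, str]] = {
    "525": ("User not found", "Delete the account in PAM or correct the DN on the PAM target account"),
    "52e": ("Invalid credentials", "Confirm the password; the DN must match in PAM and in LDAP"),
    "52f": ("Account Restrictions", "Protected Users group disables NTLM; use Kerberos for the PAM AD application"),
    "530": ("Not permitted to logon at this time", "Check logon time restrictions on the AD account"),
    "531": ("Not permitted to logon at this workstation", "Check the 'Log On To...' workstation list in AD"),
    "532": ("Password expired", "Password has expired in AD"),
    "533": ("Account disabled", "Confirm the account is ENABLED in AD"),
    "701": ("Account expired", "Confirm the account is enabled and not expired in AD"),
    "773": ("User must reset password", "Do not set this account option on PAM-integrated accounts"),
    "775": ("User account locked", "The rotating user lacks AD delegation to unlock the account"),
}

# Match an error 49 entry and capture the hex value that follows "data".
ERROR_49_RE = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-fA-F]+)")


def extract_data_code(line: str) -> Optional[str]:
    """Return the AD data code (lower-case hex) from an error 49 log line, or None."""
    match = ERROR_49_RE.search(line)
    return match.group(1).lower() if match else None


def describe(code: str) -> Tuple[str, str]:
    """Map a data code to (meaning, what to check); unknown codes are flagged, not guessed."""
    return AD_DATA_CODES.get(
        code, (f"Unknown AD data code {code}", "Look the code up in the AD/LDAP documentation")
    )


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (code, meaning, check) for every error 49 line; other lines are skipped."""
    results = []
    for line in lines:
        code = extract_data_code(line)
        if code is not None:
            meaning, check = describe(code)
            results.append((code, meaning, check))
    return results


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count error 49 entries per data code, which is what a quick log review needs first."""
    return dict(Counter(code for code, _, _ in triage(lines)))


if __name__ == "__main__":
    for code, meaning, check in triage(SAMPLE_LOG_LINES):
        print(f"data {code}: {meaning} -> {check}")
    print(summarize(SAMPLE_LOG_LINES))
```

Run the script against a copy of the Tomcat log (one line per entry) and start with the code that occurs most often; a burst of 775 entries, for example, points at a locked account rather than at PAM itself.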