...
There are several common LDAP error codes that indicate a problem with the fields specified when configuring AD LDAP external authentication.

Example:

    Error executing command. Failure: 400 Bad Request. Server message: Failed to verify configuration configuration-name: An authentication error occurred while accessing the naming or directory service: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

The AD-specific error code is the value that follows "data" in the message above (52e in this example). The following list contains some common codes and their meaning:

525 - user not found.
52e - invalid credentials.
530 - not permitted to logon at this time.
531 - not permitted to logon at this workstation.
532 - password expired.
533 - account disabled.
534 - The user has not been granted the requested logon type at this machine.
701 - account has expired.
773 - user must reset password.
775 - user account locked.

Common Active Directory LDAP bind errors:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: ] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: ] - ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: ] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: ] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: ] - LOCKOUT
NOTE: Returns even if invalid password is presented.

These are non-NetWorker LDAP related error codes.
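
The decoding described above, written as a shell helper. This is an added example, not part of the original article or of NetWorker; the function names and the "what to check" hints are assumptions of the example, derived from the NOTE lines in the list.

```shell
#!/bin/sh
# Added example, not NetWorker or Microsoft code.
# Sample input: the error message quoted in this article.
SAMPLE='[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]'

# Print the hex sub-code that follows "data" (lowercased); return 1 if absent.
ad_bind_subcode() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data \([0-9A-Fa-f]\{1,\}\),.*/\1/p' |
        tr 'A-F' 'a-f')
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# Map a sub-code to the meaning listed in this article; return 1 if not listed.
ad_bind_meaning() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials" ;;
        530) echo "not permitted to logon at this time" ;;
        531) echo "not permitted to logon at this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        534) echo "requested logon type not granted at this machine" ;;
        701) echo "account has expired" ;;
        773) echo "user must reset password" ;;
        775) echo "user account locked" ;;
        *)   echo "not listed in this article"; return 1 ;;
    esac
}

# One-line triage: sub-code, decimal Win32 value, meaning, and what to check.
# The "what to check" grouping is this example's own, based on the NOTE lines.
ad_bind_triage() {
    sub=$(ad_bind_subcode "$1") || { echo "no AD sub-code found"; return 1; }
    meaning=$(ad_bind_meaning "$sub") || { echo "data $sub: $meaning"; return 1; }
    case "$sub" in
        525) fix="check the config user name or DN" ;;
        52e) fix="check the config user password" ;;
        534) fix="check the logon rights granted to the account" ;;
        775) fix="unlock the account in AD" ;;
        *)   fix="name and password were accepted; fix the account state in AD" ;;
    esac
    echo "data $sub (decimal $((0x$sub))): $meaning -> $fix"
}

ad_bind_triage "$SAMPLE"
```
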
To confirm the config user Distinguished Name (DN), you can run the following:

Windows Server: On the Domain Controller, open an Administrator PowerShell prompt and use the Get-ADUser command to collect the Distinguished Name of the bind account you wish to use:

Syntax:

    Get-ADUser -Filter * -SearchBase "DC=DOMAIN,DC=DOMAIN" | findstr username

Example:

    PS C:\Users\Administrator> Get-ADUser -Filter * -SearchBase "DC=emclab,DC=local" | findstr Administrator
    DistinguishedName : CN=Administrator,CN=Users,DC=emclab,DC=local
    Name : Administrator
    SamAccountName : Administrator

Linux Server: On a Linux server with ldapsearch (non-NetWorker tool) installed, run:

Syntax:

    ldapsearch -x -h LDAP_SERVER -D "DOMAIN\AD_BIND_USER" -W cn=AD_BIND_USER -b DC=DOMAIN,DC=DOMAIN | grep dn

Example:

    [root@rhel7 ~]# ldapsearch -x -h winsrvr2k16.emclab.local -D "emclab\Administrator" -W cn=Administrator -b DC=emclab,DC=local | grep dn
    Enter LDAP Password:
    dn: CN=Administrator,CN=Users,DC=emclab,DC=local

Note: ldapsearch can be used when using AD or a Linux LDAP server.

Use the DN as shown in your corresponding command output as the config user when adding your external authority.