PhenixID

PSD1070 – Common Active Directory LDAP bind errors

Fact

Microsoft Active Directory

Situation

A list of common Active Directory LDAP bind errors

Solution

  • 525 – user not found
  • 52e – invalid credentials
  • 530 – not permitted to logon at this time
  • 532 – password expired
  • 533 – account disabled
  • 701 – account expired
  • 773 – user must reset password
  • 775 – accound locked

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0×525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0×530 – not permitted to logon at this time
DEC: 1328 – ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0×531 – not permitted to logon from this workstation
DEC: 1329 – ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0×532 – password expired
DEC: 1330 – ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] – PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0×533 – account disabled
DEC: 1331 – ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] – ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0×701 – account expired
DEC: 1793 – ERROR_ACCOUNT_EXPIRED (The user’s account has expired.)
LDAP[accountExpires: <value of -1, 0, or extemely large value indicates account will not expire>]
ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0×773 – user must reset password
DEC: 1907 – ERROR_PASSWORD_MUST_CHANGE (The user’s password must be changed before logging on the
first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] – MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

 

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0×775 – account locked out
DEC: 1909 – ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be
logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] – LOCKOUT
NOTE: Returns even if invalid password is presented.

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se