KB17098 - LDAP/AD authentication breaks and logs "Invalid credentials: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece" to access logs

Information

Last Modified Date: 8/2/2015 8:34 PM
Synopsis

An authentication server is a database that stores user credentials—username and password—and typically group information. Integration with external authentication servers is an integral part of the PCS access management framework and is supported on all Secure Access products.

The PCS platform supports Windows NT Domain, Active Directory, RADIUS, LDAP, NIS, RSA ACE/Server, SAML and eTrust SiteMinder.

Problem or Goal

Windows 2003/2008 authentication intermittently breaks, with the following message logged to the access logs:

"Could not connect to LDAP server ABC: Failed binding to admin DN: [49] Invalid credentials: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece"

Cause
Solution

The value between "data" and "vece" in the log message is a well-defined reason code.

For example, 775 is "user account locked". Some of the other reason codes are:

52e  invalid credentials
525  user not found
530  not permitted to logon at this time
531  not permitted to logon at this workstation
532  password expired
533  account disabled
701  account expired
773  user must reset password



Sometimes these messages are intermittent because of the "account lockout duration" policy. The account lockout duration can be found at:

Windows Server 2003: Domain Security Policy > Security Settings > Account Policies > Account Lockout Policies > Account Lockout Duration.

Windows Server 2008: Administrative Tools > Group Policy Management > Forest: > Domain (select the domain) > Domain Controller > Default Domain Controller (right click and edit) > Computer Configuration > Policies > Windows Settings > Security settings > Account settings > Account Lockout Policies > Account Lockout Duration.

By default, the lockout duration is 30 minutes. After 30 minutes the lock is removed automatically, which is why the failure is perceived as intermittent. You can also contact your AD administrator to unlock the account manually on a per-request basis.
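As an added example (not part of this KB article or the PCS product), the following Python decodes the reason code from access-log lines of the form shown above and tallies failures per LDAP server and reason, so a burst of 775 (lockout, which clears on its own) can be told apart from a genuinely wrong admin DN password. The regular expressions, the sample log lines and the "transient" classification are assumptions based only on the message format quoted in the article.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Sub-error codes named in the article, as they appear after "data" in the AD bind error text.
REASON_CODES = {
    "52e": "invalid credentials",
    "525": "user not found",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}
# 775 clears on its own once the account lockout duration passes (30 minutes by default).
TRANSIENT_CODES = {"775"}

# Assumed pattern: matches the "... AcceptSecurityContext error, data 775, vece" tail of the message.
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+), v[0-9a-f]+")
SERVER_RE = re.compile(r"Could not connect to LDAP server (\S+?):")

class BindFailure(NamedTuple):
    server: Optional[str]
    code: str
    reason: str
    transient: bool

def parse_bind_failure(line: str) -> Optional[BindFailure]:
    """Decode one access-log line; returns None if it is not an AD bind error."""
    m = DATA_RE.search(line)
    if m is None:
        return None
    code = m.group(1).lower()
    srv = SERVER_RE.search(line)
    return BindFailure(srv.group(1) if srv else None, code,
                       REASON_CODES.get(code, "unknown reason code"), code in TRANSIENT_CODES)

def summarize(lines) -> Counter:
    """Count failures per (server, reason) so a lockout burst stands out from a bad password."""
    parsed = (parse_bind_failure(line) for line in lines)
    return Counter((f.server, f.reason) for f in parsed if f is not None)

# Constructed sample lines (hypothetical): the article's message plus two variants.
PREFIX = "Could not connect to LDAP server ABC: Failed binding to admin DN: [49] Invalid credentials: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data "
SAMPLE_LOG = [PREFIX + "775, vece", PREFIX + "52e, v1db1", "Some unrelated access-log line"]
```

Calling `summarize(SAMPLE_LOG)` on the constructed lines yields one "user account locked" and one "invalid credentials" entry for server ABC; a run of only 775 entries that stops after about 30 minutes points at the lockout duration rather than a misconfigured admin DN.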

Created By: Data Deployment
