Knowledge Center Search


 

LDAP/AD authentication breaks and logs "Invalid credentials: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece" to access logs

  [KB17098] Show KB Properties

  [KB17098] Hide KB Properties

Categories:
Knowledge Base ID: KB17098
Last Updated: 25 Jun 2010
Version: 2.0

Summary:

An authentication server is a database that stores user credentials—username and password—and typically group information.  Integration with external authentication servers is an integral part of the IVE access management framework and is supported on all Secure Access products.

The Juniper Networks Instant Virtual Extranet (IVE) platform supports Windows NT Domain, Active Directory, RADIUS, LDAP, NIS, RSA ACE/Server, SAML and eTrust SiteMinder.

Problem or Goal:

Windows 2003/2008 authentication intermittently breaks with the following message logged to access logs.

"Could not connect to LDAP server ABC: Failed binding to admin DN: [49] Invalid credentials: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece"

Solution:

The information (between "data" and "vece") embedded in log message are WELL DEFINED REASON STRINGS.

For example G., 775 is “user account locked”.  Some of the other reason strings are:
 

52e invalid credentials
525 user not found
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password



Sometimes these messages are intermittent due to "account lockout duration" policies.  The account lockout duration can be found at:
 

Windows server 2003: Domain Security Policy > Security Settings > Account Policies > Account Lockout Policies > Account Lockout Duration.

Windows Server 2008: Administrative Tools > Group Policy Management > Forest: > Domain (select the domain) > Domain Controller > Default Domain Controller(right click and edit) > Computer Configuration > Policies > Windows Settings > Security settings > Account settings > Account Lockout Policies > Account Lockout Duration.


By default, the time is 30 minutes. Hence after 30 minutes the lock will be removed; thus being perceived as intermittent. You can also contact your AD administrator and manually unlock on a per-request basis.

Purpose:
Troubleshooting

Related Links:

 

 

ASK THE KB

Question or KB ID:


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.