NetScaler – LDAP Authentication (Error 49)

Today I got a call from my customer that a specific user couldn’t log in over the NetScaler Gateway. After entering the username and password, the user was left with the message “Invalid credentials. Please try again”.


After starting a CLI session and looking into the authentication process with these commands:

shell
cd /tmp
cat aaad.debug

I found the following error code:

Wed Feb 15 09:59:55 2017

/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>

Wed Feb 15 09:59:55 2017

/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials

You get error code 531 if a logon restriction is configured on the user account.

49 / 531     RESTRICTED_TO_SPECIFIC_MACHINES     Indicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.

http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes

After adding the Domain Controller to the allowed logon computers, the authentication was successful.
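An added example, not part of the original post: a small Python parser that pulls the AD `data` sub-code out of aaad.debug output and decodes it. It goes beyond the single 531 case above by including the other commonly seen bind sub-codes, which are Win32 logon errors written in hex (531 hex is 1329, ERROR_INVALID_WORKSTATION). The function name, the table and the second sample entry are constructed for illustration.

```python
import re

# Active Directory puts a Win32 logon error, in hex, after "data" in the
# diagnostic text of an LDAP error 49 bind failure.
AD_BIND_DATA = {
    0x525: "ERROR_NO_SUCH_USER: user not found",
    0x52E: "ERROR_LOGON_FAILURE: wrong password",
    0x530: "ERROR_INVALID_LOGON_HOURS: logon not permitted at this time",
    0x531: "ERROR_INVALID_WORKSTATION: logon not permitted from this computer",
    0x532: "ERROR_PASSWORD_EXPIRED: password expired",
    0x533: "ERROR_ACCOUNT_DISABLED: account disabled",
    0x701: "ERROR_ACCOUNT_EXPIRED: account expired",
    0x773: "ERROR_PASSWORD_MUST_CHANGE: password must be changed at next logon",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT: account locked out",
}
TIMESTAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
DATA_CODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+),")

def decode_aaad(lines):
    """Return (timestamp, hex code, Win32 error number, meaning) per AD bind failure."""
    stamp, found = None, []
    for raw in lines:
        line = raw.strip()
        if TIMESTAMP.match(line):
            stamp = line  # aaad.debug prints the time on its own line
            continue
        match = DATA_CODE.search(line)
        if match:
            code = int(match.group(1), 16)  # the sub-code is hexadecimal
            meaning = AD_BIND_DATA.get(code, "not in table: look up as a Win32 error")
            found.append((stamp, match.group(1).lower(), code, meaning))
    return found

# The first entry is the log from the post; the second is constructed for contrast.
SAMPLE = """\
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
Wed Feb 15 10:03:12 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580>>
"""

if __name__ == "__main__":
    for stamp, hex_code, win32, meaning in decode_aaad(SAMPLE.splitlines()):
        print(f"{stamp}  data {hex_code} (Win32 {win32})  {meaning}")
```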
