NetScaler – LDAP Authentication (Error 49)

Today I got a call from my customer that a specific user couldn’t log in over the NetScaler Gateway. After entering the username and password, the user was left with the message “Invalid credentials. Please try again”.

After starting a CLI session, looking into the authentication process with the commands:

shell
cd /tmp
cat aaad.debug

I found the following error code:

Wed Feb 15 09:59:55 2017

/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>

Wed Feb 15 09:59:55 2017

/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials

You will get error code 531 (the "data 531" value in the LDAP error string) if there is a logon restriction configured within the user account.

49 / 531     RESTRICTED_TO_SPECIFIC_MACHINES     Indicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.

http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes

After adding the Domain Controller to the allowed logon computers, the authentication was successful.
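
To triage these failures across a longer capture of aaad.debug output, the AD sub-code can be extracted and paired with the LDAP result line automatically. The Python script below is an added example, not part of the original post or of NetScaler; the function name parse_aaad_debug, the sub-code table and the second sample entry are constructed for illustration.

```python
import re

# AD sub-codes (hex) from the "data NNN" field of an LDAP error 49 bind failure.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this computer",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Account-state failures: resetting the password will not fix these.
ACCOUNT_RESTRICTION = {"530", "531", "532", "533", "701", "773"}

TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
RESULT_RE = re.compile(r"LDAP action failed \(error (\d+)\)")

def parse_aaad_debug(text):
    """Pair each 'LDAP action failed' line with the AD sub-code logged before it."""
    findings, timestamp, subcode = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if TS_RE.match(line):
            timestamp = line
        elif DATA_RE.search(line):
            subcode = DATA_RE.search(line).group(1).lower()
        elif RESULT_RE.search(line):
            findings.append({
                "time": timestamp,
                "ldap_error": int(RESULT_RE.search(line).group(1)),
                "ad_subcode": subcode,
                "meaning": AD_SUBCODES.get(subcode, "unknown"),
                "account_restriction": subcode in ACCOUNT_RESTRICTION,
            })
            subcode = None  # do not carry the sub-code into the next failure
    return findings

# First entry: the two log lines quoted in the post. Second entry: constructed sample.
SAMPLE = """\
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
Wed Feb 15 10:04:12 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580>>
Wed Feb 15 10:04:12 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
"""

if __name__ == "__main__":
    for finding in parse_aaad_debug(SAMPLE):
        print(finding)
```

Both entries surface to the user as the same “Invalid credentials” message; only the sub-code separates an account restriction (531) from a wrong password (52e).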
