Today I got a call from my customer that a specific user couldn’t log in over the NetScaler Gateway. After entering the username and password, the user was left with the message “Invalid credentials. Please try again”.
After starting a CLI session, I looked into the authentication process with the following commands:
shell
cd /tmp
cat aaad.debug
I found the following error code:
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>
Wed Feb 15 09:59:55 2017
/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
You will get error code 531 if there is a logon restriction configured within the user account.
49 / 531 RESTRICTED_TO_SPECIFIC_MACHINES: Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.
http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes
After adding the Domain Controller to the allowed logon computers, the authentication was successful.
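Added example (not part of the original post and not Citrix code): a small Python parser that pulls the AD sub-code out of the "data" field of aaad.debug lines like the ones above and decodes it, so a gateway that only shows "Invalid credentials" can be triaged quickly. The names decode_aaad_lines and AD_BIND_SUBCODES are assumptions of this example, the table goes beyond 531 to the other commonly documented AD bind sub-codes, and the timestamp handling assumes the layout shown in this post.

```python
import re

# AD sub-codes in the "data" field of an LDAP error 49; the field is hexadecimal.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this computer",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Layout of the string that ns_show_ldap_err_string writes, as quoted in the post.
ERR_RE = re.compile(
    r"LDAP error string: <<(?P<status>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+>>"
)
# Assumption: the timestamp sits on its own line before each entry, as in the post.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")

def decode_aaad_lines(lines):
    """Return one dict per AD bind failure found in aaad.debug output."""
    findings, last_ts = [], None
    for line in lines:
        line = line.strip()
        if TS_RE.match(line):
            last_ts = line
            continue
        m = ERR_RE.search(line)
        if not m:
            continue  # e.g. the generic "LDAP action failed (error 49)" line
        code = m.group("data").lower()
        findings.append({
            "timestamp": last_ts,
            "data": code,
            "win32_error": int(code, 16),  # 0x531 == 1329
            "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
        })
    return findings

# Sample input: the log entries quoted in this post.
SAMPLE = [
    "Wed Feb 15 09:59:55 2017",
    "/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[233]: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 531, v2580>>",
    "Wed Feb 15 09:59:55 2017",
    "/home/build/rs_111_48_7_RTM/usr.src/netscaler/aaad/ldap_common.c[418]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials",
]
```

Calling decode_aaad_lines(SAMPLE) returns a single finding for sub-code 531; unknown sub-codes are reported as such rather than dropped.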
Thank you very much!