When authentication fails while using Active Directory, Active Directory returns its own error codes to indicate the reason for the failure; you must retrieve and handle or display these errors appropriately. Below are some of the most common errors you may receive, including example error messages and reasons for the error.

525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
531 - not permitted to logon from this workstation
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
775 - account locked

525 - user not found
Returned when an invalid username is supplied.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)

52e - invalid credentials
Returned when a valid username is supplied but an invalid password/credential is supplied. If this error is received, it will prevent most other errors from being displayed.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)

530 - not permitted to logon at this time
Returned when a valid username and password/credential are supplied during times when login is restricted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)

531 - not permitted to logon from this workstation
Returned when a valid username and password/credential are supplied, but the user is restricted from using the workstation where the login was attempted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]

532 - password expired
Returned when a valid username is supplied, and the supplied password is valid but expired.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED

533 - account disabled
Returned when a valid username and password/credential are supplied but the account has been disabled.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE

701 - account expired
Returned when a valid username and password/credential are supplied but the account has expired.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] - ACCOUNTEXPIRED

773 - user must reset password
Returned when a valid username and password/credential are supplied, but the user must change their password immediately (before logging in for the first time, or after the password was reset by an administrator).
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD

775 - account locked out
Returned when a valid username is supplied, but the account is locked out. Note that this error will be returned regardless of whether or not the password is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT
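One way to retrieve and handle these codes, as an added example that is not part of the original post: the function below pulls the hex "data" field out of the bind error string, maps it using the table above, and keeps the detailed reason for logs while choosing what the user sees. The function name, the message wording and the policy of giving 525, 52e and 775 one generic message (so a login form does not confirm which usernames exist) are assumptions of this example.

```python
import re

# "data" sub-code (hex) -> (Win32 constant, meaning), as listed on this page.
AD_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to logon at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to logon from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Assumed policy (not from the page): codes the page describes as returned
# without a valid password share one generic user-facing message.
GENERIC_CODES = {0x525, 0x52E, 0x775}
GENERIC_MSG = "Invalid username or password."

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)\b")


def classify_bind_error(diagnostic):
    """Parse an AD bind failure string into log detail and a user message."""
    match = DATA_RE.search(diagnostic or "")
    code = int(match.group(1), 16) if match else None
    name, meaning = AD_SUBCODES.get(code, (None, "unrecognized bind failure"))
    if name is None or code in GENERIC_CODES:
        user_message = GENERIC_MSG          # unknown or enumeration-sensitive
    else:
        user_message = "Sign-in refused: " + meaning + "."
    return {
        "hex": format(code, "x") if code is not None else None,
        "decimal": code,                    # Win32 error number, e.g. 1326
        "win32": name,
        "log_reason": meaning,              # full detail, server-side only
        "user_message": user_message,
    }


if __name__ == "__main__":
    # Example string taken from the page, with the 773 sub-code.
    sample = ("80090308: LdapErr: DSID-0C09030B, comment: "
              "AcceptSecurityContext error, data 773, v893")
    print(classify_bind_error(sample))
```
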
Thursday, December 12, 2019
Active Directory Authentication Error Codes