FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ycho
Staff
Article Id 197775

Description


This article describes what the fnbamd debug message 'fnbamd_ldap_parse_response-Error 49' means and how to resolve it.

When a user authenticates to FortiGate against an LDAP server (here an Active Directory domain controller), the logon fails and the FortiGate debug output shows the following error:

 

fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)

 

Scope

 

FortiGate.


Solution


In the fnbamd debug logs, the error appears when the user tries to log on through the LDAP server. The first block below is a successful attempt, shown for comparison; the second is the failing one: the DN search finds the user, but the bind with the user's password is rejected, and since no other DN is left to try, fnbamd returns a failure for the request.

 

[584] fnbamd_ldap_build_dn_search_req-base:'DC=itwea,dc=com' filter:sAMAccountName=xxxxx
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,CN=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,CN=XXX,DC=XXX,DC=com
[52] ldap_dn_list_del_all-Del CN=XXX,CN=XXX,DC=XXX,DC=com
[2821] fnbamd_ldap_result-Result for ldap svr XXX.XXX.XXX.XXX is SUCCESS

[1552] fnbamd_ldap_init-search filter is: sAMAccountName=XXX
[1561] fnbamd_ldap_init-search base is: DC=XXX,dc=com
[584] fnbamd_ldap_build_dn_search_req-base:'DC=XXX,dc=com' filter:sAMAccountName=XXX
[1100] __fnbamd_ldap_dn_entry-Get DN 'CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[90] ldap_dn_list_add-added CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[429] fnbamd_ldap_build_userbind_req-Trying DN ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com '
[196] __ldap_build_bind_req-Binding to ' CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com'
[852] fnbamd_ldap_send-sending 123 bytes to XXX.XXX.XXX.XXX
[864] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[895] __fnbamd_ldap_read-Read 8
[895] __fnbamd_ldap_read-Read 102
[1075] fnbamd_ldap_recv-Response len: 104, svr: XXX.XXX.XXX.XXX
[756] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)
[791] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[425] fnbamd_ldap_build_userbind_req-No more DN left
[737] __ldap_error-
[726] __ldap_stop-svr 'ad_server'
[52] ldap_dn_list_del_all-Del CN=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 1824141631
[653] destroy_auth_session-delete session 1824141631

'fnbamd_ldap_parse_response-Error 49' means Invalid credentials (49).

 

Result code 49 is the standard LDAP result invalidCredentials (RFC 4511): the server rejected the bind. When the server is Active Directory, the diagnostic message attached to the result carries extra detail: '80090308' and 'AcceptSecurityContext error' indicate that the Windows security subsystem refused the credentials, and the 'data' field holds a hexadecimal sub-code that identifies why. Here the sub-code is 52e: the username resolved to a valid account (the DN search succeeded, as the debug output shows), but the password presented did not match.

Note that AD returns result 49 for every one of the sub-codes listed below, including 525 (user not found), so it is the 'data' value, not the 49 itself, that identifies the cause.

In summary, the error is not a FortiGate problem. The directory rejected the bind because the credentials the user presented did not match the account registered in LDAP; the fix is to correct the password (or the account details) on the directory side or with the user, not on the FortiGate.

Here is a brief summary of the other AD sub-codes and their meanings:

  1. 525 - User not found: This error is returned when an invalid username is provided, indicating that the specified user does not exist in the LDAP directory.

  2. 52e - Invalid credentials: A valid username was provided, but the supplied password or credential is incorrect. Because the password check fails first, the time, workstation, expiry and disabled-account checks are never reached; the sub-codes below only appear once the password itself is correct.

  3. 530 - Not permitted to logon at this time: This error is returned when a valid username and password are supplied during periods when login is restricted. There may be time-based access restrictions in place.

  4. 531 - Not permitted to logon from this workstation: It's returned when a valid username and password are provided, but the user is restricted from using the workstation from which the login attempt was made. Workstation-based access restrictions are in effect.

  5. 532 - Password expired: This error occurs when a valid username is supplied, and the provided password is correct but has expired. The user is required to change their password.

  6. 533 - Account disabled: Returned when a valid username and password are provided, but the user's account has been disabled. Authentication is prevented due to the disabled status of the account.

  7. 701 - Account expired: This error is returned when a valid username and password are supplied, but the user's account has expired, preventing successful authentication.

  8. 773 - User must reset password: If a valid username and password are supplied, this error indicates that the user is required to reset their password immediately before logging in for the first time or after an administrator has reset the password.

  9. 775 - Account locked out: This error is returned when a valid username is supplied, but the user's account is locked out due to too many failed login attempts. It's important to note that this error is returned even if the password provided is valid.

These sub-codes give specific information about the state of the account and the reason the attempt failed, which makes LDAP authentication problems much easier to diagnose. Two caveats for the defender: because the sub-code distinguishes 525 (no such user) from 52e (wrong password), anyone who can attempt binds against the domain controller can use it to enumerate valid usernames, so repeated 525 and 52e results from one source are worth treating as a reconnaissance or password-guessing signal; and repeated 52e attempts against a real account will eventually produce 775 (locked out), so a sudden run of 775 results can indicate an attack rather than forgetful users.
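To show how the AD 'data' sub-code, rather than the result code, carries the cause, here is an added Python example (not code from the article or from Fortinet) that parses fnbamd bind-response lines such as the one above, maps each to the sub-code table, and summarizes a batch of them. The sample lines other than the article's own are constructed, as is the summarize() alert logic; the regular expression is based on the line format shown in the debug output above.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Bind-response line format as seen in the fnbamd debug output above:
# "fnbamd_ldap_parse_response-Error 49(<diagnostic message>)". The number after
# "Error" is the LDAP result code; the diagnostic message is optional and, for
# Active Directory, contains "data <hex sub-code>".
ERROR_RE = re.compile(
    r"fnbamd_ldap_parse_response-Error\s+(?P<code>\d+)(?:\((?P<diag>[^)]*)\))?"
)
AD_DATA_RE = re.compile(r"\bdata\s+(?P<data>[0-9a-fA-F]+)\b")

# LDAP result codes (RFC 4511) that a bind attempt commonly returns.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Active Directory AcceptSecurityContext sub-codes, as listed in this article.
AD_SUBCODE = {
    "525": "user not found",
    "52e": "invalid credentials (valid user, wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_bind_error(line: str) -> Optional[Tuple[int, Optional[str], str]]:
    """Return (ldap_code, ad_subcode, meaning) for an fnbamd Error line, else None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    diag = m.group("diag") or ""
    d = AD_DATA_RE.search(diag)
    sub = d.group("data").lower() if d else None
    if sub is not None:
        # AD returns result 49 for every sub-code, so the sub-code is the real cause.
        meaning = AD_SUBCODE.get(sub, f"unknown AD sub-code {sub}")
    else:
        # Non-AD server (or no diagnostic): only the LDAP result code is available.
        meaning = LDAP_RESULT.get(code, f"LDAP result {code}")
    return code, sub, meaning


def summarize(lines):
    """Count bind failures by cause and flag the patterns worth an alert (constructed logic)."""
    counts = Counter()
    for line in lines:
        parsed = parse_bind_error(line)
        if parsed is None:
            continue
        code, sub, _meaning = parsed
        counts[f"data {sub}" if sub else f"result {code}"] += 1

    findings = []
    if counts["data 525"] and counts["data 52e"]:
        findings.append("both 525 and 52e seen: the client can tell valid from invalid usernames (enumeration)")
    if counts["data 775"]:
        findings.append("775 seen: an account has been locked out, likely by repeated wrong passwords")
    return counts, findings


# Constructed sample: the first line is the article's own; the rest are invented
# to exercise the other branches (user not found, lockout, a non-AD server, a non-result line).
SAMPLE_LINES = [
    "[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)",
    "[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 525, v4563)",
    "[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563)",
    "[778] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 775, v4563)",
    "[778] fnbamd_ldap_parse_response-Error 49(Invalid credentials)",
    "[791] fnbamd_ldap_parse_response-ret=49",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_bind_error(line))
    counts, findings = summarize(SAMPLE_LINES)
    print(dict(counts))
    for f in findings:
        print("ALERT:", f)
```

The parser deliberately keeps the LDAP result code and the AD sub-code separate: a 49 with no 'data' field (an OpenLDAP server, for example) tells you only that the bind failed, while a 49 with 'data 525' tells you the username itself is wrong.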


Reference: commands to confirm the account information.

On the Active Directory domain controller (or a host with the AD DS tools), confirm that the account exists and check its distinguished name and logon name:

dsquery user -name "<admin full user name>"
dsquery user -samid <admin login name>

Then verify the password itself against the LDAP server from the FortiGate CLI, which performs the same search-and-bind that fnbamd does at logon:

diagnose test authserver ldap <server name> <user> <password>

To capture fnbamd output like the blocks above while running the test, enable fnbamd debugging first (diagnose debug application fnbamd -1, then diagnose debug enable) and disable it afterwards.