2

I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine but for one user I am getting the response:

javax.naming.AuthenticationException: [LDAP: error code 49 - 8
0090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568,
v1772 ]

I know that 49 means this is an authentication failure, and that the relevant sub code is 568, but I am only aware of the following meanings for that data:

  • 525 - user not found
  • 52e - invalid credentials
  • 530 - not permitted to logon at this time
  • 532 - password expired
  • 533 - account disabled
  • 701 - account expired
  • 773 - user must reset password

So far I am unable to find an authorative source of these error codes from Microsoft (this list is pieced together from forum posts) and I can't find anything for that 568 error.

Does anyone know what it means?

EDIT: It looks like the source of this list comes from this documentation from IBM

Dean Povey
  • 9,256
  • 1
  • 41
  • 52

1 Answers1

6

This and this list contain error codes that seem to correspond to the above numbers, viz.

  • ERROR_NO_SUCH_USER 1317 (0x525) The specified account does not exist.
  • ERROR_LOGON_FAILURE 1326 (0x52E) Logon failure: unknown user name or bad password.
  • ERROR_INVALID_LOGON_HOURS 1328 (0x530) Logon failure: account logon time restriction violation.
  • ERROR_PASSWORD_EXPIRED 1330 (0x532) Logon failure: the specified account password has expired.
  • ERROR_ACCOUNT_DISABLED 1331 (0x533) Logon failure: account currently disabled.
  • ERROR_ACCOUNT_EXPIRED 1793 (0x701) The user's account has expired.
  • ERROR_PASSWORD_MUST_CHANGE 1907 (0x773) The user's password must be changed before logging on the first time.

From this list it appears that this error code means:

ERROR_TOO_MANY_CONTEXT_IDS 1384 (0x568) During a logon attempt, the user's security context accumulated too many security IDs.

It turns out that this account has 2000 group memberships which are overrunning an internal Active Directory limit. You may only have 1015 or so group memberships otherwise login will fail.

More information is available on this error at: http://go.microsoft.com/fwlink/?LinkId=146571.

Dean Povey
  • 9,256
  • 1
  • 41
  • 52
  • 1
    Cool! That is a new one for my collection! Updated my article at: http://www.novell.com/communities/node/1424/sub-error-codes-ldap-error-49 – geoffc Apr 20 '10 at 10:43
  • We recently decided to implement Role Based Access Controls to our systems and as the dev I ended up in 1186 AD groups. None of our support people could work why I couldn't login to our VPN and I had my password changed 3 times in a day! I used `ldapsearch` in WSL to debug it using my account as the bind user. The login error reported `ldap_bind: Invalid credentials` and has a data field that output's these codes. Thanks for this answer! – Martin Jun 28 '23 at 09:25