Unable to bind or log into LDAP using specific credentials

Nick@519 31 Reputation points
2020-11-03T15:03:36.657+00:00

So this is happening with very specific user accounts. Most user accounts have no problems, but a handful are failing. Using LDP to bind, I'm getting this error:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='firstname.lastname'; Pwd=<unavailable>; domain = 'domainname.local'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090588, comment: AcceptSecurityContext error, data 569, v2580
Error 0x8009030C The logon attempt failed

I am absolutely certain that the credentials are correct, because this is happening with my domain account. I can log into my Windows systems with no problems, including the DCs. But logging into LDAP, it fails.

I believe this is the important detail of the error:

Server error: 8009030C: LdapErr: DSID-0C090588, comment: AcceptSecurityContext error, data 569, v2580

This lists the errors https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

But there isn't an entry for 569...

This actually first occurred this afternoon with the built-in domain Administrator account. Our VPN services were failing because the LDAP bind utilized the built-in domain Administrator account. After spending an hour attempting to resolve it without success, I simply created an ldap user account to use with LDAP. Now a few hours later, the same issue is happening with my own domain account. What is happening here?


Accepted answer
  1. Anonymous
    2020-11-06T05:57:24.127+00:00

    Hello @Nick@519 ,

    Thank you for your update and sharing.

    I am so glad that the problem was resolved.

    As to the question: is there a way to see who exactly made the change?

    I have done a test in my lab and it worked.

    If we want to check who exactly made the change on this machine (not all machines in the domain), we can configure the following audit policy through local group policy on this machine (or maybe you have already configured it as mentioned).

    1. Type gpedit.msc in the Start search bar and press Enter.
    2. Navigate to Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration\System Audit Policies- Local Group Policy Object\Policy Change\Audit Authentication Policy Change ==> Success and Failure.

    3. Run gpupdate /force or restart the machine to refresh the GPO setting.

    4. If I add a user or group to Deny access to this computer from the network under Local Group Policy Editor > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Users Rights Assignments,

    I will see event ID 4717 as below (I added user account user15s using A\administrator).

    5. If I remove a user or group from Deny access to this computer from the network under Local Group Policy Editor > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Users Rights Assignments,

    I will see event ID 4718 as below (I removed user account user15s using A\administrator).

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

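The accepted answer's audit procedure ends with events 4717 and 4718, which record who granted or removed a logon right such as "Deny access to this computer from the network" (right name SeDenyNetworkLogonRight). That is the right behind the original symptom: the "data 569" in the AcceptSecurityContext error is the Win32 error code in hex, 0x569 = 1385 = ERROR_LOGON_TYPE_NOT_GRANTED, i.e. the account was refused the network logon type rather than failing its password. The script below is an added example, not from the answer or from Microsoft; it reads those two events from the Security log and lists the right, the affected account and the account that made the change. Assumptions: it runs in an elevated PowerShell on the machine whose policy changed (a DC here) after the audit subcategory is enabled, and the 7-day window and the `SeDeny*` right filter are my choices.

```powershell
# Added example: report who granted (4717) or removed (4718) logon rights.
# Assumes the "Audit Authentication Policy Change" subcategory is already on.
param(
    [int]$Days = 7,                         # how far back to look (assumption)
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$RightPattern = 'SeDeny*'       # only the Deny* logon rights by default
)

$filter = @{
    LogName   = 'Security'
    Id        = 4717, 4718
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as an error; treat that as an empty result.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4717 names the right in AccessGranted, 4718 in AccessRemoved.
        $right = if ($_.Id -eq 4717) { $data['AccessGranted'] } else { $data['AccessRemoved'] }

        # Resolve the target SID to an account name; fall back to the raw SID.
        $target = $data['TargetSid']
        try {
            $sid    = [System.Security.Principal.SecurityIdentifier]$data['TargetSid']
            $target = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = if ($_.Id -eq 4717) { 'Granted' } else { 'Removed' }
            Right     = $right
            Account   = $target
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId   = $data['SubjectLogonId']   # correlate with 4624 to find the session
        }
    } |
    Where-Object { $_.Right -like $RightPattern } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A "Granted" row for SeDenyNetworkLogonRight against the Administrator account, with ChangedBy naming the subject, is the change that turns a correct password into "Invalid Credentials" on an LDAP bind.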

5 additional answers

  1. Nick@519 31 Reputation points
    2020-11-06T01:22:33.137+00:00

    When I try to RDP into the DC using the built-in domain Administrator account, I'm getting this error:
    The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

    These are all the groups the Administrator account belongs to:

    name
    ----
    Domain Users
    Exchange Organization Administrators
    Performance Monitor Users
    Administrators
    Enterprise Admins
    Domain Admins
    Schema Admins
    Group Policy Creator Owners
    fax
    Event Log Readers
    vmWareAdmin
    Veeam Repository

