Project

General

Profile

Actions

Defect #20699

open

ldap error - not permitted to logon at this workstation

Added by Alexander Ryabinovskiy over 9 years ago. Updated about 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
LDAP
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

I configured "LDAP authentication" for our Active Directory.
On Windows 2003 server x68 and Windows 2012 server x64 login attempts ends with the error (logged using WireShark):

LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece)

which means "not permitted to logon at this workstation". The solution is to add AD server to "userWorkstations" list of each domain user, and it works. But it is a bad solution and our administrators does not accept this.
This behavior was commented a year ago:
#1913#note-29


Files

redmine_auth_source_ldap_531fix.diff (1.12 KB) redmine_auth_source_ldap_531fix.diff Alexander Ryabinovskiy, 2017-12-13 12:15
Actions #1

Updated by Toshi MARUYAMA about 9 years ago

  • Description updated (diff)
Actions #2

Updated by xuezhi li over 7 years ago

I had the same problem with you. Have you solved this problem without adding AD server to "userWorkstations" list of each domain user?

Actions #3

Updated by Alexander Ryabinovskiy about 7 years ago

xuezhi li wrote:

I had the same problem with you. Have you solved this problem without adding AD server to "userWorkstations" list of each domain user?

No, currently I`m using solution with Apache + sspi mod :(
http://www.redmine.org/boards/2/topics/127?page=2

Actions #4

Updated by Alexander Ryabinovskiy about 7 years ago

I used this patch for auth_source_ldap to enable ldap authentification in my situation.
The idea is based on this description of "error 531" and confirmed with my tests:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893 
HEX: 0x531 - not permitted to logon from this workstation 
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.) 
LDAP[userWorkstations: <multivalued list of workstation names>] 
NOTE: Returns only when presented with valid username and password/credential. 

So, if this error was returned - username / password are ok, and I return "true" as a authenticate_dn result.
I understand that searching in error text is not very good solution, but I don`t have any other, and it works.

Actions

Also available in: Atom PDF