Defect #20699
open
ldap error - not permitted to logon at this workstation
Added by Alexander Ryabinovskiy about 9 years ago.
Updated almost 7 years ago.
Description
I configured "LDAP authentication" for our Active Directory.
On Windows 2003 server x68 and Windows 2012 server x64 login attempts ends with the error (logged using WireShark):
LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece)
which means "not permitted to logon at this workstation". The solution is to add AD server to "userWorkstations" list of each domain user, and it works. But it is a bad solution and our administrators does not accept this.
This behavior was commented a year ago:
#1913#note-29
Files
- Description updated (diff)
I had the same problem with you. Have you solved this problem without adding AD server to "userWorkstations" list of each domain user?
xuezhi li wrote:
I had the same problem with you. Have you solved this problem without adding AD server to "userWorkstations" list of each domain user?
No, currently I`m using solution with Apache + sspi mod :(
http://www.redmine.org/boards/2/topics/127?page=2
I used this patch for auth_source_ldap to enable ldap authentification in my situation.
The idea is based on this description of "error 531" and confirmed with my tests:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
So, if this error was returned - username / password are ok, and I return "true" as a authenticate_dn result.
I understand that searching in error text is not very good solution, but I don`t have any other, and it works.
Also available in: Atom
PDF
Updated by Toshi MARUYAMA 
Updated by 
Updated by