
I am trying to bind a user in PHP through ldap_bind() but getting an "Invalid Credentials" error.

"LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1"

The username and password are good, and I am able to log in to other applications (Windows system or SharePoint) with them.

It is failing when I pass the username parameter as 'account@company.com', but it works with 'domain\account' or with the complete DN like CN="", OU="" etc. This behaviour is only for one user, so it may not be a good idea to change the code to make it work. Any suggestions on how to trace and find where the issue is?

I have compared the user's Exchange properties with another working user, but we could not find any difference. We tried to rename the user's principal name property and it worked, but when we reverted, the issue was the same.

  • Have you tried setting OPT_REFERRALS like in this question http://stackoverflow.com/questions/140439/authenticating-against-active-directory-using-python-ldap?rq=1? – R A Oct 10 '16 at 13:43
  • You should not be checking anything in Exchange for this. When you log in using the form `username@domain.com` you are using their UPN. To check that it is valid for this user, you should open AD Users and Computers, find their account, go to the Account tab, and look at the very top entry under "User Logon Name". Another way to check would be to attempt to log in to a workstation with `username@domain.com` for the account in question; you should get the same behavior. – ChadSikorra Oct 10 '16 at 14:10
  • Hi Chad- Thanks for your quick response. – Venki Oct 10 '16 at 14:43
  • Hi Chad- Thanks for your quick response. 1) I have tried opt_referrals but do not see any change. 2) Checked the user's logon name in AD; it displays correctly. User logon name = "account" and suffix is "domain.com". 3) Tried to log in to the dev workstation the same way, as account@domain.com; it works. – Venki Oct 10 '16 at 14:52
  • @Venki What does your full connect/bind code look like? – ChadSikorra Oct 10 '16 at 15:42
  • `$this->_conn = ldap_connect("ldaps://domain.com", Port#); // Tried with a specific domain controller by IP address; issue is the same.` `$username = "account"; $account_suffix = "@domain.com"; $password = "password";` `$this->_bind = @ldap_bind($this->_conn, $username . $account_suffix, $password);` – Venki Oct 10 '16 at 16:26
  • @ChadSikorra `$this->_conn = ldap_connect("ldaps://domain.com", Port#); // Tried with a specific domain controller by IP address; issue is the same.` `$username = "account"; $account_suffix = "@domain.com"; $password = "password";` `$this->_bind = @ldap_bind($this->_conn, $username . $account_suffix, $password);` – Venki Oct 10 '16 at 17:27
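One way to trace a bind failure like the one in the question, as an added example that is not part of the original post or its comments: bind without the `@` suppression, read AD's extended diagnostic string, decode the `data NNN` sub-code (52e here) so it can be told apart from a disabled, locked or expired account, and, using a name form that does work, read back the `userPrincipalName` AD actually holds for the account. Server URI, base DN and credentials are placeholders.

```php
<?php
// Well-known AD sub-codes found in "AcceptSecurityContext error, data XXX".
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (bad password, or this name form does not resolve to the account)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// Pull the 3-hex-digit sub-code out of the diagnostic string and explain it.
function decodeAdBindError(string $diag): array
{
    if (preg_match('/data\s+([0-9a-f]{3})/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return ['subcode' => $code, 'meaning' => AD_BIND_SUBCODES[$code] ?? 'unknown sub-code'];
    }
    return ['subcode' => null, 'meaning' => 'no AD sub-code in diagnostic message'];
}

// Bind and, on failure, return errno, error text, the raw diagnostic and its decoding.
function diagnoseBind(string $uri, string $bindName, string $password): array
{
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD: do not chase referrals on bind
    if (ldap_bind($conn, $bindName, $password)) {    // no "@": let the failure surface
        return ['ok' => true, 'conn' => $conn];
    }
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ['ok' => false, 'errno' => ldap_errno($conn), 'error' => ldap_error($conn),
            'diag' => (string) $diag] + decodeAdBindError((string) $diag);
}

// With a bind that works (e.g. the domain\account form), read the UPN AD stores
// for this sAMAccountName so it can be compared with the UPN that fails.
function lookupUpn($conn, string $baseDn, string $sam): ?string
{
    $filter  = '(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
    $res     = ldap_search($conn, $baseDn, $filter, ['userPrincipalName']);
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    return $entries['count'] > 0 ? ($entries[0]['userprincipalname'][0] ?? null) : null;
}

// Placeholder usage: compare the two name forms for the same account.
$upn = diagnoseBind('ldaps://dc.example.com', 'account@example.com', 'password');
$sam = diagnoseBind('ldaps://dc.example.com', 'EXAMPLE\\account', 'password');
print_r($upn);
if ($sam['ok']) { var_dump(lookupUpn($sam['conn'], 'DC=example,DC=com', 'account')); }
```

If the stored `userPrincipalName` differs from the `account@company.com` string being passed (suffix, case of the user part, or an entirely different value), the 52e on the UPN form is explained; if they match, the next place to look is the domain controller's own logon-failure events for that bind.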
