LDAP bind failed due to Invalid credentials with 'AcceptSecurityContext error, data 533'

11345
Created On 06/05/23 02:51 AM - Last Modified 09/22/23 21:26 PM


Symptom


  • GlobalProtect users cannot be authenticated by the LDAP authentication server.
  • Similarly, Captive Portal or Web UI authentication also fails to authenticate against LDAP.
  • The system log (show log system) shows the authentication failure as 'DNS failure or remote server down.':
    failed authentication for user 'xxxx'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'Auth-test-LDAP', vsys 'vsys1', server profile 'LDAP-profile', server address 'y.y.y.y', From: z.z.z.z.
  • In authd.log (less mp-log authd.log), the bind request failed with 'AcceptSecurityContext error, data 533':
    bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials) (additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839)


Environment


  • Palo Alto Firewalls 
  • Prisma Access
  • Supported PAN-OS
  • Authentication
  • LDAP


Cause


Active Directory error code 533 (the 'data 533' value in the AcceptSecurityContext error) indicates that the supplied username and password are valid, but the account has been disabled. Because the failing bind is the firewall's own bind DN account, every LDAP authentication attempt through that server profile fails, not just one user's.

Resolution


  1. Confirm that the account configured as the bind DN (GUI: Device > Server Profiles > LDAP > Server Settings > Bind DN) is enabled on the AD server.
  2. If the account is disabled, enable it on the AD (Active Directory) server, then retry the authentication.
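As an added example (not Palo Alto's code), the following Python classifier reads authd.log bind-failure lines and maps the Active Directory sub-code to its cause, so an operator can tell a disabled bind account apart from a wrong password or a locked-out account. This page documents only data 533; the other sub-codes in the table are the standard AD values for LDAP result 49 and are a generalization beyond the page. The sample lines are constructed (the first mirrors the page's own log line).

```python
import re

# Added example, not Palo Alto code: classify LDAP bind failures in authd.log by the
# Active Directory sub-code carried in "AcceptSecurityContext error, data NNN".
# The page documents data 533; the other sub-codes are the standard AD values for
# LDAP result 49 (invalid credentials) and are included here as a generalization.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_RE = re.compile(
    r"bind failed .*?\(code: (?P<code>\d+)\) \(string: (?P<msg>[^)]*)\)"
    r".*?AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)"
)

def classify_bind_failure(line):
    """Return (ldap_code, ad_data, explanation) for an authd.log bind failure, or None."""
    m = BIND_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return (int(m.group("code")), data, AD_DATA_CODES.get(data, "unknown AD sub-code"))

# Constructed sample authd.log excerpt; the first line mirrors the page's log sample.
SAMPLE_LOG = """\
bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials) (additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, v3839)
bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials) (additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)
bind successful
"""

def summarize(log_text):
    """Map each bind failure in the log to its cause so the right fix is chosen."""
    results = []
    for line in log_text.splitlines():
        hit = classify_bind_failure(line)
        if hit:
            results.append(hit)
    return results

if __name__ == "__main__":
    for code, data, why in summarize(SAMPLE_LOG):
        print(f"LDAP result {code}, AD data {data}: {why}")
```

A data 533 hit points at the bind DN account itself being disabled (this article's case), whereas 52e means the bind DN password in the server profile is wrong.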
