A few days ago, I had to troubleshoot strange authentication issues. The context was the following:
- A Fortigate firewall offering SSL VPN remote access;
- This VPN access is configured to use Active Directory authentication, which means that the user has to authenticate with their AD username/password.
In this context, the Fortigate is itself configured to query Domain controllers using LDAPS, while authenticating itself to AD with a dedicated service user account.
The issue was that users would randomly be unable to log on, and the VPN client would return a rather unclear error: “User is probably not configured correctly for this connection”.
So I enabled debugging on the Fortigate and saw that the authentication daemon itself returned an equally unclear error:
INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775
Wow, what could I do with that…? Fortunately, some searching helped me, and I came across this excellent wiki page. So, error 775 meant “Account locked out”…
…But the user trying to log on was NOT locked out at all! Some more searching in the Domain Controller event logs, and I realised that the locked-out account was the service account performing the LDAPS query. Since this Active Directory was configured to lock out accounts for five minutes after five errors, that explained why the inability to log on was random.
Then the Domain Controller logs showed me WHO was locking the account. It was another firewall on the same network, also configured for LDAPS lookup, but somehow using a wrong password for the account. I corrected its configuration, and suddenly everything worked much better!
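As an added illustration (my own example, not part of the original write-up or of any Fortigate tooling), the two steps of the diagnosis can be scripted: decoding the "data NNN" sub-code in the AcceptSecurityContext error, and counting failed bind attempts against the service account per source address in the Domain Controller audit log so the misconfigured client stands out. The DC event lines below are constructed and simplified (field names modelled on Event ID 4625), and the lockout threshold of five matches the policy described above.

```python
import re
from collections import Counter

# Well-known Active Directory sub-codes returned in "AcceptSecurityContext error, data NNN".
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR_RE = re.compile(
    r"(?P<name>[A-Z_]+): (?P<hresult>[0-9a-fA-F]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r" comment: AcceptSecurityContext error, data (?P<data>[0-9a-f]+)"
)

def parse_bind_error(line):
    """Decode a Fortigate/AD bind failure line; None if it is not one."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["meaning"] = AD_BIND_SUBCODES.get(info["data"].lower(), "unknown sub-code")
    return info

# Constructed sample of DC failed-logon events: 10.0.0.2 keeps failing with a
# bad password for the bind account; 10.0.0.1 then fails because it is locked.
SAMPLE_DC_EVENTS = """\
4625 TargetUserName=svc-ldap IpAddress=10.0.0.2 Status=0xC000006D
4625 TargetUserName=svc-ldap IpAddress=10.0.0.2 Status=0xC000006D
4625 TargetUserName=svc-ldap IpAddress=10.0.0.2 Status=0xC000006D
4625 TargetUserName=svc-ldap IpAddress=10.0.0.2 Status=0xC000006D
4625 TargetUserName=svc-ldap IpAddress=10.0.0.2 Status=0xC000006D
4625 TargetUserName=jdoe IpAddress=10.0.0.1 Status=0xC000006A
4625 TargetUserName=svc-ldap IpAddress=10.0.0.1 Status=0xC0000234
""".splitlines()

EVENT_RE = re.compile(r"^4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)")

def lockout_suspects(lines, account, threshold=5):
    """Sources whose failed logons for `account` reach the lockout threshold.
    STATUS_ACCOUNT_LOCKED_OUT (0xC0000234) failures are victims, not causes, so they are skipped."""
    hits = Counter()
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["user"] != account or m["status"].lower() == "0xc0000234":
            continue
        hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```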
