I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine, but for one user I am getting the response:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568, v1772 ]

I know that 49 means this is an authentication failure, and that the relevant sub code is 568, but I am only aware of the following meanings for that data:

  • 525 - user not found
  • 52e - invalid credentials
  • 530 - not permitted to logon at this time
  • 532 - password expired
  • 533 - account disabled
  • 701 - account expired
  • 773 - user must reset password

So far I am unable to find an authoritative source of these error codes from Microsoft (this list is pieced together from forum posts), and I can't find anything for that 568 error.

Does anyone know what it means?

EDIT: It looks like the source of this list comes from this documentation from IBM

+2  A: 

This and this list contain error codes that seem to correspond to the above numbers, viz.

  • ERROR_NO_SUCH_USER 1317 (0x525) The specified account does not exist.
  • ERROR_LOGON_FAILURE 1326 (0x52E) Logon failure: unknown user name or bad password.
  • ERROR_INVALID_LOGON_HOURS 1328 (0x530) Logon failure: account logon time restriction violation.
  • ERROR_PASSWORD_EXPIRED 1330 (0x532) Logon failure: the specified account password has expired.
  • ERROR_ACCOUNT_DISABLED 1331 (0x533) Logon failure: account currently disabled.
  • ERROR_ACCOUNT_EXPIRED 1793 (0x701) The user's account has expired.
  • ERROR_PASSWORD_MUST_CHANGE 1907 (0x773) The user's password must be changed before logging on the first time.

From this list it appears that this error code means:

ERROR_TOO_MANY_CONTEXT_IDS 1384 (0x568) During a logon attempt, the user's security context accumulated too many security IDs.

It turns out that this account has 2000 group memberships which are overrunning an internal Active Directory limit. You may only have 1015 or so group memberships otherwise login will fail.

More information is available on this error at: http://go.microsoft.com/fwlink/?LinkId=146571.

Dean Povey
Cool! That is a new one for my collection! Updated my article at: http://www.novell.com/communities/node/1424/sub-error-codes-ldap-error-49
geoffc
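As an added example (not code from the question or the answer), here is a small Java helper that pulls the hex sub-code out of the text of a javax.naming.AuthenticationException and maps it using the table from the answer above; the class and method names are my own, and the sample message is the one from the question, rejoined on one line.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Decodes the AD-specific "data NNN" sub-code inside an LDAP error 49 message. */
public final class AdBindErrorDecoder {

    // Sub-code (hex, as it appears after "data") -> Win32 error name and meaning,
    // taken from the list in the answer above.
    private static final Map<Integer, String> SUB_CODES = Map.of(
        0x525, "ERROR_NO_SUCH_USER: the specified account does not exist",
        0x52E, "ERROR_LOGON_FAILURE: unknown user name or bad password",
        0x530, "ERROR_INVALID_LOGON_HOURS: logon time restriction violation",
        0x532, "ERROR_PASSWORD_EXPIRED: the account password has expired",
        0x533, "ERROR_ACCOUNT_DISABLED: account currently disabled",
        0x568, "ERROR_TOO_MANY_CONTEXT_IDS: too many security IDs (group memberships) in the token",
        0x701, "ERROR_ACCOUNT_EXPIRED: the user's account has expired",
        0x773, "ERROR_PASSWORD_MUST_CHANGE: password must be changed before first logon");

    // Matches "data 568" in the comment field of the server's diagnostic message.
    private static final Pattern DATA_FIELD = Pattern.compile("\\bdata\\s+([0-9A-Fa-f]+)");

    /** Returns the sub-code parsed from the message, or -1 if none is present. */
    public static int extractSubCode(String message) {
        Matcher m = DATA_FIELD.matcher(message);
        return m.find() ? Integer.parseInt(m.group(1), 16) : -1;
    }

    /** Human-readable meaning for a sub-code; unknown codes are reported as such. */
    public static String describe(int subCode) {
        if (subCode < 0) return "no AD sub-code present in message";
        return SUB_CODES.getOrDefault(subCode,
                String.format("unknown sub-code 0x%X (Win32 error %d)", subCode, subCode));
    }

    public static void main(String[] args) {
        // Constructed sample: the exception message from the question, rejoined on one line.
        // In real code this would be e.getMessage() from the caught AuthenticationException.
        String msg = "[LDAP: error code 49 - 80090304: LdapErr: DSID-0C0904D1, "
                   + "comment: AcceptSecurityContext error, data 568, v1772 ]";
        int code = extractSubCode(msg);
        // Keep this detail in server-side logs; a client-facing error should stay generic,
        // since distinguishing 525 from 52e tells a caller which user names exist.
        System.out.println("sub-code 0x" + Integer.toHexString(code) + " -> " + describe(code));
    }
}
```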