cancel
Showing results for 
Search instead for 
Did you mean: 

LDAP Auth Failure and Logon Workstations restriction

SOLVED
Contributor

LDAP Auth Failure and Logon Workstations restriction

A few weeks ago I switched our authentication method from AD to LDAP and everything for the most part has been working without any issues. Today a user tried signing-in and was denied access because of an unexpected AD error code. The complete error reads as follows.

Bind failed to user DN "CN=XXX,OU=XXX,OU=XXX,DC=test,DC=net" AD code=1329: Unexpected AD error code

After looking into error code 1329, I found that it's related to the Logon Workstations restriction. This particular user is only allowed to logon to a few machines. My question is why is LDAP treated differently than AD auth? Is this expected behavior or is this a problem between the IVE and domain controllers? If I remove the logon workstations restrictions, then the LDAP auth works just fine. Is the AD auth doing something different that allows the login as opposed to LDAP? I don't want to add the domain controllers to the list of workstations that this user can logon to.

Any suggestions?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Regular Contributor

Re: LDAP Taut Failure and Logon Workstations restriction

When you use AD the SA uses api's through which it can pass the hostname (its own name) to the AD server. However when you use LDAP there is no LDAP defined attribute that can be sent along with the credentials that identifies which host the user is logging in from. I guess that is why the user is not able to login with the workstation restrictions. I can't think of any workarounds with ldap and this restriction.

View solution in original post

4 REPLIES 4
Highlighted
Regular Contributor

Re: LDAP Taut Failure and Logon Workstations restriction

When you use AD the SA uses api's through which it can pass the hostname (its own name) to the AD server. However when you use LDAP there is no LDAP defined attribute that can be sent along with the credentials that identifies which host the user is logging in from. I guess that is why the user is not able to login with the workstation restrictions. I can't think of any workarounds with ldap and this restriction.

View solution in original post

Highlighted
Contributor

Re: LDAP Taut Failure and Logon Workstations restriction

Thanks for the information. I guess I'll be using AD auth for this realm because of the logon workstation restrictions. Thanks again!

Highlighted
Super Contributor

Re: LDAP Taut Failure and Logon Workstations restriction

Could you not add the sslvpn host as one that the user is allowed to log in from?
Highlighted
Contributor

Re: LDAP Taut Failure and Logon Workstations restriction

I had the same thought but when I tried that it didn't work. The only way to make it work was to add the domain controllers to the list of allowed logon workstations.