A few weeks ago I switched our authentication method from AD to LDAP and everything for the most part has been working without any issues. Today a user tried signing in and was denied access because of an unexpected AD error code. The complete error reads as follows:
Bind failed to user DN "CN=XXX,OU=XXX,OU=XXX,DC=test,DC=net" AD code=1329: Unexpected AD error code
After looking into error code 1329, I found that it's related to the Logon Workstations restriction. This particular user is only allowed to log on to a few machines. My question is why is LDAP treated differently than AD auth? Is this expected behavior or is this a problem between the IVE and domain controllers? If I remove the logon workstations restrictions, then the LDAP auth works just fine. Is the AD auth doing something different that allows the login as opposed to LDAP? I don't want to add the domain controllers to the list of workstations that this user can log on to.
Any suggestions?
Thanks!
When you use AD the SA uses APIs through which it can pass the hostname (its own name) to the AD server. However when you use LDAP there is no LDAP-defined attribute that can be sent along with the credentials that identifies which host the user is logging in from. I guess that is why the user is not able to login with the workstation restrictions. I can't think of any workarounds with LDAP and this restriction.
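The error in the question is Windows error 1329 (hex 0x531, ERROR_INVALID_WORKSTATION). When an LDAP simple bind to a domain controller fails, AD puts that same code into the bind diagnostic message as a hex "data" field (for example `AcceptSecurityContext error, data 531`), alongside the other well-known codes for bad password, disabled account, logon hours and so on. The following added example (not code from the thread, the SA, or any vendor) parses that standard AD diagnostic string and classifies bind failures, so an administrator reading LDAP bind failures from an appliance or from their own scripts can separate policy effects like this workstation restriction from genuine credential failures. It assumes the standard AD diagnostic format rather than the SA's own "AD code=1329" log line, and the log lines below are constructed for the example.

```python
import re
from collections import Counter

# Windows logon error codes that AD returns as the hex "data NNN" field in the
# LDAP bind diagnostic message. 0x531 is 1329 decimal, the code in the question.
AD_BIND_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password)",
    0x530: "logon hours restriction",
    0x531: "Logon Workstations restriction (ERROR_INVALID_WORKSTATION, 1329)",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "password must be changed at next logon",
    0x775: "account locked out",
}

# Codes that mean the bind was refused by account policy, not by a bad secret.
POLICY_CODES = {0x530, 0x531, 0x532, 0x533, 0x701, 0x773, 0x775}

_DATA_FIELD = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def classify_bind_failure(diagnostic: str) -> dict:
    """Map an AD bind diagnostic string to the Windows error it carries.

    Returns a dict with the hex code, its decimal value (the number an
    appliance like the SA prints), a human-readable reason, and whether the
    failure is a policy decision rather than a credential failure.
    """
    match = _DATA_FIELD.search(diagnostic)
    if not match:
        return {"code": None, "decimal": None, "policy": False,
                "reason": "no AD data field in diagnostic message"}
    code = int(match.group(1), 16)
    return {
        "code": f"0x{code:X}",
        "decimal": code,
        "policy": code in POLICY_CODES,
        "reason": AD_BIND_DATA_CODES.get(code, "unknown AD data code"),
    }


def summarize_failures(log_lines) -> Counter:
    """Count bind failures by reason across log lines containing AD diagnostics."""
    return Counter(classify_bind_failure(line)["reason"] for line in log_lines)


# Constructed sample diagnostics in the format AD attaches to a failed bind.
SAMPLE_FAILURES = [
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1",
]

if __name__ == "__main__":
    for line in SAMPLE_FAILURES:
        info = classify_bind_failure(line)
        kind = "policy" if info["policy"] else "credential"
        print(f"{info['code']} ({info['decimal']}) [{kind}] {info['reason']}")
    print(summarize_failures(SAMPLE_FAILURES))
```

With the ldap3 library the diagnostic string is available after a failed `Connection.bind()` in `conn.result["message"]`, which can be fed straight to `classify_bind_failure`. The practical point for the thread's situation is that a 0x531 failure should be read as "the directory applied a workstation restriction to the appliance's bind", not as a wrong password, so it should not count toward lockout or brute-force alerting the way repeated 0x52E failures would.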
Thanks for the information. I guess I'll be using AD auth for this realm because of the logon workstation restrictions. Thanks again!
I had the same thought but when I tried that it didn't work. The only way to make it work was to add the domain controllers to the list of allowed logon workstations.