Spectrum LDAP integration authentication failure with RESTRICTED_TO_SPECIFIC_MACHINES error

Document ID : KB000045590
Last Modified Date : 14/02/2018

Symptoms: 

Spectrum is integrated with an LDAP or Microsoft Active Directory server, but authentication fails for certain users although the username and password have been keyed in correctly. I accessed the OneClick Web Admin page using an available account, went to Administration -> Debugging -> Web Server Debug Page (Runtime), turned ON the "SSORB Security SP" debug item, reproduced the problem, and saw the following error in the Tomcat log.

 Error binding: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 531, v1772 ]; remaining name ''

Environment:  

Any Spectrum version on any OS platform

Cause:

A "Log On To" restriction is applied to the user account, so the user cannot log on to the OneClick Server machine.

Resolution/Workaround: 

The LDAP error has error code 49 and data code 531, which means:

RESTRICTED_TO_SPECIFIC_MACHINES
Indicates an Active Directory (AD) AcceptSecurityContext data error: a logon failure that occurs because the user is not permitted to log on from this computer. It is returned only when a valid username and a valid password are presented.

The error occurs when the user account has a "Log On To" restriction that does not permit the user to log on to the OneClick Server machine. Please check with the Active Directory administrator and make sure the user does not have that restriction to avoid this issue.
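
To triage these bind failures in the Tomcat log, the sketch below extracts the LDAP error code and the AD data sub-code from each line and names the cause. It is an added example, not CA/Spectrum code; only sub-code 531 comes from this article, the other sub-code names are commonly documented AD values, and the sample log lines other than the first are constructed.

```python
import re
from collections import Counter

# AD AcceptSecurityContext "data" sub-codes (hexadecimal Win32 error numbers).
# Only 531 is described in this article; the rest are commonly documented
# AD values included so other bind failures can be told apart from it.
AD_SUBCODES = {
    "525": "USER_NOT_FOUND",
    "52e": "INVALID_CREDENTIALS",
    "530": "NOT_PERMITTED_TO_LOGON_AT_THIS_TIME",
    "531": "RESTRICTED_TO_SPECIFIC_MACHINES",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "USER_MUST_RESET_PASSWORD",
    "775": "ACCOUNT_LOCKED_OUT",
}

BIND_ERROR = re.compile(
    r"LDAP: error code (?P<ldap>\d+)\s*-\s*.*?AcceptSecurityContext error,"
    r"\s*data\s+(?P<data>[0-9a-fA-F]+)"
)

def parse_bind_error(line):
    """Return details of an AD bind failure in a log line, or None."""
    m = BIND_ERROR.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ldap_code": int(m.group("ldap")),
        "data": data,
        "win32_error": int(data, 16),  # sub-code is hex: 0x531 == 1329
        "meaning": AD_SUBCODES.get(data, "UNKNOWN"),
    }

def summarize(lines):
    """Count bind failures per cause across an iterable of log lines."""
    hits = (parse_bind_error(line) for line in lines)
    return Counter(h["meaning"] for h in hits if h)

# Line 1 is the error quoted in this article; lines 2-3 are constructed.
SAMPLE_LOG = [
    "Error binding: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 531, v1772 ]; remaining name ''",
    "Error binding: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52e, v1772 ]; remaining name ''",
    "INFO: Server startup in 1234 ms",
]

if __name__ == "__main__":
    for cause, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {cause}")
```

A 531 result points to the account's "Log On To" policy rather than to a wrong password, so the fix belongs with the Active Directory administrator and not with a password reset.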