Question

While connecting a Java application to an AD server, I got the below error:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]

I understand that the error code 531 means not permitted to logon at this workstation.

However, I checked the Log on to attribute on the AD server for that particular user and it had the IP of the workstation I was trying to login from.

I checked the below question and included the IP of the AD server as well in the log on to field and I am able to login now.

Can't get connection with AD from Java code

My question is, why does the IP/name of the AD server or domain controller have to be included for this to work?

Thanks


Solution

Whether or not you have to add DCs to an account's "Log on to..." restriction is entirely 100% dependent on the app that will be using it and whether or not that particular app sends the source workstation name in the logon request or if it just sends the IP without a workstation name. If it sends just the IP, then the source workstation field gets populated with the DC's name, which is why the DCs have to be added to the "Log on to..." restriction. This is most commonly encountered with non-Windows appliances/systems, like NetScalers for example.

Below is an example Security event ID 4625 for a logon attempt from a NetScaler appliance using an account that did not have the DCs added to its "Log On To..." restriction's list of accounts:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/27/2014 9:22:36 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD01.mydomain.com
Description:
An account failed to log on.

Subject:
        Security ID:              SYSTEM
        Account Name:             AD01$
        Account Domain:           MYDOMAIN
        Logon ID:                 0x3e7

Logon Type:                       3

Account For Which Logon Failed:
        Security ID:              NULL SID
        Account Name:             netscalersvc
        Account Domain:           MYDOMAIN

Failure Information:
        Failure Reason:           User not allowed to logon at this computer.
        Status:                   0xc000006e
        Sub Status:               0xc0000070

Process Information:
        Caller Process ID:        0x260
        Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
        Workstation Name:         AD01
        Source Network Address:   192.168.5.5  <- NetScaler's IP, not AD01's IP
        Source Port:              64015

Detailed Authentication Information:
        Logon Process:            Advapi  
        Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0
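As an added illustration (not part of the answer above), here is a small Python check that reads a 4625 event in the text layout shown and flags the case the answer describes: sub status 0xC0000070 where the recorded workstation name is the DC itself rather than the client, which is the signature of a client that sends no workstation name of its own. The sample event, host names and IP address are constructed placeholders.

```python
import re
# Constructed sample in the layout of the 4625 event above (placeholder names/IPs).
SAMPLE_4625 = """\
Computer:      AD01.mydomain.com
Account For Which Logon Failed:
        Account Name:             netscalersvc
        Account Domain:           MYDOMAIN
Failure Information:
        Status:                   0xc000006e
        Sub Status:               0xc0000070
Network Information:
        Workstation Name:         AD01
        Source Network Address:   192.168.5.5
"""

SUBSTATUS_LOGON_TO = "0xc0000070"  # "User not allowed to logon at this computer."
LINE_RE = re.compile(r"^(\s*)([^:]+):\s*(.*)$")

def parse_event(text):
    """Group 'Key: value' lines by section header; top-level values go under '_top'."""
    sections, current = {"_top": {}}, "_top"
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent:
            sections.setdefault(current, {})[key.strip()] = value.strip()
        elif value:
            sections["_top"][key.strip()] = value.strip()
        else:
            current = key.strip()
            sections.setdefault(current, {})
    return sections

def find_dc_substituted_workstation(text):
    """Return a finding when the 'Log On To' restriction refused the logon and the
    workstation recorded is the DC itself (client sent no workstation name), else None."""
    s = parse_event(text)
    failure = s.get("Failure Information", {})
    net = s.get("Network Information", {})
    dc = s["_top"].get("Computer", "").split(".")[0].upper()
    ws = net.get("Workstation Name", "").upper()
    sub = failure.get("Sub Status", "").lower()
    if sub != SUBSTATUS_LOGON_TO or not dc or ws != dc:
        return None
    return {"account": s.get("Account For Which Logon Failed", {}).get("Account Name"),
            "dc": dc, "source_ip": net.get("Source Network Address")}
```

A hit means the Source Network Address, not the Workstation Name, identifies the real client, so either that host's application must be configured to send its workstation name or the DCs must be added to the account's "Log On To" list.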
Licensed under: CC-BY-SA with attribution