Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1896
Views
0
Helpful
3
Replies

LDAP fails with error 49 invalid credentials but integration key and key have been verified

fengsu
Level 1
Level 1

‎01-19-2022 01:12 AM

Hi teams

I meet the issue same with below:

Even use simple username test, it still failed.
is anyone has experienced this issue.

[-2147483559] Session Start
[-2147483559] New request Session, context 0x00007f62b1c44838, reqType = Authentication
[-2147483559] Fiber started
[-2147483559] Creating LDAP context with uri=ldaps://n.n.n.n:636
[-2147483559] Connect to LDAP server: ldaps://n.n.n.n:636, status = Successful
[-2147483559] While getting rootDSE, LDAP server n.n.n.n returned code (53) Server is unwilling to perform
[-2147483559] This LDAP server does not support V3 protocol.
[-2147483559] Binding as ***
[-2147483559] Performing Simple authentication for *** to n.n.n.n
[-2147483559] Simple authentication for *** returned code (49) Invalid credentials
[-2147483559] Failed to bind as administrator returned code (-1) Can’t contact LDAP server
[-2147483559] Fiber exit Tx=224 bytes Rx=51 bytes, status=-2
[-2147483559] Session End

Thanks,
Saul

Labels:
0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎01-19-2022 10:07 AM

If this is the Cisco ASA direct connect to Duo via LDAPS configuration, where Duo performs secondary auth only, the password is the name of a Duo authentication factor (like push), not the actual user password from the identity store.

The user has to actually have a valid 2FA device of the type you specify as well. So if you type push the user must exist in Duo with a phone or tabled activated for Duo Mobile Push.

Duo, not DUO.
0 Helpful

fengsu
Level 1
Level 1
In response to DuoKristina

‎01-19-2022 05:36 PM

Hi thank you for your reply.
i have use the correct username and push to do the test.
but is still failed.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎01-20-2022 06:26 AM

Thanks for testing again and the screenshots. I edited your post to remove the images because they contained identifying info unique to your organization and Duo account.

Does that user’s device show it is activated for Duo Push in the Admin Panel?

2X_6_6ac21dd0c1c530b2c303784c0fdb8c4a19c11b51.png

What if you create a bypass code for the user, and then do the ASA test with that bypass code as the password?

The failure message indicated that the Duo API host LDAP server would be removed. Might be worth going back into the AAA settings to make sure it’s still active before trying again. Also double-check the credentials used for the Duo LDAP AAA server (the login DN that incorporates your integration key, and the login password which is the secret key).

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents