Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4945
Views
1
Helpful
2
Replies

LDAP fails with error 49 invalid credentials but integration key and key have been verified

Go to solution
mbrowneminence
Level 1
Level 1

‎01-13-2017 10:31 AM

Hello all,

I’ve created a AAA group in a Cisco ASA, and have double-verified that I’ve assigned the proper integration key and security key where needed. However, I am receiving a generic LDAP error 49: Invalid credentials, in the debug output of debug ldap 255 on the ASA.

Here is the debug output when attempting to authenticate with the AAA profile:

OURASA# debug ldap 255
debug ldap  enabled at level 255
OURASA# terminal monitor
OURASA#
[6786] Session Start
[6786] New request Session, context 0xafe22d24, reqType = Authentication
[6786] Fiber started
[6786] Creating LDAP context with uri=ldaps://IPofDuoLDAP:636
[6786] Connect to LDAP server: ldaps://IPofDuoLDAP:636, status = Successful
[6786] While getting rootDSE, LDAP server IPofDuoLDAP returned code (53) Server is unwilling to perform
[6786] This LDAP server does not support V3 protocol.
[6786] Binding as [The app's integration ID]
[6786] Performing Simple authentication for [The app's integration ID] to IPofDuoLDAP
[6786] Simple authentication for [The app's integration ID] returned code (49) Invalid credentials
[6786] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[6786] Fiber exit Tx=244 bytes Rx=51 bytes, status=-2
[6786] Session End

Note that because the ASA can’t effectively bind, I do not see any Authentication logs on the configured Duo application.

I have opened a support ticket, but are not satisfied with their turn around time and was wondering if anyone else has experienced this issue and if they can assist with a resolution.

Thanks,

Matt

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mbrowneminence
Level 1
Level 1
In response to Dooley

‎01-13-2017 11:27 AM

This is done after a call in to support.

Worth noting that the only thing I changed was shortened the username from user@domain.corp to user. We verified the AAA profile config and voila. It was good.

Thanks,

Matt

​​​​​

View solution in original post

2 Replies 2

Go to solution
Dooley
Level 3
Level 3

‎01-13-2017 11:17 AM

Hi Matt,

I’m working with our Support Team to get a response to you now.

Thanks,
Andrew

0 Helpful

Go to solution
mbrowneminence
Level 1
Level 1
In response to Dooley

‎01-13-2017 11:27 AM

This is done after a call in to support.

Worth noting that the only thing I changed was shortened the username from user@domain.corp to user. We verified the AAA profile config and voila. It was good.

Thanks,

Matt

​​​​​

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents