HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.
How can I allow these users to log in to Openfire without adding the Domain Controller to their LogOn profiles?
You are restricting authentication on your AD setup to certain machines for certain users. If you do this, LDAP authentication won’t work without the users being allowed to authenticate from the LDAP server(s), and possibly the chat server.
Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.
As far as I know, the “Log On to” option in AD applies only to interactive logon to a workstation.
If the “Log On To” configurations are used, Openfire cannot authenticate users unless they are given log on rights to the servers. This may be a bug in Openfire or it may be a bug in the way AD handles LDAP authentication. I do know it is related to the “Log On To” settings in AD though. Take those away and authentication works fine. Unless your servers are physically exposed for logon at the server directly, this setting is redundant security. Domain users cannot RDP to a server unless it is a terminal services server. You can go further and disable RDP via a profile setting. Local workstations are protected because AD user account profiles are only accessible by domain admins and the user account that created it.
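For triaging bind failures like the one quoted in this thread, the following added example (not code from the thread or from Openfire) decodes the hexadecimal `data` field of an AD "error code 49" line and reports whether that sub-code is one AD returns only after accepting the credentials, which separates a policy block such as `userWorkstations` from a wrong password. Only the 0x531 entry comes from the thread; the other sub-codes are the commonly documented AD values, and the function names are hypothetical.

```python
import re
from collections import Counter

# "data" sub-codes AD returns inside an LDAP error 49 bind failure.
# Value: (Win32 name, were the credentials valid? None = cannot tell).
# Only 0x531 is from the thread; the rest are commonly documented values.
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", False),
    0x52E: ("ERROR_LOGON_FAILURE", False),
    0x530: ("ERROR_INVALID_LOGON_HOURS", True),
    0x531: ("ERROR_INVALID_WORKSTATION", True),
    0x532: ("ERROR_PASSWORD_EXPIRED", True),
    0x533: ("ERROR_ACCOUNT_DISABLED", True),
    0x701: ("ERROR_ACCOUNT_EXPIRED", True),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", True),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", None),
}

BIND_ERR = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - [0-9A-Fa-f]{8}: LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: [^,]+, data (?P<data>[0-9A-Fa-f]+)"
)

def parse_bind_error(line):
    """Return the decoded sub-code of an AD bind failure, or None."""
    m = BIND_ERR.search(line)
    if m is None:
        return None
    sub = int(m.group("data"), 16)  # the field is hex: 531 -> 1329
    name, creds_valid = AD_BIND_SUBCODES.get(sub, ("UNKNOWN", None))
    return {"ldap_code": int(m.group("ldap")), "dsid": m.group("dsid"),
            "hex": f"0x{sub:X}", "dec": sub, "win32": name,
            "creds_valid": creds_valid}

def summarise(lines):
    """Count failures per Win32 name, skipping lines that do not match."""
    return Counter(p["win32"] for p in map(parse_bind_error, lines) if p)

# First entry is the line quoted in the thread; the others are constructed.
PAGE_LINE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
             "80090308: LdapErr: DSID-0C090334, comment: "
             "AcceptSecurityContext error, data 531, vece")
SAMPLE = [PAGE_LINE, PAGE_LINE.replace("data 531", "data 52e"),
          "Caught a naming exception when creating InitialContext"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_bind_error(entry))
    print(summarise(SAMPLE))
```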