Tools4ever SSRPM Error 1329

Recently I came across an SSRPM Client in the military business who was getting Error 1329 when trying to enroll accounts over the website. SSRPM of course is the Self Service Reset Password Management, Tools4ever’s take on the “what’s your mother’s maiden name” type of authentication.

Log On To

The investigation and resolution of this brought me to a rather cool feature of Active Directory I have never worked with before – restricting which computers a user is allowed to log on to, as a property of the actual user account:

 

Investigation

Any non-negative SSRPM error codes are simply error codes of the underlying systems (i.e. Active Directory) that are bubbled up through the error message.

A little bit of Googling on the error code reveals:

  • 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
  • HEX: 0x531 – not permitted to logon from this workstation
  • DEC: 1329 – ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
  • LDAP[userWorkstations: <multivalued list of workstation names>]
  • NOTE: Returns only when presented with valid username and password/credential.

Conclusion

Long story short, some years ago they used this Log On To feature of AD to really lock down the system. They have since stopped, but the settings remained on many AD accounts. As a result, certain users would run into this error whenever the SSRPM server was not in the list of computers they were allowed to log on to. The fix is easy: either add the SSRPM server explicitly to the Log On To list, or don’t use the Log On To feature.
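
To find every account that will hit Error 1329 before users report it, the leftover Log On To settings can be audited directly. The script below is an added example, not part of the original post or of SSRPM. It assumes the ActiveDirectory PowerShell module is installed, and `SSRPM01` is a placeholder for the name of your SSRPM server.

```powershell
# Added example: list accounts whose "Log On To" restriction omits the SSRPM server.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$SsrpmServer = 'SSRPM01'   # placeholder: computer name of the SSRPM server

function Test-WorkstationAllowed {
    param(
        [string]$UserWorkstations,   # raw attribute value: comma-separated names
        [string]$ComputerName
    )
    # An empty attribute means no restriction: the user may log on anywhere.
    if ([string]::IsNullOrWhiteSpace($UserWorkstations)) { return $true }

    $allowed = @($UserWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    # -contains compares case-insensitively, as computer names should be.
    return ($allowed -contains $ComputerName)
}

# Only accounts that have the restriction set at all.
$restricted = @(Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations)

# Accounts that would get ERROR_INVALID_WORKSTATION (1329) from the SSRPM server.
$blocked = @($restricted | Where-Object {
    -not (Test-WorkstationAllowed -UserWorkstations $_.userWorkstations `
                                  -ComputerName $SsrpmServer)
})

$blocked |
    Select-Object SamAccountName, Enabled, userWorkstations |
    Format-Table -AutoSize

'{0} of {1} restricted accounts cannot authenticate from {2}' -f `
    $blocked.Count, $restricted.Count, $SsrpmServer

# Remediation, matching the two options above (review the list first; -WhatIf previews):
#   Add the server:   Set-ADUser $u -LogonWorkstations "$($u.userWorkstations),$SsrpmServer" -WhatIf
#   Drop the feature: Set-ADUser $u -Clear userWorkstations -WhatIf
```

Disabled accounts are included in the output so stale restrictions can be cleaned up in the same pass. The `Enabled` column shows which ones affect active users.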
