Active Directory allows creating InitialContext with disabled account

I have a problem implementing proper authentication based on Active Directory (Windows Server 2008 R2) and Java.

The assumed flow is that when the account is disabled in AD (properties → Account → Account options → "Account is disabled" checkbox), I should get the following exception from AD when connecting using com.sun.jndi.ldap.LdapCtxFactory:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1

This 533 tells me that the account is locked/disabled. And it works fine - at least in my dev environment. Enabling/disabling an account immediately changes the authentication result.

It doesn't, however, work in the production environment on the customer's machine... I can successfully create an InitialContext (no 533), but the search operation a moment after this successful bind ends with an error that I don't have the necessary authorization to perform the lookup.

What should I look for in the Active Directory configuration? I don't have any pooling or any AD replication...

[EDIT]: Wireshark dump

Here's the request to bind to the disabled account (only the LDAP protocol decoded):

0000   30 50 02 01 01 60 4b 02 01 03 04 3c 43 4e 3d 67  0P...`K....<CN=g
0010   72 7a 65 67 6f 72 7a 20 67 72 7a 79 62 65 6b 2c  rzegorz grzybek,
0020   63 6e 3d 75 73 65 72 73 2c 64 63 3d xx xx xx xx  cn=users,dc=xxxx
0030   xx xx xx xx xx 2c 64 63 3d xx xx 2c 64 63 3d xx  xxxxx,dc=xx,dc=x
0040   xx xx 2c 64 63 3d 70 6c 80 08 xx xx xx xx xx xx  xx,dc=pl..xxxxxx
0050   xx xx                                            xx

And here's the response - an ordinary resultCode: success (0):

0000   30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a  0........a......
0010   01 00 04 00 04 00                                ......

A response to an invalid password is:

0000   30 84 00 00 00 68 02 01 01 61 84 00 00 00 5f 0a  0....h...a...._.
0010   01 31 04 00 04 58 38 30 30 39 30 33 30 38 3a 20  .1...X80090308: 
0020   4c 64 61 70 45 72 72 3a 20 44 53 49 44 2d 30 43  LdapErr: DSID-0C
0030   30 39 30 33 41 39 2c 20 63 6f 6d 6d 65 6e 74 3a  0903A9, comment:
0040   20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43   AcceptSecurityC
0050   6f 6e 74 65 78 74 20 65 72 72 6f 72 2c 20 64 61  ontext error, da
0060   74 61 20 35 32 65 2c 20 76 31 64 62 31 00        ta 52e, v1db1.

And sending the correct password after the change immediately results in a successful bind.

By the way - using LDAPS (port 636) doesn't change anything - I can still bind to the disabled account.

EDIT: Problem recreated on virtual server

I've enabled detailed logging of LDAP/AD events and that's what I got:

For a disabled account, an LDAP bind with an incorrect password to Active Directory results in a single event:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       CENTRALA$
    Account Domain:     XXX
    Logon ID:       0x3e7

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       MY_ACTUAL_DOMAIN_NAME_OF_BLOCKED_USER
    Account Domain:     XXX

For a disabled account, an LDAP bind with the correct password to Active Directory results in these events:

1:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Guest
Source Workstation: CENTRALA
Error Code: 0x0

2:

An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       CENTRALA$
    Account Domain:     MS
    Logon ID:       0x3e7

Logon Type:         3

New Logon:
    Security ID:        MS\Guest
    Account Name:       Guest
    Account Domain:     MS
    Logon ID:       0x38cd57
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Is it possible that a correct login to a disabled account over LDAP results in a login to the Guest account??

Grzegorz Grzybek asked Feb 05 '26 21:02

1 Answer

Finally I got the solution!

The problem was ... the enabled Guest account.

An AD/LDAP bind to an enabled or disabled account with an incorrect password results in the following event:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

An AD/LDAP bind to a disabled account with the correct password results in the following events:

1.

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Guest
Source Workstation: CENTRALA
Error Code: 0x0

2.

...
Account Whose Credentials Were Used:
    Account Name:       Guest
    Account Domain:     MS
    Logon GUID:     {00000000-0000-0000-0000-000000000000}
...

3.

...
Logon Type:         3

New Logon:
    Security ID:        MS\Guest
    Account Name:       Guest
    Account Domain:     MS
    Logon ID:       0x3ad7cf
    Logon GUID:     {00000000-0000-0000-0000-000000000000}
...

4.

An account was logged off.

Subject:
    Security ID:        MS\Guest
    Account Name:       Guest
    Account Domain:     MS
    Logon ID:       0x3ad7cf

After disabling the Guest account, an AD/LDAP bind to a disabled account with the correct password results in the following event:

Failure Information:
    Failure Reason:     Account currently disabled.
    Status:         0xc000006e
    Sub Status:     0xc0000072

Isn't it strange? Isn't it a bug in AD/LDAP?

Grzegorz Grzybek answered Feb 09 '26 06:02

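The two BindResponse dumps in the question and the Guest-fallback finding in the answer share one lesson: the server's "success" PDU for a disabled account is byte-for-byte the same empty success it returns for a genuine logon, so a client cannot detect the fallback from the bind result alone. The following Python is an added example, not code from the question, the answer or any library: it decodes the captured PDUs (BER with the long-form `84 ...` lengths Active Directory emits), extracts the `data NNN` sub-code from the diagnostic message, and then refuses to treat a successful bind as authentication of the named user when the entry's `userAccountControl` carries the `ACCOUNTDISABLE` bit. The hex dumps are copied from the question (the redacted bind request is not decoded because its bytes are masked with `xx`); the `AD_SUBCODES` table lists standard AD sub-codes, of which the page shows 533 and 52e; the pre-bind read of `userAccountControl` with a service account is an assumed design, not something the page describes.

```python
"""Decode the LDAP BindResponse PDUs captured in the question and turn them into an
authentication verdict that does not trust a bare "success" from the server.
Added example, not code from the original post."""
import re

# Wireshark-style dumps copied from the question ("offset   hex bytes  ascii").
BIND_OK_DISABLED_ACCOUNT = """\
0000   30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a  0........a......
0010   01 00 04 00 04 00                                ......
"""

BIND_INVALID_PASSWORD = """\
0000   30 84 00 00 00 68 02 01 01 61 84 00 00 00 5f 0a  0....h...a...._.
0010   01 31 04 00 04 58 38 30 30 39 30 33 30 38 3a 20  .1...X80090308:
0020   4c 64 61 70 45 72 72 3a 20 44 53 49 44 2d 30 43  LdapErr: DSID-0C
0030   30 39 30 33 41 39 2c 20 63 6f 6d 6d 65 6e 74 3a  0903A9, comment:
0040   20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43   AcceptSecurityC
0050   6f 6e 74 65 78 74 20 65 72 72 6f 72 2c 20 64 61  ontext error, da
0060   74 61 20 35 32 65 2c 20 76 31 64 62 31 00        ta 52e, v1db1.
"""

# Standard Active Directory "data NNN" sub-codes carried in the diagnostic
# message of a failed simple bind (the question shows 533 and 52e).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set by "Account is disabled"

# offset, then up to 16 "xx" groups separated by single spaces; the ASCII column
# is separated by at least two spaces, so it never joins the match.
_HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}\s+((?:[0-9A-Fa-f]{2} ?){1,16})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a Wireshark hex dump back into the raw PDU bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV (short or long-form length). Returns (tag, value, next)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated PDU")
    return tag, value, pos + length


def parse_bind_response(pdu: bytes) -> dict:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindResponse }
    BindResponse ::= [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }"""
    tag, message, _ = _tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _tlv(message, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = _tlv(body, pos)
    _, diag, _ = _tlv(body, pos)
    text = diag.decode("utf-8", "replace").rstrip("\x00")
    m = re.search(r"\bdata ([0-9a-fA-F]+)", text)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched_dn.decode("utf-8", "replace"),
        "diagnostic": text,
        "ad_subcode": m.group(1).lower() if m else None,
    }


def bind_verdict(pdu: bytes, user_account_control: int) -> tuple:
    """Decide whether the bind counts as authenticating the named user.
    user_account_control is the target entry's userAccountControl, assumed to be
    read beforehand with a service account: a disabled account and a genuine
    success yield the same empty success PDU, so the response alone cannot tell
    the fallback logon seen in the answer from a real one."""
    r = parse_bind_response(pdu)
    if r["result_code"] != 0:
        return False, AD_SUBCODES.get(r["ad_subcode"], "LDAP result %d" % r["result_code"])
    if user_account_control & UF_ACCOUNTDISABLE:
        return False, "account disabled; bind success is suspect (fallback logon)"
    return True, "authenticated"


if __name__ == "__main__":
    for name, dump in (("disabled/correct pw", BIND_OK_DISABLED_ACCOUNT),
                       ("invalid pw", BIND_INVALID_PASSWORD)):
        print(name, parse_bind_response(hexdump_to_bytes(dump)))
```

`bind_verdict` is the check a client should run in addition to catching the `error code 49 ... data 533` exception: an application that only looks at whether `InitialContext` creation threw will accept the Guest-mapped logon from the answer, whereas one that reads `userAccountControl` (and, on the server side, keeps Guest disabled) rejects it.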