AD authentication failing for one account

[KenVM]

We have ~ 400 accounts in Zimbra that all authenticate against Active Directory.

1 new account is unable to authenticate. I can use the AD auth to log into another service (terminal server) but it won't connect to Zimbra. Keeps giving a bad username/password message.

The only message I can find is from audit.log:

2008-06-23 10:21:17,275 WARN [http-443-Processor34] [ip=<SNIPPED>;ua=ZimbraWebClient - FF3.0 (Win)/undefined;] security - cmd=Auth; account=ACCOUNTNAME; protocol=soap; error=authentication failed for ACCOUNTNAME;

I've checked all the settings in Zimbra and Active Directory and I've recreated the account in Zimbra. Recreating the account in Active Directory isn't an option.

I did find a bug report: Bug 16933 &ndash; AD Authentication Not working for some users

Which sounds like the same problem I'm having, but I can't find a solution anywhere.

Any suggestions on fixing this or troubleshooting it further?

Our version is: Release 4.5.6_GA_1024.RHEL4_20070627170556 RHEL4 NETWORK edition

Thanks!

[KenVM]

Just had a second account this morning that stopped working. Nothing has changed on the account since it was working, except possibly a password reset.

I've tried resetting the password in AD and changing the Zimbra password to match in case it was somehow falling through.

This account I was able to delete and re-create, which does seem to have fixed the problem. Unfortunately, I can't do that with the other account that I'm having a problem with.

No one has run into similar problems?

[bdial]

i dont kknow much about windows but is there something you can use to see whats happening on the AD side? Like with openldap you can turn the log level up to print out more debugging info than you could ever want, or like in novell using dstrace.

[KenVM]

I'm not familiar with anything on the AD side that would help. I was hoping someone here would have some pointers.

[phoenix]

In the bug report you mention above there are a couple of comments that ask for information (specifically 8 & 9). Can you do an ldapsearch from the zimbra server using one of the failing account credentials, does it return any valid results or do you get a failure? Does the information that's asked for in comment 9 exist in the failing account?

As you're on 4.5.6, is there any possibility that you will upgrade to the most recent Zimbra release any time soon?

If you are hitting this bug then you'll need to open a support case and refer to that bug report, you're likely to get the upgrade suggestion first.

PS Which version of AD are you actually authenticating against?

[KenVM]

Turns out there was a difference in the account.

The problem account was limited to what servers it could log in to. Once I removed this limitation the logins worked fine.

Does anyone know what entry I would have to put in to the allow list so that I could limit logins but still allow access to zimbra mail? I've tried the obvious ones (name of server, zimbra) but no dice.

Thanks,

-Ken