Active Directory Password Checkout - LDAP modify failed, error 53 (Server is unwilling to perform)

  • 7018092
  • 22-Sep-2016
  • 24-Aug-2018

Environment

NetIQ Privileged Account Manager
Microsoft Active Directory LDAP

Situation

Unable to check-in password with Microsoft Active Directory (AD) LDAP
Password Checkout for Active Directory Application over LDAP is not working
Using the checked-out password fails with an invalid credentials (account name / password) error
MyAccess reports Failed Check-in to user
The following appears in the Debug unifid.log when attempting check-in:
Warning, LDAP modify failed, error 53 (Server is unwilling to perform)
Error, LDAP modify failed - 182553

Resolution

Microsoft Active Directory (AD) may have requirements that are preventing the password change from taking place. This error means the destination LDAP server is not allowing this password change to go through. While there might be several reasons for the LDAP server to return this error, here are some common Microsoft Active Directory explanations / requirements:

  1. Microsoft AD may impose strength requirements on the password. In order to conform to these requirements, a password policy must be created and assigned to the application account domain in the Enterprise Credential Vault. For more details about this process, please refer to the product documentation.
  2. Microsoft AD may only accept password changes over secure connections (SSL, LDAP port 636). Verify the Active Directory Application Account Domain in the Enterprise Credential Vault has been configured to have SSL enabled and to use the correct port.
    Note: By default, LDAPS:// connections use port 636 for SSL.

  3. Microsoft AD requires that the client bind as a user with sufficient permissions to modify another user's password. In this case, the proxy credential provided to PAM in the AD LDAP Account Domain of the Enterprise Credential Vault must have sufficient permissions to modify another user's password. According to Microsoft, "the password is stored in the AD and LDS database on a user object in the unicodePwd attribute."
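The three requirements above can be checked before the modify is ever sent. The following is an added example, not NetIQ or Microsoft code: it encodes the new password in the quoted UTF-16LE form AD expects for unicodePwd and runs a pre-flight check of an Account Domain configuration against the conditions listed above. The AccountDomainConfig fields, the sample host and the 3-of-4 character-class approximation of AD's default complexity rule are assumptions made for illustration.

```python
from dataclasses import dataclass

LDAP_UNWILLING_TO_PERFORM = 53  # result code seen in unifid.log above
LDAPS_DEFAULT_PORT = 636


@dataclass
class AccountDomainConfig:
    """Hypothetical mirror of the AD LDAP Account Domain vault settings."""
    host: str
    port: int
    use_ssl: bool
    proxy_bind_dn: str  # identity PAM binds as before issuing the modify


def encode_unicode_pwd(password: str) -> bytes:
    """Build the unicodePwd value: the password in double quotes, UTF-16LE.

    AD rejects a plain UTF-8 value; the quotes are part of the wire format.
    """
    return f'"{password}"'.encode("utf-16-le")


def meets_default_complexity(password: str, min_length: int = 7) -> bool:
    """Assumption: approximates AD's default rule as 3 of 4 character classes."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def preflight(cfg: AccountDomainConfig, new_password: str) -> list[str]:
    """Return the misconfigurations from the article that lead to error 53."""
    problems = []
    if not cfg.use_ssl:
        problems.append("SSL disabled: AD accepts unicodePwd changes only over LDAPS")
    elif cfg.port != LDAPS_DEFAULT_PORT:
        problems.append(f"SSL enabled but port {cfg.port} is not the LDAPS default 636")
    if not cfg.proxy_bind_dn:
        problems.append("no proxy credential: bind identity needs rights to set passwords")
    if not meets_default_complexity(new_password):
        problems.append("password fails AD complexity: assign a vault password policy")
    return problems


if __name__ == "__main__":
    cfg = AccountDomainConfig("dc01.example.test", 389, False, "")  # constructed
    for issue in preflight(cfg, "short"):
        print("-", issue)
```

An empty list from preflight() means none of the conditions named in this article apply and the cause lies elsewhere on the domain controller.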

Cause

Microsoft Active Directory (AD) is denying the LDAP modify request because the request violates certain requirements / criteria determined by the Microsoft AD Domain Controller.

Additional Information

For more information from Microsoft on these certain restrictions, please refer to How to change a Windows Active Directory and LDS user password through LDAP.