---
title: Troubleshooting LDAP authentication
description: Troubleshoot any PingOne LDAP authentication issues.
component: pingone
page_id: pingone:integrations:p1_troubleshooting_ldap_authentication
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_troubleshooting_ldap_authentication.html
revdate: March 14, 2025
section_ids:
  users-receive-an-error-when-signing-on-or-changing-their-password: Users receive an error when signing on or changing their password
  im-getting-an-active-directory-password-modify-error: I'm getting an Active Directory password modify error
  how-do-i-know-if-a-user-has-entered-an-incorrect-username: How do I know if a user has entered an incorrect username?
  how-do-i-know-if-a-user-has-entered-an-incorrect-password: How do I know if a user has entered an incorrect password?
  my-ldap-gateway-user-migration-failed: My LDAP gateway user migration failed
---

# Troubleshooting LDAP authentication

Use the information in this section to troubleshoot any LDAP authentication issues.

## Users receive an error when signing on or changing their password

A user receives the following error message when signing on or trying to change their password:

```
A system error occurred when accessing your account for authentication. Contact your administrator.
```

If this error occurs, check for the following:

* Check whether the user's account needs to be updated in the external Lightweight Directory Access Protocol (LDAP) directory server (LDAP is an open, cross-platform protocol for interacting with directory services). If you have an LDAP gateway configured, ensure that it's configured properly.

* If **Update PingOne user attributes as users sign on** is enabled in the PingOne admin console, check the audit logs for any update failures.

## I'm getting an Active Directory password modify error

For LDAP gateway connections using Active Directory (AD), you might see password modify errors in your LDAP gateway client logs.

This error can appear as a failure to change a password using a service account in AD. The error appears as either of the following:

```
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3,
resultCode=19 (constraint violation), resultDetails=LDAPResult(resultCode=19 (constraint violation),
diagnosticMessage='00000005: AtrErr: DSID-03191080, #1: 0: 00000005: DSID-03191080, problem 1005
(CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)')
```

```
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3,
resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights),
diagnosticMessage='00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0')
```

Learn more about the recommended configuration for the service account in AD in [Creating a service account for LDAP gateways](p1_creating_service_account_ldap_gateway.html).

## How do I know if a user has entered an incorrect username?

If the LDAP gateway connects to AD and the provided username does not match any user record in AD, look for two `DEBUG` messages similar to the following samples in the gateway client application log:

```
DEBUG 2024-10-10T13:06:30.495Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Processing message=rawLdapSearchesThenOpRequest requestId=853ea174-6ccf-475d-9db3-a5f38edde100 searches=[SearchRequest(baseDN='CN=Users,DC=example,DC=local', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(|(sAMAccountName=non-existent)(mail=non-existent))', attrs={*, +})]
```

```
DEBUG 2024-10-10T13:06:30.516Z c.p.l.r.internal.SerializationUtils - Search result has entryCount=0
```

The `non-existent` value in the search filter and the `Search result has entryCount=0` message together indicate that the user has entered an incorrect username (or that the user record has been deleted in Active Directory).

If the LDAP gateway connects to PingDirectory, similar messages are also recorded to the gateway client application log.

## How do I know if a user has entered an incorrect password?

If the LDAP gateway connects to AD and the provided username is valid but the provided password is not, look for a log message similar to the following sample in the gateway client application log:

```
WARN  2024-10-11T14:09:25.545Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Received ldap result for requestId=a8336c85-6980-4436-82a2-3f2fcdb3c454, resultCode=49 (invalid credentials), resultDetails=BindResult(resultCode=49 (invalid credentials), messageID=3, diagnosticMessage='80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ', hasServerSASLCredentials=false)
```

The `resultCode=49` message indicates the user has entered an incorrect password.

If the LDAP gateway connects to PingDirectory, a similar `resultCode=49` message is also recorded to the gateway client application log.

## My LDAP gateway user migration failed

If your LDAP gateway user migration fails, search for the `Gateway User Migration Failed` event in the list of [Audit Reporting Events](https://developer.pingidentity.com/pingone-api/platform/reference/audit-reporting-events.html). This event is triggered when a just-in-time (JIT) migration is attempted but rejected by the PingOne API.

The event message `Migration for Gateway User <username> failed through Gateway <gateway ID> using User Type <user type ID> due to error: <error message>` shows the following details:

* `username`: The username retrieved from the on-premises LDAP server.

* `error`: The error returned when attempting to import the user using the [PingOne API](https://developer.pingidentity.com/pingone-api/platform/users/users-1/create-user-import.html).

Common failure scenarios include:

* Username and password sign-on: The user authenticated against LDAP, but PingOne couldn't create a profile for them in the cloud.

* Kerberos authentication: The Kerberos token was validated, but the JIT provisioning step failed due to missing or malformed attributes.
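The following script is an added example (not part of this page or of the PingOne gateway software) that turns the log excerpts from the password-modify, incorrect-username and incorrect-password sections, plus the migration-failure event message, into a quick triage report. It reads the gateway client log in order, pairs each user-lookup search with the `entryCount=0` result that follows it, and maps the `resultCode` values shown on this page to short verdicts; the verdict names, the regexes and the sample log (assembled from the excerpts above) are this example's own choices, and `parse_migration_failure` assumes the event message has exactly the template quoted in the last section.

```python
import re

# Constructed sample, assembled from the gateway client log excerpts quoted on this page
# (one unknown username, one bad password, two AD password-modify failures).
SAMPLE_LOG = """\
DEBUG 2024-10-10T13:06:30.495Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Processing message=rawLdapSearchesThenOpRequest requestId=853ea174-6ccf-475d-9db3-a5f38edde100 searches=[SearchRequest(baseDN='CN=Users,DC=example,DC=local', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(|(sAMAccountName=non-existent)(mail=non-existent))', attrs={*, +})]
DEBUG 2024-10-10T13:06:30.516Z c.p.l.r.internal.SerializationUtils - Search result has entryCount=0
WARN  2024-10-11T14:09:25.545Z c.p.l.l.RawLdapSearchesThenOpRequestHandler - Received ldap result for requestId=a8336c85-6980-4436-82a2-3f2fcdb3c454, resultCode=49 (invalid credentials), resultDetails=BindResult(resultCode=49 (invalid credentials), messageID=3, diagnosticMessage='80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ', hasServerSASLCredentials=false)
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3, resultCode=19 (constraint violation), resultDetails=LDAPResult(resultCode=19 (constraint violation), diagnosticMessage='00000005: AtrErr: DSID-03191080, #1: 0: 00000005: DSID-03191080, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)')
LDAP password change result requestId=be2f0fb3-a090-4bf5-ab9c-97a9e480f6e3, resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights), diagnosticMessage='00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0')
"""

REQUEST_ID = re.compile(r"requestId=([0-9a-f-]+)")
RESULT_CODE = re.compile(r"resultCode=(\d+)")           # first resultCode on the line
SAM_ACCOUNT = re.compile(r"\(sAMAccountName=([^)]*)\)")  # username from the lookup filter

def triage(log_text):
    """Return (context, verdict) pairs; context is the requestId, or the searched
    username for a lookup that returned no entries (the two-message pattern)."""
    findings = []
    last_username = None  # from the most recent rawLdapSearchesThenOpRequest line
    for line in log_text.splitlines():
        rid = REQUEST_ID.search(line)
        rid = rid.group(1) if rid else None
        code = RESULT_CODE.search(line)
        code = int(code.group(1)) if code else None
        if "message=rawLdapSearchesThenOpRequest" in line:
            user = SAM_ACCOUNT.search(line)
            last_username = user.group(1) if user else None
        elif "Search result has entryCount=0" in line:
            # second half of the pair: the user lookup matched nothing
            findings.append((last_username, "unknown-username"))
        elif "Received ldap result" in line and code == 49:
            findings.append((rid, "bad-password"))
        elif "LDAP password change result" in line and code == 19 and "unicodePwd" in line:
            findings.append((rid, "pwd-modify-constraint-violation"))
        elif "LDAP password change result" in line and code == 50:
            findings.append((rid, "pwd-modify-insufficient-rights"))
    return findings

# Assumed to match the 'Gateway User Migration Failed' message template quoted above.
MIGRATION_EVENT = re.compile(
    r"Migration for Gateway User (?P<username>.+?) failed through Gateway "
    r"(?P<gateway_id>\S+) using User Type (?P<user_type_id>\S+) due to error: (?P<error>.*)")

def parse_migration_failure(message):
    """Split an audit event message into username, gateway_id, user_type_id, error."""
    m = MIGRATION_EVENT.fullmatch(message.strip())
    return m.groupdict() if m else None
```

Call `triage(open(path).read())` on a real gateway client log to get the same report for your own environment; the `pwd-modify-*` verdicts point back to the service account configuration discussed in the Active Directory section.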
