How to find detailed authentication failure information from LDAP’s DirectoryEntry function

Kevin (Xiaocong) Zheng
2 min read · Sep 23, 2021

A lot of our applications authenticate users against Active Directory by binding with the user's credentials through the System.DirectoryServices DirectoryEntry class.

When the bind fails, the exception's Message only carries a generic text such as "The user name or password is incorrect". Often the real cause is not a wrong password at all (a locked or disabled account, an expired password, a logon-hours restriction), so we need the detailed reason for the failure.

We can wrap the bind in a Try/Catch block and catch DirectoryServicesCOMException: its ExtendedErrorMessage property holds the domain controller's full diagnostic text. Note that the DirectoryEntry constructor does not bind; the bind happens on the first property access, so that is where the exception is raised.

' Requires a project reference to System.DirectoryServices
Imports System.DirectoryServices

Try
    ' No network traffic yet: the bind happens on the first property access below,
    ' so a bad credential throws at rootDSE.Properties(...), not in the constructor.
    Dim rootDSE As DirectoryEntry = New DirectoryEntry(String.Format("LDAP://{0}/rootDSE", "Your Domain Server"), txtUserName.Text, txtPassword.Text, AuthenticationTypes.Secure Or AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
    Dim rootDN As String = DirectCast(rootDSE.Properties("defaultNamingContext").Value, String)
    Dim searchRoot As DirectoryEntry = New DirectoryEntry(String.Format("LDAP://{0}/{1}", "Your Domain Server", rootDN), txtUserName.Text, txtPassword.Text, AuthenticationTypes.Secure Or AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
    Dim searcher As DirectorySearcher = New DirectorySearcher(searchRoot)
    searcher.PropertiesToLoad.Add("cn")
    ' Escape the RFC 4515 filter metacharacters before interpolating user input;
    ' otherwise the login name is an LDAP filter injection point.
    Dim safeUser As String = txtUserName.Text.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
    searcher.Filter = String.Format("(sAMAccountName={0})", safeUser)
    searcher.SearchScope = SearchScope.Subtree
    searcher.CacheResults = False
    Dim result As SearchResult = searcher.FindOne()
    bLoggedIn = (result IsNot Nothing)
    searcher.Dispose()
    searchRoot.Dispose()
    rootDSE.Dispose()
Catch ex As DirectoryServicesCOMException
    ' ExtendedErrorMessage is the DC's diagnostic text, including the "data NNN" sub-error.
    Dim ErrorMessage As String = ex.ExtendedErrorMessage
    bLoggedIn = False
End Try

The error message looks like '8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1' or '8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1'. The leading 8009030C is the SSPI HRESULT (SEC_E_LOGON_DENIED) and the DSID identifies the DC code path, so those two parts vary between server versions; the "data" field is the part we want.

The value after "data" is the detailed sub-error of the authentication failure. It is the hexadecimal form of the Win32 logon error code (for example 52e = 1326 = ERROR_LOGON_FAILURE, 775 = 1909 = ERROR_ACCOUNT_LOCKED_OUT). Log it on the server side, but keep showing the generic message to the user: returning 525 versus 52e lets an attacker enumerate valid account names, and 775 reveals lockout state. Below is a list of the error codes:

525 - user not found 
52e - invalid credentials
530 - not permitted to logon at this time
531 - not permitted to logon at this workstation
532 - password expired
533 - account disabled
534 - The user has not been granted the requested logon type at this machine
701 - account expired
773 - user must reset password
775 - user account locked
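Because this text is the diagnostic message produced by the domain controller, any LDAP client that binds to AD sees the same string (in .NET it is ExtendedErrorMessage; python-ldap and ldap3 expose the same field in their bind result). The parser below is an added example, not code from the original post: it extracts the HRESULT, DSID and "data" sub-error with a regular expression, maps the sub-error to the table above, and separates what goes into the server log from what is safe to show the user. The sample messages are constructed for the example; the function and table names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "data NNN" sub-errors of AD's AcceptSecurityContext diagnostic message.
# They are the hexadecimal values of the Win32 logon error codes,
# e.g. 0x52e = 1326 = ERROR_LOGON_FAILURE.
LOGON_ERRORS = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x534: "user has not been granted the requested logon type at this machine",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "user account locked",
}

# Layout: "<HRESULT>: LdapErr: DSID-<id>, comment: <text>, data <hex>, v<hex>"
_PATTERN = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


@dataclass
class BindFailure:
    hresult: int
    dsid: str
    comment: str
    data: int
    reason: str


def parse_bind_failure(message: str) -> Optional[BindFailure]:
    """Parse the DC's diagnostic text from a failed bind.

    Returns None when the text does not have the AcceptSecurityContext layout
    (e.g. a connection or TLS error that never reached the DC).
    """
    m = _PATTERN.search(message)
    if not m:
        return None
    data = int(m.group("data"), 16)
    return BindFailure(
        hresult=int(m.group("hresult"), 16),
        dsid=m.group("dsid"),
        comment=m.group("comment").strip(),
        data=data,
        reason=LOGON_ERRORS.get(data, f"unknown sub-error 0x{data:x}"),
    )


def log_line(username: str, failure: Optional[BindFailure]) -> str:
    """Server-side record: this is where the sub-error belongs."""
    if failure is None:
        return f"bind failed for {username}: no AcceptSecurityContext data"
    return (f"bind failed for {username}: data=0x{failure.data:x} ({failure.reason}) "
            f"hresult=0x{failure.hresult:08x} dsid={failure.dsid}")


def user_facing_message(failure: Optional[BindFailure]) -> str:
    """What the login form may show.

    532 and 773 are only returned once the password itself was accepted, so
    telling the user to change it leaks nothing. Every other case stays generic:
    525 vs 52e would confirm which account names exist, and 775 reveals lockout.
    """
    if failure is not None and failure.data in (0x532, 0x773):
        return "Your password has expired and must be changed."
    return "The user name or password is incorrect."


# Constructed sample messages in the format shown in the post (not captured from a real DC).
SAMPLES = [
    "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1",
    "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1",
    "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 773, v1db1",
    "The LDAP server is unavailable.",
]


def classify_samples():
    """Return (reason, user message) for each sample, in order."""
    out = []
    for msg in SAMPLES:
        f = parse_bind_failure(msg)
        out.append((f.reason if f else None, user_facing_message(f)))
    return out


if __name__ == "__main__":
    for msg in SAMPLES:
        f = parse_bind_failure(msg)
        print(log_line("jdoe", f))
        print("  shown to user:", user_facing_message(f))
```

The split between log_line and user_facing_message is the point: the detailed code drives alerting and help-desk triage, while the login page keeps returning the same text for every failure except the two password-change conditions.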
