Introduction

Applications use LDAP service accounts to bind to the directory for user authentication and directory lookups. When the service account password expires in Active Directory -- typically due to domain password expiration policies -- all applications using that account fail to authenticate against LDAP, causing widespread authentication outages.

Symptoms

  • All LDAP-dependent applications fail to authenticate users
  • Application logs show LDAP: error code 49 - Invalid Credentials or Password expired
  • LDAP bind test with the service account returns password expired error
  • Active Directory shows the service account with expired password status
  • Error message: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 773
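The `data NNN` field in that error message is the part worth parsing: Active Directory appends a sub-code to every LDAP error 49 bind failure, and it distinguishes an expired or must-change password (773, 532) from a wrong password (52e) or a lockout (775). The following classifier is an added example, not code from the original runbook; it runs over constructed sample log lines (hypothetical hosts `app1`..`app4`) and flags the pattern typical of a lapsed shared bind account: expiry-type failures arriving from several applications at once. The sub-code table is the standard AD mapping; only `data 773` appears on the page itself.

```python
import re
from collections import Counter

# Sub-error codes Active Directory returns in the "data NNN" field of an
# LDAP error 49 (invalidCredentials) bind response. Standard AD mappings;
# only "data 773" is taken from the runbook text.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must be changed (expired or reset required)",
    "775": "account locked out",
}

# Reasons that mean the bind account's own credential has lapsed, as opposed
# to a wrong password (52e) or a lockout (775)
EXPIRY_REASONS = {AD_BIND_SUBCODES["532"], AD_BIND_SUBCODES["773"]}

# Matches the comment AD appends to failed binds, e.g.
# "comment: AcceptSecurityContext error, data 773, v4563"
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def is_bind_failure(line: str) -> bool:
    """True for log lines that carry an LDAP bind failure."""
    return "error code 49" in line or "LdapErr" in line


def classify_bind_error(message: str) -> str:
    """Map one bind-failure message to a human-readable reason."""
    m = _DATA_RE.search(message)
    if m:
        code = m.group(1).lower()
        return AD_BIND_SUBCODES.get(code, f"unmapped AD sub-code {code}")
    if is_bind_failure(message):
        # Some applications log only the generic error 49 text
        return "invalid credentials (no AD sub-code)"
    return "unknown"


def summarize_log(lines) -> Counter:
    """Count bind-failure reasons across application log lines."""
    counts = Counter()
    for line in lines:
        if is_bind_failure(line):
            counts[classify_bind_error(line)] += 1
    return counts


def likely_expired_service_account(counts: Counter, threshold: int = 3) -> bool:
    """Heuristic: a burst of expiry-type failures across applications points
    at the shared bind account rather than at individual end users."""
    return sum(counts[r] for r in EXPIRY_REASONS) >= threshold


# Constructed sample log lines (hypothetical hosts app1..app4; not real data)
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z app1 ERROR LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 773, v4563",
    "2024-05-01T08:00:02Z app2 ERROR LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 773, v4563",
    "2024-05-01T08:00:03Z app3 ERROR LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v4563",
    "2024-05-01T08:00:04Z app1 INFO  request served in 12ms",
    "2024-05-01T08:00:05Z app4 ERROR LDAP: error code 49 - Invalid Credentials",
    "2024-05-01T08:00:06Z app2 ERROR LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v4563",
]

if __name__ == "__main__":
    summary = summarize_log(SAMPLE_LOG)
    for reason, count in summary.most_common():
        print(f"{count:3d}  {reason}")
    print("service account expiry suspected:",
          likely_expired_service_account(summary, threshold=2))
```

Feed it the bind-failure lines from each application's log (or point the same classifier at a log pipeline) and the counts tell you immediately whether you are looking at the shared account's password having expired or at something else, such as a lockout after repeated binds with the old password.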

Common Causes

  • Active Directory password expiration policy applying to the service account
  • Service account not configured with "Password never expires" flag
  • Password rotation not automated for LDAP service accounts
  • Account lockout policy triggering after repeated bind attempts with expired password
  • Service account created through normal user provisioning with default password policy

Step-by-Step Fix

  1. Confirm the service account password has expired: Check AD status.

```powershell
# On Active Directory server
Get-ADUser -Identity "ldap-svc" -Properties PasswordExpired, PasswordLastSet, AccountExpirationDate | Select Name, PasswordExpired, PasswordLastSet
# Should show: PasswordExpired: True
```

  2. Reset the service account password: Set a new password.

```powershell
# Reset password and set to never expire
# (the literal password below is a placeholder; in practice read it with
#  Read-Host -AsSecureString or from the secrets manager so it never lands
#  in the console transcript or shell history)
Set-ADAccountPassword -Identity "ldap-svc" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewComplexPassword123!" -Force)
Set-ADUser -Identity "ldap-svc" -PasswordNeverExpires $true
# Verify
Get-ADUser -Identity "ldap-svc" -Properties PasswordNeverExpires | Select PasswordNeverExpires
```

  3. Update all dependent applications with the new password: Propagate the change.

```yaml
# Update application LDAP configuration
# For each application using the LDAP bind account:
# - Update the bind password in the application config
# - Restart the application to reload the configuration
```

  4. Test LDAP bind with the new credentials: Verify the fix works.

```bash
# -w takes the password on the command line (visible in shell history and
# process lists); use -W instead to be prompted for it interactively
ldapsearch -H ldap://ad.example.com:389 \
  -D "CN=ldap-svc,OU=Service Accounts,DC=example,DC=com" \
  -w "NewComplexPassword123!" \
  -b "DC=example,DC=com" \
  "(sAMAccountName=testuser)" dn
# Should return the user's DN if bind is successful
```

  5. Monitor LDAP authentication across all applications: Verify full recovery.

```bash
# Check each application's LDAP authentication status
# Monitor for any remaining bind failures
# Verify users can authenticate through all dependent applications
```

Prevention

  • Configure LDAP service accounts with "Password never expires" in Active Directory
  • Store service account passwords in a secrets manager with rotation automation
  • Monitor LDAP bind failure rates and alert on authentication errors
  • Maintain an inventory of all applications using each LDAP service account
  • Document the LDAP service account password reset procedure in a runbook
  • Test LDAP connectivity after any Active Directory password policy changes
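The monitoring and inventory bullets above come down to one calculation: when does each service account's password actually expire? AD stores `pwdLastSet` as a Windows FILETIME (100 ns ticks since 1601), `maxPwdAge` on the domain root as a negative tick interval, and "Password never expires" as bit 0x10000 of `userAccountControl`. The script below is an added example, not part of the original runbook: it computes expiry from those raw attributes (as you would read them with `ldapsearch` from a non-Windows monitoring host, or export them from `Get-ADUser`) and reports every account that is already expired or expires within a chosen window, so the alert fires before the outage rather than after it. The domain policy, account names and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (standard AD flag values)
DONT_EXPIRE_PASSWORD = 0x10000   # "Password never expires"
NORMAL_ACCOUNT = 0x0200

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC; pwdLastSet and
# maxPwdAge are stored in these units (maxPwdAge as a negative interval).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """UTC datetime at which the password expires, or None if it never does.
    The never-expires flag and a zero maxPwdAge both disable expiry;
    pwdLastSet == 0 means "must change at next logon", which for a bind
    account is an immediate failure, so it is reported as already expired."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age == 0:
        return None
    if pwd_last_set == 0:
        return _FILETIME_EPOCH  # already unusable; sorts before everything else
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)


def accounts_expiring_within(accounts, max_pwd_age: int, now: datetime, days: int):
    """(sAMAccountName, expiry, days_left) for every account whose password is
    already expired or expires within `days`, soonest first."""
    horizon = now + timedelta(days=days)
    rows = []
    for acct in accounts:
        exp = password_expiry(acct["pwdLastSet"], max_pwd_age, acct["userAccountControl"])
        if exp is not None and exp <= horizon:
            rows.append((acct["sAMAccountName"], exp, (exp - now).days))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample data: hypothetical domain with a 90-day maxPwdAge
DOMAIN_MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "ldap-svc", "pwdLastSet": _ft(2024, 1, 15),
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},   # exempt
    {"sAMAccountName": "app-bind", "pwdLastSet": _ft(2024, 2, 20),
     "userAccountControl": NORMAL_ACCOUNT},                          # expires 2024-05-20
    {"sAMAccountName": "old-svc", "pwdLastSet": _ft(2024, 1, 1),
     "userAccountControl": NORMAL_ACCOUNT},                          # expired 2024-03-31
    {"sAMAccountName": "new-svc", "pwdLastSet": _ft(2024, 5, 1),
     "userAccountControl": NORMAL_ACCOUNT},                          # expires 2024-07-30
    {"sAMAccountName": "must-change-svc", "pwdLastSet": 0,
     "userAccountControl": NORMAL_ACCOUNT},                          # must change at next logon
]


def report(days: int = 14):
    return accounts_expiring_within(SAMPLE_ACCOUNTS, DOMAIN_MAX_PWD_AGE, NOW, days)


if __name__ == "__main__":
    for name, exp, left in report():
        state = "EXPIRED" if left < 0 else f"{left} days left"
        print(f"{name:16s} {exp:%Y-%m-%d}  {state}")
```

Run it on a schedule with a window longer than your rotation lead time and route the non-empty output to the on-call channel; accounts carrying the never-expires flag are skipped here because they are the ones a secrets-manager rotation job, not a policy expiry, should be turning over.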