Cisco Meraki Documentation

Troubleshooting Active Directory Authentication issues with Splash Page using Windows Event Viewer

Sign-on Splash page with Active Directory authentication uses LDAP/TLS to securely bind to a Global Catalog for authentication. Specifically, the AP performs a secure LDAP bind to the Domain controller on Global Catalog TCP port 3268 using the admin credentials specified in Dashboard and searches the directory for the user with the credentials entered into the splash page.

Troubleshooting authentication failures

Examining LDAP interface events in the Windows Directory Service event log can help determine whether a bad password or a bad username is the cause of the authentication failure. To enable LDAP debugging logs on the Domain Controller, set the LDAP Interface Events diagnostics level to verbose in the Windows registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, set the DWORD value named "16 LDAP Interface Events" to 5. Level 5 generates a large volume of events, so set the value back to 0 once troubleshooting is finished. Once LDAP events have been enabled, open the Windows Event Viewer and navigate to Applications and Services Logs > Directory Service.

Before running the test widget or attempting to authenticate via the splash page to generate some events, clear the older events or filter the log to the last hour so that the new events are easy to locate. Right-click the Directory Service log and choose Clear log, then perform the authentication attempts.

After LDAP events have been generated, they can be pieced together to isolate the cause of the authentication failure as described below.

Bad passwords (Admin or User)

When all users are unable to authenticate to the splash page, the cause is most likely bad admin credentials. If some users can authenticate, it is probably bad user credentials. Either way, the test widget can be used to determine whether the admin or the user password is invalid. In the Windows Event log, the SID of the account using the bad password is shown in an Event 1174. If the Active Directory admin password or the user account password is incorrect, you will see Events in the following order.

  1. Events 1138 and 1139 always appear when an LDAP search occurs.

  2. When a bad password is entered, an Event 1174 immediately follows, showing the SID of the account that attempted to use the bad password.

     You can use the SID specified in the 1174 Event and match it to the user object (Admin or user) properties in Active Directory Users and Computers.

  3. Event 1535 appears after the 1174 and tells you an LDAP error occurred.

  4. Event 1215 shows the LDAP client closed the connection.

Whichever account SID was specified in the 1174 event is the one that had a bad password. Make sure to use the correct password and try again.

Active Directory Admin account name is invalid

If the Active Directory admin name is invalid or does not exist in the directory, all users will fail to authenticate through the splash page and the test widget will report "bad admin password". A 1174 event will not appear because the initial bind request failed. You will see Events 1138 then 1139, immediately followed by a 1535 LDAP error event. Finally the LDAP client will close the connection, resulting in a 1215 event. In this case, verify the account exists in Active Directory. Try using the UPN, e.g. administrator@mydomain.local, or just the sAMAccountName, e.g. administrator, without a domain prefix or suffix.

Login username is invalid

If the user account logging into the splash page does not exist in the directory, the username is being entered incorrectly, or the Admin account does not have access to the OU containing the user, the LDAP search completes successfully with no error events. Events 1138 and 1139 are logged when a successful LDAP search has occurred, however a "bad user password" result will appear in the test widget and the Sign-on Splash page will report Access denied. In this case, verify the user account name is valid and that the admin account has read access to the OU containing the user.
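The procedure above (enable the LDAP Interface Events level, clear the Directory Service log, perform one authentication attempt, then read the 1138/1139/1174/1535/1215 sequence) as a PowerShell script for the Domain Controller. This is an added example and not part of the Meraki article; the registry location and event IDs are the ones the article and Windows use, while the sample event objects at the end are constructed for an offline demonstration and do not reproduce Microsoft's real event message text. The only assumption in the parsing is that the 1174 message contains a domain SID in the usual S-1-5-21-... form, as the article states.

```powershell
# Added example (not from the Meraki article). Run in an elevated PowerShell session on the DC.
$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'
$LdapIds   = 1138, 1139, 1174, 1535, 1215   # the events the article pieces together

function Enable-LdapInterfaceEvents {
    # Level 5 is the most verbose setting; it fills the log quickly, so turn it off when done.
    Set-ItemProperty -Path $DiagKey -Name $DiagValue -Value 5 -Type DWord
}

function Disable-LdapInterfaceEvents {
    Set-ItemProperty -Path $DiagKey -Name $DiagValue -Value 0 -Type DWord
}

function Clear-DirectoryServiceLog {
    # Same as Event Viewer > Directory Service > Clear log; do this right before the test attempt
    # so the window contains exactly one splash-page authentication attempt.
    Clear-EventLog -LogName 'Directory Service'
}

function Get-RecentLdapEvents {
    param([int]$Minutes = 60)
    # Equivalent to filtering the Directory Service log to the last hour in Event Viewer.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $LdapIds
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

function Resolve-AccountSid {
    param([string]$Sid)
    # Same lookup as matching the SID against the object in Active Directory Users and Computers.
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-SplashAuthFailureCause {
    # $Events: objects with Id and Message, in time order, from a single authentication attempt.
    param([object[]]$Events)
    $ids = @($Events | ForEach-Object { $_.Id })

    if ($ids -contains 1174) {
        # Bad password: the 1174 names the SID of whichever account (admin or user) failed.
        $bad = $Events | Where-Object { $_.Id -eq 1174 } | Select-Object -First 1
        $sid = [regex]::Match($bad.Message, 'S-1-5-21-[0-9-]+').Value   # assumes a domain SID in the text
        return [pscustomobject]@{ Cause = 'Bad password'; Sid = $sid;
            Note = 'Resolve the SID to see whether the admin or the splash user failed.' }
    }
    if ($ids -contains 1535) {
        # 1138, 1139, 1535, 1215 with no 1174: the initial admin bind failed before any SID was resolved.
        return [pscustomobject]@{ Cause = 'Admin account name invalid or not found'; Sid = $null;
            Note = 'Try the UPN (admin@domain) or the bare sAMAccountName.' }
    }
    if (($ids -contains 1138) -and ($ids -contains 1139)) {
        # Search completed with no LDAP error, yet the splash page denied access.
        return [pscustomobject]@{ Cause = 'Login username invalid, or admin lacks read access to the user OU'; Sid = $null;
            Note = 'Verify the username and the admin account''s read access to the OU.' }
    }
    [pscustomobject]@{ Cause = 'No LDAP interface events found'; Sid = $null;
        Note = 'Check the diagnostics level and the time window.' }
}

# Constructed sample events (message text is NOT real Microsoft event text) for the bad-password case.
$sample = @(
    [pscustomobject]@{ Id = 1138; Message = 'constructed: LDAP search request received' }
    [pscustomobject]@{ Id = 1139; Message = 'constructed: LDAP search completed' }
    [pscustomobject]@{ Id = 1174; Message = 'constructed: bad password for SID S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Id = 1535; Message = 'constructed: LDAP error' }
    [pscustomobject]@{ Id = 1215; Message = 'constructed: LDAP client closed the connection' }
)
Get-SplashAuthFailureCause -Events $sample

# Live use on the Domain Controller:
#   Enable-LdapInterfaceEvents; Clear-DirectoryServiceLog
#   ... run the Dashboard test widget or one splash-page login ...
#   $cause = Get-SplashAuthFailureCause -Events (Get-RecentLdapEvents -Minutes 60)
#   if ($cause.Sid) { Resolve-AccountSid $cause.Sid }
#   Disable-LdapInterfaceEvents
```

The classifier treats every event in the window as one attempt, which is why clearing the log immediately before a single test matters: two overlapping attempts (one with a bad admin password, one with a bad user password) would both contribute 1174 events and the first SID found would be reported.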

Testing LDAP

Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to confirm that the LDAP service is running and that the server certificate is usable for a TLS session.

Please reference Microsoft documentation for error code details and troubleshooting assistance.
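A scripted alternative to the Ldp.exe check, added here and not part of the Meraki article: it reproduces from a Windows host the sequence the article describes for the AP, a TLS-protected bind on the Global Catalog port 3268 with the admin credentials, a search for the splash-page user, and then a bind as that user. The Domain Controller name, credentials and user are placeholders; the script needs network access to a real DC and, like the AP, a DC certificate the client trusts.

```powershell
# Added example (not from the Meraki article). Needs a reachable DC; all names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SplashLdapAuth {
    param(
        [string]$DomainController,   # e.g. dc01.mydomain.local (placeholder)
        [string]$AdminUser,          # as entered in Dashboard: UPN or bare sAMAccountName
        [string]$AdminPassword,
        [string]$SplashUser,         # sAMAccountName typed into the splash page
        [string]$SplashPassword
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 3268)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        # StartTLS on the Global Catalog port; a TlsOperationException here means the DC certificate
        # is not trusted or not usable, the case the article points at Ldp.exe for.
        $conn.SessionOptions.StartTransportLayerSecurity($null)

        # Admin bind. A failure here with no SID logged corresponds to the "admin name invalid" case.
        $conn.Bind((New-Object System.Net.NetworkCredential($AdminUser, $AdminPassword)))

        # Empty base DN searches the whole Global Catalog; filter on the name typed into the splash page.
        $filter = "(&(objectClass=user)(sAMAccountName=$SplashUser))"
        $attrs  = [string[]]('distinguishedName', 'objectSid')
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest('', $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
        $resp   = $conn.SendRequest($req)
        if ($resp.Entries.Count -eq 0) {
            # Matches the "login username is invalid" case: search succeeds (1138/1139) but no object.
            return "User '$SplashUser' not found, or the admin account cannot read its OU"
        }
        $entry    = $resp.Entries[0]
        $sidBytes = $entry.Attributes['objectSid'].GetValues([byte[]])[0]
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Bind as the user found; a wrong password here is what produces the 1174 with this SID.
        $conn.Bind((New-Object System.Net.NetworkCredential($entry.DistinguishedName, $SplashPassword)))
        return "OK: $($entry.DistinguishedName) ($sid) authenticated"
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ServerErrorMessage carries the AD sub-code the bind response returns, e.g. 'data 52e' for a
        # bad password or 'data 525' for a user that does not exist; see Microsoft's error code docs.
        return "LDAP bind failed: $($_.Exception.Message) $($_.Exception.ServerErrorMessage)"
    }
    catch {
        return "LDAP operation failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}

# Placeholder values; replace with the Dashboard admin credentials and a real splash-page user.
Test-SplashLdapAuth -DomainController 'dc01.mydomain.local' `
    -AdminUser 'administrator@mydomain.local' -AdminPassword 'AdminPassword' `
    -SplashUser 'jdoe' -SplashPassword 'UserPassword'
```

Running this while the LDAP Interface Events level is set to 5 lets you see which step produced which Directory Service events, and the `data 52e` / `data 525` sub-codes in the bind error distinguish a bad password from a non-existent account without reading the event log at all.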

Additional Resources

For more info on troubleshooting splash pages in general, please refer to our documentation regarding Splash Page Traffic Flow and Troubleshooting.