Error “Logon by password was denied” when logging on with a domain password

  • 7013136
  • 27-Aug-2013
  • 29-Aug-2013

Environment

NetIQ Advanced Authentication 4.8

Situation

Authorization error “Logon by password was denied” when logging on with a domain password.

Resolution

First, check that logon by password is allowed for the user on the NetIQ tab in Active Directory Users and Computers. This also checks that the NetIQ data in the directory is not corrupted for the user.

If you are presented with an error, repeat the steps above for other user objects to verify that they are not affected. Once you have confirmed that the error seems to affect only a particular user, it is almost certain that the user’s data has become corrupt and should be recreated.

Manually delete the NetIQ data for the user via the ADSI Edit MMC snap-in.

1. Connect to the user object in ADSI Edit by selecting, then right-clicking on ADSI Edit beneath the Console Root.

2. Select “Connect To”.

3. In the Connection Settings Dialog, look for the “Connection Point” section, then select the radio button labeled “Select or type a Distinguished Name or Naming Context:”.

4. Supply your DN path information, such as “DC=childdomain,DC=parentdomain,DC=com” or “DC=domain,DC=com”, etc.

5. Supply any additional configuration information as may be required by your directory.

6. Click “OK” and allow your directory objects to populate the right window pane.

7. Browse to the affected user object.

8. Select, then right-click the affected user object and select “Properties”.

9. Select each of the following attributes, press “Edit”, then press “Clear”:

  1. bioAuthenticationSet;
  2. bioCustom;
  3. bioSubsystemLicense;
  4. bioUserPassword;
  5. bioUserSettings.

10. You have now cleared the data for this user.

11. Verify that you can now access the user from the NetIQ User Viewer MMC snap-in or the NetIQ tab in Active Directory Users and Computers.

12. Reset any policies that may have been cleared.

13. Enroll the user, or have the user self-enroll from the NetIQ Client.
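
The attribute clearing in steps 7 to 10 can also be scripted. The following is an added example, not NetIQ's own tooling: it saves the current values to a file before clearing them, then re-reads the object to confirm. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the attributes' LDAP display names are exactly the names listed in step 9; the parameter names and backup folder are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # sAMAccountName or distinguished name of the affected user (supplied by the operator)
    [Parameter(Mandatory = $true)][string]$Identity,
    # Folder for the pre-change backup (hypothetical default)
    [string]$BackupDir = (Join-Path $env:TEMP 'netiq-attr-backup')
)

# Attribute names as listed in step 9 (assumed to be the LDAP display names).
$attrs = 'bioAuthenticationSet', 'bioCustom', 'bioSubsystemLicense',
         'bioUserPassword', 'bioUserSettings'

$user = Get-ADUser -Identity $Identity -Properties $attrs -ErrorAction Stop

# Only act on attributes that currently hold a value.
$populated = @($attrs | Where-Object { $null -ne $user.$_ })
if ($populated.Count -eq 0) {
    Write-Output "No NetIQ attributes are set on $($user.DistinguishedName)."
    return
}

# Keep a copy of the old values so the change can be reviewed later.
# Under -WhatIf, New-Item and Export-Clixml are skipped as well.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "$($user.SamAccountName)-$stamp.clixml"
$user | Select-Object (@('DistinguishedName') + $populated) |
    Export-Clixml -Path $backup

if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Clear $($populated -join ', ')")) {
    Set-ADUser -Identity $user.DistinguishedName -Clear $populated `
        -Confirm:$false -ErrorAction Stop

    # Re-read the object to confirm the attributes are gone.
    $after = Get-ADUser -Identity $user.DistinguishedName -Properties $attrs
    $left  = @($attrs | Where-Object { $null -ne $after.$_ })
    if ($left.Count -gt 0) {
        Write-Warning "Still populated: $($left -join ', ')"
    } else {
        Write-Output "Cleared $($populated.Count) attribute(s). Backup: $backup"
    }
}
```

Run it with `-WhatIf` first to see which attributes would be cleared; the backup file contains authentication data and should be stored and deleted accordingly.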

Additional Information

Formerly known as 0028.