CA IDM with AD Authentication issue
search cancel

CA IDM with AD Authentication issue


Article ID: 131303


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal


By default, CA Identity Manager comes with an out-of-the-box, Default authentication module. The Default module authenticates the user against the directory that is configured for their environment. Two other authentication module choices exist: The Active Directory or a custom module.

Having configured the Active Directory Module for external authentication and trying to login the following error is returned:

Error: AD Internal Error:Check AD



CA Identity Manager 14.x
CA Identity Suite 14.x


This is caused by a congestion on the LDAP port.


Configuring IM to use the Global Catalog port (3268) rather than the default AD LDAP port (389) addresses this issue.

Additional Information

In Identity Manager 14.0 and 14.1 the "" file contains the configuration settings.

The "" file is located as following PATH 


SERVERS=hostname to SERVERS=hostname:3268

The file no longer uses the Active Directory Server settings. In 14.2, you can now manage the configuration in the Authentication Properties section of the Management Console, Environment, <Environment>, User Console screen. The values are persisted with the environment in the CA Identity Manager object store. 

Next Actions: 

Follow these steps: 

1. In the Management Console, select Environment, 
2. Select the environment that you want to manage, and then click Advanced Settings. 
3. The Advanced Settings page appears. Select User Console. 
4. In the Authentication Properties section, select the radio button for "Active Directory" 
5. Click on "Module Properties" enter a corresponding value: 

SERVERS: Specifies the IP address of the Active Directory server(s). Use the following format (no spaces): 
For example:, 

ADMINDN: Specifies the DN of the Administrator ID used to connect to Active Directory. This property is required. For example: 

ADMINPWD: Specifies the Administrator Password for Active Directory. Enter and then confirm this password. This value is required. 

BASEDN: Specifies the Base DN for the User Search in Active Directory. This property is required. For example: cn=Users,ca=companyX,dc=com 

SSL: Determines whether to use SSL. Values are TRUE or FALSE. 

SEARCHFILTER: Specifies a valid LDAP search filter with a variable substitution for an AD User. "%s" must be part of the filter, as it is replaced with the user name in authentication. This property is required. For example, to define a filter when using the default Active Directory User Schema, enter SEARCHFILTER=sAMAccountName=%s 

Note: When using a custom Active Directory User schema, the objectCategory and ObjectClass filters clauses must both be defined in the filter and match the LDAP object classes of the custom schema. For example, enter: SEARCHFILTER=(&(objectCategory=person)(objectClass=CompanyXUser)(sAMAccountName=%s)) 

Once you have configured the settings (see below) , click SAVE and Restart the Environment.