How to troubleshoot LDAP integration with the SSO in CAPC



Article ID: 30374


Updated On:


CA Network Flow Analysis (NetQos / NFA)



A user has configured LDAP settings in the SSO, but it fails to authenticate a valid LDAP user. The section below describes troubleshooting steps that can be performed to validate the LDAP configuration in the SSO.

Case 1: User authentication works in the CAPC front end but not in one of the CAPC data sources.

CA Single Sign-On supports all of the following data sources:

- CA Infrastructure Management Data Aggregator

- CA Network Flow Analysis

- CA Application Delivery Analysis

- CA Unified Communications Monitor

When configuring SSO, make sure you select the option "Remote Value" so that settings are propagated to all other CA products registered to this instance of CA Performance Center. Remote Value settings are only used if a corresponding Local Override value is not present. Make sure that the corresponding data source is available and synchronized in CAPC, because synchronization is how the information configured in the SSO from CAPC is propagated down to each data source. If data source synchronization is faulty, this may cause a problem when attempting to log in to one of the data sources.

Case 2: LDAP is configured in the SSO, all data sources are synchronized in the CAPC / NPC but still authentication fails.

Make sure that the LDAP settings are configured properly in the SSO. Use the steps below to test them:

1. Log in to the server where CA Performance Center or a CA data source product is installed.
Log in as root or with the 'sudo' command.

2. Launch the Single Sign-On Configuration Tool by running the './SsoConfig' command in the following directory:


You are prompted to select an option. The available options correspond to CA applications running on the local server.

3. Use the following commands as needed while you are selecting settings:
- q (quit)
- b (go back to the previous menu)
- u (update)
- r (reset)

4. Enter 5 to test LDAP.

The prompt asks you to enter a username.

5. Enter a username and a password that you know can authenticate using LDAP.

Single Sign-On attempts to connect to the LDAP server and validate the user account, using the parameters you supplied when you set up LDAP authentication. If the test succeeds, numerous steps are logged. A message reports whether the authentication succeeded or failed. If it fails, check the error message. The output below is an example of a failed authentication:


SSO Configuration/CA Application Delivery Analysis/Test LDAP
Enter username > nqadmin
Enter password >
We will now attemp to bind to the supplied LDAP server using the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = LDAP://
Could not read the provided ldapEncryption mechanism. Defaulting to SIMPLE authentication
DirContext.SECURITY_PRINCIPAL = [email protected]
Could not obtain a DirectoryContext.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
The specified account does not exist.
Bind to the directory failed.


The LDAP test shows that the specified username does not exist in the LDAP directory or is invalid.

In the output above, the AD-specific error code is the value after "data" and before "vece" in the error string returned to the binding process; in this example it is 525. See the list below for other codes:

525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
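
The following Python sketch is an added example, not part of the SsoConfig tool or the original article. It extracts the value after "data" from each "error code 49" message in saved test output, including messages wrapped across lines as in the example above, and maps it to the list above. The function name and the sample text are constructed for illustration.

```python
import re

# AD sub-codes and meanings, copied from the list above (hex strings).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Sub-code = hex value after "data" inside a bracketed "LDAP: error code 49" message.
# [^\]] also matches newlines, so a message wrapped across lines still parses,
# and a match can never run past the closing bracket into a later message.
BIND_ERROR = re.compile(
    r"\[LDAP:\s+error\s+code\s+49\b[^\]]*?\bdata\s+([0-9a-fA-F]+)\s*,[^\]]*\]"
)

def explain_bind_failures(output):
    """Return [(sub_code, meaning)] for every error-49 bind failure in the text."""
    results = []
    for match in BIND_ERROR.finditer(output):
        sub = match.group(1).lower()  # normalize case, e.g. 52E -> 52e
        meaning = AD_SUBCODES.get(sub, "sub-code not in the list above")
        results.append((sub, meaning))
    return results

# Constructed sample output (not captured from a real system): one wrapped
# message as in the example above, one single-line message, one unlisted code.
SAMPLE = """\
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr:
DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
Bind to the directory failed.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 999, vece ]
"""

if __name__ == "__main__":
    for sub, meaning in explain_bind_failures(SAMPLE):
        print(f"data {sub}: {meaning}")
```
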

You can use the third-party tool below to troubleshoot your LDAP connection and apply the correct LDAP settings in the SSO:



Release: RA50DV99000-2.1-Network Flow Analysis-50 Devices