LDAP authentication fails with LDAPMessage bindResponse strongAuthRequired

Article ID: 38697

Products

APPLICATION DELIVERY ANALYSIS SUPERAGENT

Issue/Introduction

Issue/Problem/Symptoms:

The user configures LDAP integration in the SSO utility; however, when testing user authentication, the LDAP test fails with the error below:

SSO Configuration/CA Performance Center:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option > 5

SSO Configuration/CA Performance Center/Test LDAP
Enter username > jessica
Enter password > ********
The UserBind option has been selected. We will now perform the first bind with the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility.
ldapSearchDomain = ldap://ldapserver.company.com/
ldapTimeout = 10000
DirContext.SECURITY_AUTHENTICATION = simple
DirContext.SECURITY_PRINCIPAL = CN=Service Account,DC=netqossupport,DC=local
DirContext.SECURITY_CREDENTIALS set
Could not obtain a DirectoryContext.
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

Bind to the directory failed.

Environment:  

This problem can happen with the following products that use Single Sign-On authentication with LDAP integration:

  • CA Performance Management
  • CA Network Flow Analysis
  • CA Application Delivery Analysis
  • CA Unified Communications Monitor

Cause: 

This issue is the result of a non-default domain policy set in Active Directory that enforces all LDAP authentication to be secured with SSL. Either the registry key below should be set to its default value on the AD server, or LDAPS should be configured so that the connection to the AD server is secured.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity

Resolution/Workaround:

Please check the Microsoft KB to resolve this issue from the AD Server:

https://support.microsoft.com/en-us/kb/2545140

If LDAPS is required by company policy, follow the LDAPS configuration instructions linked under Additional Information below.
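Added example (not part of this article or the product): run on the domain controller to check the two conditions above, whether the LDAPServerIntegrity value rejects unsigned simple binds, and whether an LDAPS listener on port 636 is up and what certificate it presents, so the SSO utility can be pointed at ldaps:// instead of lowering the policy. The server name and port parameters are assumptions.

```powershell
# Added example, not from the KB article. Value meanings for LDAPServerIntegrity
# (REG_DWORD): 1 = None (Microsoft default), 2 = Require signing. When the value
# is 2, a simple bind over plain ldap:// is refused with result code 8
# (strongAuthRequired), which is the error shown in the SSO Test LDAP output.

function Get-LdapSigningRequirement {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue
    switch ($props.LDAPServerIntegrity) {
        2       { 'Require signing: unsigned simple binds over ldap:// are rejected (error code 8)' }
        1       { 'None (default): unsigned simple binds over ldap:// are accepted' }
        default { 'Value not present: the domain controller uses the default (None)' }
    }
}

# Confirms that the LDAPS port answers before the SSO utility is reconfigured.
function Test-LdapsListener {
    param([string]$Server = $env:COMPUTERNAME, [int]$Port = 636)   # assumed defaults
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $Server; Port = $Port; LdapsReachable = $r.TcpTestSucceeded }
}

# Fetches the certificate the LDAPS listener presents so its issuer/thumbprint can be
# verified and the issuing CA imported into the SSO client's trust store. The
# validation callback is relaxed here only to retrieve the certificate for inspection;
# the SSO client itself must validate the chain normally.
function Get-LdapsCertificate {
    param([string]$Server = $env:COMPUTERNAME, [int]$Port = 636)   # assumed defaults
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

Get-LdapSigningRequirement
Test-LdapsListener
Get-LdapsCertificate
```

If Get-LdapSigningRequirement reports "Require signing" and the listener check succeeds, change ldapSearchDomain in the SSO utility to ldaps://ldapserver.company.com/ rather than editing the registry.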

Additional Information:

https://docops.ca.com/ca-performance-management/2-5/en/administrating/single-sign-on/set-up-ldap-authentication/enable-ldaps-authentication

Environment

Release: RAIB1H99000-9.3-Network Flow Analysis-Interface Bundle-Hardware
Component: