When trying to log in to a MOM that integrates with AD without using EEM, IntroscopeEnterpriseManager.log on the MOM shows the error below:
[DEBUG] [PO:main Mailman 3] [Manager.UserManagementService] Unable to find user "user" because javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
:::::
realms.xml is incorrectly configured. LDAP error code 49 with AD sub-code 52e means the directory rejected the bind credentials, so the EM never authenticated to AD and could not look up the user.
First, ensure "plainTextPasswords" is set to True before the first restart of the EM on the MOM. On startup, the EM finds this value set to True, encrypts the value of "bindPassword", and then sets "plainTextPasswords" to False. This is a required step as documented in the APM documentation (a link is provided below).
If it is not already, set "groupMemberQuery" to
<property name="groupMemberQuery">
<value>(&amp;(objectClass=groupOfUniqueNames)(uniquemember=%u))</value>
</property>
(inside XML the ampersand must be written as &amp;). Then make sure "baseDN" consists of the 'DC=' components of the "bindName" property, and conversely that "bindName" ends with the same 'DC=' components as "baseDN".
For example, if "bindName" is already defined as follows:
<property name="bindName">
<value>CN=user,cn=Users,DC=ad-dev-02,DC=com</value>
</property>
"baseDN" should look like:
<property name="baseDN">
<value>DC=ad-dev-02,DC=com</value>
</property>
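As an added example (not from this article or from CA's own tooling), the following Python script reads a realms.xml fragment and checks the points above: that the DC= components of "baseDN" match those of "bindName", that "groupMemberQuery" is the filter shown, and that "plainTextPasswords" is not still True (meaning the EM has not yet restarted to encrypt "bindPassword"). The <realms>/<realm> wrapper elements and the sample values are constructed; only the property/value layout comes from the article.

```python
import xml.etree.ElementTree as ET

# Group membership filter recommended by the article.
EXPECTED_GROUP_QUERY = "(&(objectClass=groupOfUniqueNames)(uniquemember=%u))"

# Constructed realms.xml fragment. The <realms>/<realm> wrapper is assumed;
# the <property name="..."><value>...</value></property> layout is from the article.
# It deliberately contains a mismatched baseDN, a different group filter and
# plainTextPasswords still set to true, so the checks below report all three.
SAMPLE_REALMS_XML = """<realms>
  <realm id="LDAP Realm" active="true">
    <property name="plainTextPasswords"><value>true</value></property>
    <property name="bindName"><value>CN=user,cn=Users,DC=ad-dev-02,DC=com</value></property>
    <property name="bindPassword"><value>example-only-placeholder</value></property>
    <property name="baseDN"><value>DC=ad-dev-01,DC=com</value></property>
    <property name="groupMemberQuery"><value>(&amp;(objectClass=group)(member=%u))</value></property>
  </realm>
</realms>"""


def load_properties(xml_text):
    """Return {property name: value} for every <property> in the document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        value = prop.find("value")
        props[prop.get("name")] = (value.text or "").strip() if value is not None else ""
    return props


def dc_components(dn):
    """Return the DC= RDNs of a DN, lower-cased and in order, e.g. ['dc=ad-dev-02', 'dc=com']."""
    return [p.strip().lower() for p in dn.split(",") if p.strip().lower().startswith("dc=")]


def check_realm(props):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    bind_dcs = dc_components(props.get("bindName", ""))
    base_dcs = dc_components(props.get("baseDN", ""))
    if bind_dcs != base_dcs:
        findings.append(f"baseDN DC components {base_dcs} do not match bindName {bind_dcs}")
    if props.get("groupMemberQuery") != EXPECTED_GROUP_QUERY:
        findings.append("groupMemberQuery is not " + EXPECTED_GROUP_QUERY)
    if props.get("plainTextPasswords", "").lower() == "true":
        findings.append("plainTextPasswords is true: restart the EM once so it encrypts bindPassword")
    return findings


if __name__ == "__main__":
    for finding in check_realm(load_properties(SAMPLE_REALMS_XML)):
        print("FINDING:", finding)
```

Point the script at a real realms.xml by replacing SAMPLE_REALMS_XML with the file's contents; an empty result means the three configuration points from this article are satisfied.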
https://docops.ca.com/ca-apm/10-5/en/administrating/apm-security/securing-introscope/securing-introscope-using-ldap/ -- Securing Introscope using LDAP.