000037609 - Unable to connect to LDAP source Error in RSA Archer

Document created by RSA Customer Support Employee on Jan 1, 2020

Article Content

Article Number: 000037609
Applies To: RSA Product Set: Archer
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.x
Platform: Windows Server 2012 R2 and Windows Server 2016
Issue
During LDAP synchronization, the sync fails intermittently with the error "Unable to connect to LDAP source. The system attempts this connection 10 more times. (next attempt at xx:xx:xx). Message. The supplied credential is invalid."
Cause
When Archer synchronizes with Active Directory, it binds to the directory with the user name and password entered in the LDAP configuration and uses that session to read users and groups. Archer reports the error above for anything that prevents a successful connection or bind at the scheduled time (a wrong domain user name or password, but also a locked-out account, a blocked port, or a server certificate the sync server does not trust). When the connection fails, Archer automatically retries 10 times over a 1-hour period before logging an error record and stopping the synchronization process.
If the synchronization fails, the sync status is set to inactive. If there are records that were not updated during the synchronization, you can view a text file that details the date, time, and the specific records that failed to synchronize. While the sync status is inactive, RSA Archer suspends further synchronization attempts until you manually correct the problem with the connection and set the status back to active. For more information, refer to the RSA Archer 6.4 Platform Administrator's Guide, page 523:
https://community.rsa.com/docs/DOC-87077

Possible scenarios that may cause the above error
  • The password of the Active Directory account used in the Archer LDAP configuration was changed in Active Directory, but the new password was not entered in the LDAP configuration in Archer.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server Configuration > Password
  • The Active Directory user name in the Archer LDAP configuration was edited and mistyped.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server Configuration > User Name
  • The IP address / fully qualified domain name of the Active Directory LDAP server in the Archer LDAP configuration was edited and mistyped, or the server was renamed or re-addressed.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server > Name / IP Address
  • An incorrect Base Distinguished Name (Base DN) is configured in the Archer LDAP configuration.
    • Administration > Access Control > LDAP Configurations > Configurations tab > User Field Mapping > Base DN
  • The account is locked out. Many organizations enforce an account lockout policy through Group Policy, for example locking an account after three failed logon attempts. If someone enters the wrong password three times for the account used in the Archer LDAP configuration, the account is locked before the scheduled sync runs, and the sync fails even though the credentials stored in Archer are correct. Archer's own retries count toward the same threshold: if the stored password is wrong, the 10 retry attempts can themselves lock the account.
  • A firewall blocks traffic from the server running the Archer LDAP Sync service to the Active Directory LDAP server. For example, Archer connects on port 389 (or 636 for LDAP over SSL); if that port is blocked on the path to the domain controller, the same error is logged.
  • A certificate problem when connecting over SSL, for example an invalid or expired server certificate, or a certificate whose issuing CA is not in the Trusted Root Certification Authorities store on the server running the Archer LDAP Sync service.

Resolution
  • Ensure the correct Active Directory user name is entered in the LDAP configuration in Archer.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server Configuration > User Name
  • If the password of the Active Directory account was changed in Active Directory, you MUST update the password in the LDAP configuration in Archer.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server Configuration > Password
  • If the IP address / fully qualified domain name of the Active Directory LDAP server has changed, you MUST update the Name / IP Address in the LDAP configuration in Archer.
    • Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server > Name / IP Address
  • Ensure the Base Distinguished Name (Base DN) path is correct in the LDAP configuration in Archer.
    • Administration > Access Control > LDAP Configurations > Configurations tab > User Field Mapping > Base DN
  • Ensure the firewall is not blocking traffic from the server running the Archer LDAP Sync service to the Active Directory LDAP server.
  • Check with the Windows administrator that the Active Directory account used in the Archer LDAP configuration is not locked out.
  • Check with the Windows administrator that there is no issue with the certificate (validity, expiry, and trust on the server running the LDAP Sync service).
  • If there are multiple Active Directory LDAP servers (a domain controller farm) behind the configured name, isolate the issue by connecting to each server one by one.
  Note: As a best practice, do NOT use the Archer service account (the account that runs the RSA Archer Configuration, Job Engine, LDAP Sync, Queuing and Workflow services) as the User Name in the LDAP configuration in Archer [Administration > Access Control > LDAP Configurations > Configurations tab > LDAP / Active Directory Server Configuration > User Name]. Use a dedicated directory account with only the read access the sync needs. If the service account is used and the sync has a credential problem, Archer retries the connection 10 times over a 1-hour period; those failed binds can lock the service account out, and when that happens ALL the Archer services (RSA Archer Configuration, Job Engine, LDAP Sync, Queuing, Workflow) stop working and users cannot log in to the Archer user interface.
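The following PowerShell diagnostic is an added example; it is not part of this article and not Archer product code. It works through the scenarios above from the server that hosts the Archer LDAP Sync service, in an order that avoids making a lockout worse: network path first, then the server certificate (for LDAPS), then the account's lockout state, then a single bind with the configured credential, then the Base DN. The server name, port, user name and Base DN are assumed placeholders; substitute the values entered under Administration > Access Control > LDAP Configurations. The bind uses System.DirectoryServices.Protocols, which reports a wrong user name or password as an LdapException with the message "The supplied credential is invalid" (LDAP result 49), the same message quoted in the error above. The lockout check needs the ActiveDirectory RSAT module and is skipped when it is not installed.

```powershell
# Added diagnostic (not from the RSA article or the Archer product).
# Run on the server that hosts the Archer LDAP Sync service so the network
# path, trust store and credentials are the ones Archer actually uses.
# All default values below are assumed placeholders; replace them with the
# values from Administration > Access Control > LDAP Configurations.
param(
    [string]$Server   = "dc01.corp.example",      # Name / IP Address
    [int]   $Port     = 389,                      # 636 when LDAP over SSL is enabled
    [string]$BindUser = "CORP\svc-archer-ldap",   # User Name (dedicated sync account, DOMAIN\user form)
    [string]$BaseDn   = "DC=corp,DC=example",     # User Field Mapping > Base DN
    [switch]$UseSsl
)
$ErrorActionPreference = "Stop"
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Network path: a firewall dropping the port is reported by Archer with the
#    same "Unable to connect to LDAP source" error as a bad password.
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $Port to $Server is blocked or the host is down; fix the network path before touching credentials."
    return
}
Write-Host "TCP ${Server}:$Port reachable"

# 2. Certificate (LDAPS only): fetch the server certificate and check expiry
#    and chain trust against this machine's stores, the two failures the article names.
if ($UseSsl) {
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate during the handshake so it can be inspected; trust is checked explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Close()
    Write-Host ("Server certificate: {0}, expires {1}" -f $cert.Subject, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Server certificate has expired" }
    # Verify() builds the chain against the local trust stores; a missing issuing CA fails here.
    if (-not $cert.Verify()) { Write-Warning "Certificate chain is not trusted on this host; import the issuing CA into Trusted Root Certification Authorities" }
}

# 3. Lockout state, read BEFORE binding: every failed bind (including Archer's
#    own 10 retries) counts toward the domain's lockout threshold.
$sam = ($BindUser -split '\\')[-1]
if (Get-Module -ListAvailable ActiveDirectory) {
    Import-Module ActiveDirectory
    $acct = Get-ADUser -Identity $sam -Properties LockedOut, Enabled, PasswordExpired
    if (-not $acct.Enabled)    { Write-Warning "$sam is disabled" }
    if ($acct.PasswordExpired) { Write-Warning "$sam password has expired; rotate it and update the Archer LDAP configuration" }
    if ($acct.LockedOut) {
        Write-Warning "$sam is locked out; unlock it (Unlock-ADAccount) and fix the stored password before re-enabling the sync"
        return   # do not add another failed bind to the lockout counter
    }
}

# 4. One bind with the credential stored in Archer. A wrong user name or
#    password surfaces here as LdapException "The supplied credential is invalid" (LDAP result 49).
$cred = Get-Credential -UserName $BindUser -Message "Password stored in the Archer LDAP configuration"
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.SecureSocketLayer = $UseSsl.IsPresent
$conn.SessionOptions.ProtocolVersion   = 3
try {
    $conn.Bind()
    Write-Host "Bind as $BindUser succeeded"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning ("Bind failed: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
    return
}

# 5. Base DN: a base-scope search for the DN itself returns NoSuchObject (32)
#    when the Base DN typed into Archer does not exist in this directory.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("distinguishedName"))
try {
    $null = $conn.SendRequest($req)
    Write-Host "Base DN $BaseDn exists and is readable by $BindUser"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    Write-Warning ("Base DN check failed: {0} ({1})" -f $_.Exception.Message, $_.Exception.Response.ResultCode)
}
$conn.Dispose()
```

Save it as, for example, Test-ArcherLdap.ps1 and run `.\Test-ArcherLdap.ps1 -Server dc01.corp.example -Port 636 -UseSsl` for an LDAPS configuration (the file name and values are assumptions). The script binds only once and stops if the account is already locked, because each failed bind adds to the lockout counter; unlock the account and correct the stored password in Archer before setting the sync status back to active. If the configured name resolves to several domain controllers, run it once per controller with `-Server` set to each host to isolate the failing one.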
