000033904 - 'Test connection failed. One or more directory connections is incorrect' error during testing connection from RSA Authentication Manager and Active Directory

Document created by RSA Customer Support Employee on Sep 22, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000033904
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 7.x, 8.x
Issue: The test connection for an Active Directory identity source fails in the Operations Console when the connection uses LDAP, although network connectivity to the domain controller on both LDAP port 389 and LDAPS port 636 is fine. The test succeeds as soon as the protocol is changed from LDAP to LDAPS.
When testing, the following error displays:

There was a problem processing your request.
Test connection failed. One or more directory connections is incorrect.



Testing the TLS connection from an SSH session with openssl s_client is successful, so the problem is not TLS or reachability on port 636.

In a packet capture taken on the Authentication Manager, the LDAP bind over port 389 is rejected by the domain controller with LDAP result code 8 (strongerAuthRequired) and the following diagnostic message:

The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.

Cause: A policy change on the Active Directory domain controllers has set Domain controller: LDAP server signing requirements to Require signing. Authentication Manager performs a simple (unsigned) bind when the identity source uses plain LDAP on port 389, and a domain controller configured this way rejects such binds unless TLS already protects the session, which is exactly what the LDAPS connection provides.
How to check the LDAP server signing requirement on the domain controller:
  1. Click Start > Run.
  2. In the text box, type mmc.exe, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object dialog box, under Domains, OUs and Linked Group Policy Objects, click Default Domain Controllers Policy, and then click OK.
  7. Click Finish.
  8. Click OK.
  9. Expand Default Domain Controllers Policy.
  10. Expand Computer Configuration.
  11. Expand Policies.
  12. Expand Windows Settings.
  13. Expand Security Settings.
  14. Expand Local Policies.
  15. Click Security Options.
  16. Right-click Domain controller: LDAP server signing requirements, and then click Properties.
  17. In the Domain controller: LDAP server signing requirements Properties dialog box, check whether Define this policy setting is enabled and which value is selected in the drop-down list.
  18. If the value is Require signing, the domain controller rejects unsigned simple binds over LDAP (port 389) and produces the error above. A value of None (or an undefined setting) allows them.
If the setting is not defined in the Default Domain Controllers Policy, check the other GPOs linked to the Domain Controllers OU: the requirement can come from any of them, and the effective value is what matters.
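The GUI walk-through above checks one GPO; the effective setting on the domain controller, and the bind behaviour it causes, can be checked directly. The PowerShell below is an added example and is not part of the RSA article or of either product. It reads the registry value that the "Domain controller: LDAP server signing requirements" policy writes on the DC (LDAPServerIntegrity: 1 = None, 2 = Require signing), then performs the same simple bind the Operations Console test performs, first over LDAP on 389 and then over LDAPS on 636. The names dc01.example.com and the svc-rsa bind DN are hypothetical placeholders, and the registry read assumes WinRM access to the DC.

```powershell
# Added example (not from the RSA article): check the effective LDAP signing
# requirement on a DC and reproduce the failing/working binds from any Windows host.
# $Dc and $BindDn are hypothetical placeholders; Invoke-Command assumes WinRM access.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapSigningRequirement {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Whichever GPO carries "Domain controller: LDAP server signing requirements",
    # the effective value lands in this registry value on the DC:
    #   1 = None, 2 = Require signing.
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
    switch ($value) {
        2       { 'Require signing' }
        1       { 'None' }
        default { 'Not set (LDAPServerIntegrity value missing)' }
    }
}

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][bool]$UseSsl,
        [Parameter(Mandatory)][System.Net.NetworkCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    # Simple bind (password sent as-is, no signing). Over plain LDAP a DC set to
    # Require signing rejects it; over LDAPS the TLS session satisfies the requirement.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind($Credential)
        "{0}:{1} ssl={2} -> bind OK" -f $Server, $Port, $UseSsl
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # Result code 8 (strongerAuthRequired) with the "requires binds to turn on
        # integrity checking" text is the failure seen in the packet capture.
        "{0}:{1} ssl={2} -> bind FAILED, LDAP result {3}: {4}" -f $Server, $Port, $UseSsl, $_.Exception.ErrorCode, $_.Exception.ServerErrorMessage
    }
    finally {
        $conn.Dispose()
    }
}

$Dc     = 'dc01.example.com'                                   # hypothetical domain controller
$BindDn = 'CN=svc-rsa,OU=Service Accounts,DC=example,DC=com'   # hypothetical AM bind account
$cred   = (Get-Credential -UserName $BindDn -Message 'Bind password').GetNetworkCredential()

Get-LdapSigningRequirement -ComputerName $Dc
Test-LdapSimpleBind -Server $Dc -Port 389 -UseSsl $false -Credential $cred
Test-LdapSimpleBind -Server $Dc -Port 636 -UseSsl $true  -Credential $cred
```

With the DC at Require signing, the first bind reports LDAP result 8 and the second succeeds. If the 636 bind instead fails with "The LDAP server is unavailable", the Windows host does not trust the certificate the DC presents; that is the same trust problem the certificate import in the resolution below solves on the Authentication Manager side.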
Resolution: Either of the following resolves the problem:
  1. Change the Domain controller: LDAP server signing requirements policy on the domain controllers from Require signing to None. Authentication Manager can then bind to Active Directory over plain LDAP on port 389. Note that this weakens the domain for every LDAP client, not only Authentication Manager: simple binds over port 389 carry the bind password in clear text and unsigned sessions can be tampered with, which is why Microsoft recommends requiring signing. Prefer option 2 where possible.
  2. Change the protocol used for the identity source in the Operations Console from LDAP to LDAPS (port 636). This requires importing the Active Directory certificate (normally the certificate of the CA that issued the domain controller's certificate) into RSA Authentication Manager; follow the RSA knowledge base article on how to get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1.
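Option 2 requires the certificate the domain controller presents on port 636, or the CA certificate above it, in a file that can be imported. The article points to an openssl procedure for this; as an added example that is not part of the RSA article or of either product, the PowerShell below does the equivalent from a Windows host: it opens a TLS session to the DC on 636, captures the server certificate, builds its chain on the local machine, and writes every element as a PEM file with 64-character lines so that openssl, Java and the Authentication Manager import can read it. The server name dc01.example.com and the output folder are hypothetical placeholders; which element to import (root CA, or the leaf if the DC certificate is self-signed) depends on your PKI.

```powershell
# Added example (not from the RSA article): capture the certificate chain a DC
# presents on LDAPS and write each certificate as PEM for import elsewhere.
# $Server and $OutDir values below are hypothetical placeholders.

function Export-LdapsCertificateChain {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the DC presents: this captures the chain so it can be
        # inspected and trusted deliberately; it does not validate it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Build the chain on this host. On a domain-joined machine the enterprise CA
    # certificates are usually in the local store or reachable via the leaf's AIA URL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.Build($leaf) | Out-Null

    $i = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        # RFC 7468 PEM: base64 body wrapped at 64 characters per line.
        $b64  = [Convert]::ToBase64String($der) -split '(.{64})' | Where-Object { $_ -ne '' }
        $pem  = "-----BEGIN CERTIFICATE-----`n" + ($b64 -join "`n") + "`n-----END CERTIFICATE-----"
        $file = Join-Path $OutDir ("{0}-{1}.pem" -f $i, $cert.Thumbprint)
        Set-Content -Path $file -Value $pem -Encoding Ascii
        [pscustomobject]@{
            Position   = $i              # 0 = DC leaf certificate, last = root CA
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            File       = $file
        }
        $i++
    }
}

Export-LdapsCertificateChain -Server 'dc01.example.com' -OutDir 'C:\temp\ldaps-certs' | Format-Table -AutoSize
```

Check the Subject and NotAfter of the element you import and confirm that its Issuer line matches the next element's Subject, so that what lands in Authentication Manager is the chain the DC actually serves rather than a stale certificate from a local store. The validation callback returning $true is acceptable only here, in a capture tool; never put it in a client that relies on the connection.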
