000033904 - Test connection failed. One or more directory connections is incorrect error during testing connection from RSA Authentication Manager and Active Directory

Document created by RSA Customer Support Employee on Sep 22, 2016. Last modified by RSA Customer Support on May 21, 2020.

Article Content

Article Number: 000033904
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: The LDAP test connection fails in the Operations Console even though network connectivity to the directory works on both LDAP port 389 and LDAPS port 636. The test succeeds if the protocol is changed from LDAP to LDAPS.

When testing, the following error displays:

There was a problem processing your request.
Test connection failed. One or more directory connections is incorrect.


Testing from an SSH session on the appliance with openssl s_client is successful:

rsaadmin@am1p:~> openssl s_client -connect

In a packet capture taken on RSA Authentication Manager, the LDAP bind fails with the following error, as shown in the screenshot below:
The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.

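As an added example (not part of the RSA article), the following Python decoder shows what that capture contains: a plaintext simple bind on port 389 against a domain controller that enforces signing is answered with an LDAP BindResponse carrying resultCode 8 (strongerAuthRequired) and the diagnostic text quoted above. The sample bytes and the helper names are constructed here, not taken from a real capture.

```python
# Added example, not from the RSA article: decode the LDAP BindResponse that a
# domain controller returns when "LDAP server signing requirements" is set to
# Require signing. The sample bytes below are constructed, not from a real capture.

STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode strongerAuthRequired (RFC 4511)

def ber_encode(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV; short-form length only (enough for this sample)."""
    assert len(payload) < 0x80, "short-form BER length only"
    return bytes([tag, len(payload)]) + payload

def ber_decode(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> dict:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, BindResponse [APPLICATION 1]
    { resultCode ENUMERATED, matchedDN OCTET STRING, diagnosticMessage OCTET STRING } }"""
    tag, body, _ = ber_decode(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag_id, mid, pos = ber_decode(body)
    tag_op, op, _ = ber_decode(body, pos)
    if tag_id != 0x02 or tag_op != 0x61:
        raise ValueError("expected INTEGER messageID followed by BindResponse")
    tag, code, pos = ber_decode(op)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched_dn, pos = ber_decode(op, pos)
    _, diag, _ = ber_decode(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}

def signing_enforced(resp: dict) -> bool:
    """True when the DC refused a plaintext simple bind because signing is required."""
    return resp["result_code"] == STRONGER_AUTH_REQUIRED

# Constructed sample: messageID 1, resultCode 8, empty matchedDN, AD's diagnostic text.
DIAG = (b"The server requires binds to turn on integrity checking "
        b"if SSL/TLS are not already active on the connection.")
SAMPLE = ber_encode(0x30, ber_encode(0x02, b"\x01") + ber_encode(0x61,
         ber_encode(0x0A, bytes([STRONGER_AUTH_REQUIRED])) + ber_encode(0x04, b"")
         + ber_encode(0x04, DIAG)))
```

Calling parse_bind_response(SAMPLE) returns result_code 8 with the diagnostic text, and signing_enforced() on that result is True; a successful bind (resultCode 0) gives False.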
Cause: A policy change on the Active Directory domain controller requires LDAP signing (Domain controller: LDAP server signing requirements set to Require signing), so a simple bind over unencrypted LDAP is rejected.

How to check the server LDAP signing requirement:
  1. Click Start > Run.
  2. In the text box, type mmc.exe, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and Linked Group Policy Objects area.
  7. Click OK.
  8. Click Finish.
  9. Click OK.
  10. Expand Default Domain Controller Policy.
  11. Expand Computer Configuration.
  12. Expand Policies.
  13. Expand Windows Settings.
  14. Expand Security Settings.
  15. Expand Local Policies.
  16. Click Security Options.
  17. Right-click Domain controller: LDAP server signing requirements.
  18. Click Properties.
  19. In the Domain controller: LDAP server signing requirements Properties dialog box, select Define this policy setting.
  20. Select Require signing in the drop-down list, and then click OK.
  21. In the Confirm Setting Change dialog box, the value shown is Require signing.

Resolution: Either of the following resolves the problem:
  1. Change the policy on the AD from Require signing to None. This allows RSA Authentication Manager to connect to Active Directory over plain LDAP, but it also relaxes the signing requirement for every other LDAP client in the domain.
  2. Change the protocol used on the Operations Console from LDAP to LDAPS. This requires importing the AD certificate into RSA Authentication Manager. Follow the steps to get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1.