000034053 - SecurID Access: Repeated LDAP Bind Errors logged

Document created by RSA Customer Support Employee on Sep 22, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034053
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
IssueWhen the RSA Identity Router (IDR) connects to a Microsoft Active Directory (AD) Identity Source, many of the following type of events are logged in the IDR's system log indicating failures to connect to the AD before it is eventually able to successfully connect. Related events are also logged in Microsoft Windows by the AD server.
2016-08-22/14:44:37.666/UTC [Thread-505] WARN com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl[94] - 
Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://<ip-address>' principal is '<principal-name>'.
Try one more time ...
2016-08-22/14:44:37.669/UTC [Thread-505] ERROR com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl[122] -
Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://<ip-address>' principal is '<principal-name>'.
CAUSE: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1]
CauseCurrently, the RSA Identity Router (IDR) connects to Identity Sources by first authenticating using the SASL Digest-MD5 authentication mechanism. If the IDR fails twice to bind using that method, it will default to authenticate using a simple LDAP bind.  An LDAP bind means the user ldap password will be sent in the clear if TLS is not used to secure the communication from the IDR to the Identity Source (Directory server). For Microsoft Active Directory (AD) servers, the SASL Digest-MD5 authentication will only succeed if it is configured a certain way. 
One of the configuration requirements for successful SASL digest-MD5 authentication is that reversible encryption must be configured for the AD Administrator's password. Further, if you do configure the AD administrator to successfully authenticate using the SASL digest-MD5 mechanism, then all SecurID Access web portal authentications will strictly be using SASL Digest. This means all end users that intend to authenticate to the Via Access Web Portal will need to have their password stored using reversible encryption. 
If reversible encryption is not configured in AD, the SASL digest-MD5 mechanism will continue to fail, and you will see related error messages logged every time the IDR attempts to authenticate, before a successful authentication using Simple BIND.  
On the current release of SecurID Access, even if AD is configured appropriately for the SASL digest-MD5 mechanism. SASL digest-MD5 authentication will still fail due to a format error in the principle name that the IDR sends to AD. This issue is currently preventing successful AD authentication with SASL digest-MD5,  
ResolutionRSA is currently reviewing the authentication mechanism between an IDR and an Identity Source.
WorkaroundThere is no current workaround that will prevent these errors from being logged. Unless attempting to use Active Directory's SASL digest-MD5 authentication, this issue's impact is limited to the unexpected error logging.