Authentication Manager LDAP Connection Fails with "One or More Directory Connections Is Incorrect"
9 days ago
Originally Published: 2016-08-29
Article Number
000044029
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  8.x
Issue

When testing an LDAP identity source connection in the RSA Authentication Manager Operations Console, the test fails with an error message. Network connectivity to the Active Directory server is confirmed on both LDAP port 389 and LDAPS port 636.

Observable symptoms:

  • Testing the identity source connection in the Operations Console produces the following error:
    There was a problem processing your request.
    Test connection failed. One or more directory connections is incorrect.

     

    User-added image

  • Network connectivity tests via SSH confirm ports 389 and 636 are reachable. Running openssl s_client from the Authentication Manager server returns:
    rsaadmin@am-primary:~> openssl s_client -connect <AD-server-IP>:389
    CONNECTED(00000003)
    write:errno=104
    
    rsaadmin@am-primary:~> openssl s_client -connect <AD-server-IP>:636
    CONNECTED(00000003)
  • A packet capture from the Authentication Manager server shows the Active Directory server rejecting the LDAP bind request with the following error:
    The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.

     

    User-added image
 
Cause

The Active Directory Domain Controller has the LDAP server signing requirement policy set to Require signing, which forces all LDAP clients to sign their bind requests. RSA Authentication Manager connects to Active Directory using unsigned LDAP binds by default, which the domain controller rejects when this policy is enforced.

This policy is commonly enabled as part of a Windows Server security hardening initiative, a Group Policy update, or following Microsoft's guidance on mitigating LDAP channel binding and signing vulnerabilities. When enforced, the domain controller terminates any LDAP connection that does not include integrity checking — causing the test connection in the Operations Console to fail, even when network connectivity on port 389 is confirmed.

Resolution

Two resolution paths are available. Choose the option that best fits your organization's security requirements:

 

OptionApproachBest For
Option 1Change the AD LDAP signing policy to allow unsigned connectionsEnvironments where LDAPS is not yet configured
Option 2Switch the identity source protocol from LDAP to LDAPSEnvironments that require encrypted LDAP connections

Option 1: Change the Active Directory LDAP Signing Policy

CAUTION: This change modifies a domain-wide Group Policy setting on your Active Directory Domain Controller. Consult your Active Directory or security team before proceeding, as relaxing the LDAP signing requirement may affect your organization's security posture.

 

  1. On the Active Directory Domain Controller, click Start > Run.
  2. In the text box, type mmc.exe and click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor and click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object dialog box, select Default Domain Policy under the Domains, OUs and Linked Group Policy Objects area.
  7. Click OK, then click Finish, then click OK.
  8. Expand the following path in the left panel: Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  9. Right-click Domain Controller: LDAP server signing requirements and click Properties.
  10. Enable Define this policy setting.
  11. In the drop-down list, change the value from Require signing to None.
  12. Click OK and confirm the change when prompted.

Verification: Return to the RSA Authentication Manager Operations Console and re-test the LDAP identity source connection. Confirm the test returns a success message with no errors.


Option 2: Switch the Identity Source Protocol from LDAP to LDAPS

NOTE: This option requires you to first import the Active Directory SSL certificate into Authentication Manager. Before proceeding with the steps below, follow the steps in Authentication Manager How to Retrieve the LDAPS Certificate and Configure an External Identity Source to Use LDAPS to export and import the AD certificate.

 

  1. Log in to the Operations Console.
  2. Navigate to Deployment Configuration > Identity Sources > Manage Existing.
  3. Click Edit next to the Active Directory identity source.
  4. Locate the Directory Server Settings section.
  5. Change the Protocol field from LDAP to LDAPS.
  6. Update the Port field to 636.
  7. Click Test Connection to verify the new settings.
  8. Click Save once the connection test is successful.

Verification: Confirm the identity source test returns a success message. Navigate to Deployment Configuration > Identity Sources > Manage Existing and confirm the identity source status shows as connected.

Notes

Security Recommendation — Which Option to Choose: Option 2 (switching to LDAPS) is the recommended and more secure approach, as it encrypts all LDAP traffic between Authentication Manager and Active Directory. Option 1 (setting the signing policy to None) removes a security control and should only be used if LDAPS cannot be implemented in your environment. Consult your security team before choosing Option 1.