RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
When testing an LDAP identity source connection in the RSA Authentication Manager Operations Console, the test fails with an error message. Network connectivity to the Active Directory server is confirmed on both LDAP port 389 and LDAPS port 636.
Observable symptoms:
- Testing the identity source connection in the Operations Console produces the following error:
There was a problem processing your request. Test connection failed. One or more directory connections is incorrect. - Network connectivity tests via SSH confirm ports 389 and 636 are reachable. Running
openssl s_clientfrom the Authentication Manager server returns:
rsaadmin@am-primary:~> openssl s_client -connect <AD-server-IP>:389 CONNECTED(00000003) write:errno=104 rsaadmin@am-primary:~> openssl s_client -connect <AD-server-IP>:636 CONNECTED(00000003) - A packet capture from the Authentication Manager server shows the Active Directory server rejecting the LDAP bind request with the following error:
The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.
The Active Directory Domain Controller has the LDAP server signing requirement policy set to Require signing, which forces all LDAP clients to sign their bind requests. RSA Authentication Manager connects to Active Directory using unsigned LDAP binds by default, which the domain controller rejects when this policy is enforced.
This policy is commonly enabled as part of a Windows Server security hardening initiative, a Group Policy update, or following Microsoft's guidance on mitigating LDAP channel binding and signing vulnerabilities. When enforced, the domain controller terminates any LDAP connection that does not include integrity checking — causing the test connection in the Operations Console to fail, even when network connectivity on port 389 is confirmed.
Two resolution paths are available. Choose the option that best fits your organization's security requirements:
| Option | Approach | Best For |
|---|---|---|
| Option 1 | Change the AD LDAP signing policy to allow unsigned connections | Environments where LDAPS is not yet configured |
| Option 2 | Switch the identity source protocol from LDAP to LDAPS | Environments that require encrypted LDAP connections |
Option 1: Change the Active Directory LDAP Signing Policy
CAUTION: This change modifies a domain-wide Group Policy setting on your Active Directory Domain Controller. Consult your Active Directory or security team before proceeding, as relaxing the LDAP signing requirement may affect your organization's security posture.
- On the Active Directory Domain Controller, click Start > Run.
- In the text box, type
mmc.exeand click OK. - On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor and click Add.
- In the Select Group Policy Object dialog box, click Browse.
- In the Browse for a Group Policy Object dialog box, select Default Domain Policy under the Domains, OUs and Linked Group Policy Objects area.
- Click OK, then click Finish, then click OK.
- Expand the following path in the left panel: Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Right-click Domain Controller: LDAP server signing requirements and click Properties.
- Enable Define this policy setting.
- In the drop-down list, change the value from Require signing to None.
- Click OK and confirm the change when prompted.
Verification: Return to the RSA Authentication Manager Operations Console and re-test the LDAP identity source connection. Confirm the test returns a success message with no errors.
Option 2: Switch the Identity Source Protocol from LDAP to LDAPS
NOTE: This option requires you to first import the Active Directory SSL certificate into Authentication Manager. Before proceeding with the steps below, follow the steps in Authentication Manager How to Retrieve the LDAPS Certificate and Configure an External Identity Source to Use LDAPS to export and import the AD certificate.
- Log in to the Operations Console.
- Navigate to Deployment Configuration > Identity Sources > Manage Existing.
- Click Edit next to the Active Directory identity source.
- Locate the Directory Server Settings section.
- Change the Protocol field from LDAP to LDAPS.
- Update the Port field to
636. - Click Test Connection to verify the new settings.
- Click Save once the connection test is successful.
Verification: Confirm the identity source test returns a success message. Navigate to Deployment Configuration > Identity Sources > Manage Existing and confirm the identity source status shows as connected.
Security Recommendation — Which Option to Choose: Option 2 (switching to LDAPS) is the recommended and more secure approach, as it encrypts all LDAP traffic between Authentication Manager and Active Directory. Option 1 (setting the signing policy to None) removes a security control and should only be used if LDAPS cannot be implemented in your environment. Consult your security team before choosing Option 1.
Related Articles
Test connection fails from the RSA ID Plus Cloud Access Service and Identity Router to the SecurID Authentication Manager 1.4KNumber of Views Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures 2.6KNumber of Views How to test RSA SecurID Authentication Manager to ID Plus Cloud Access Service connectivity 848Number of Views How to test RSA Identity Router (IDR) Secure Connector connectivity to the RSA ID Plus Cloud Access Service 2.63KNumber of Views AFX test connector settings button times out and the test connector capabilities work or the test connector capabilities f… 403Number of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager Upgrade Process