SecurID^® Discussions

Thanks for the suggestions.

1) Yes I have checked DNS. I logged onto the appliance, was able to resolve the hostname via DNS.

2) Yes I was able to ping the DC.

3) The clocks were out of sync initially, but I fixed it. It made no change.

4) The account being used to test the connection is my domain administrator account. It is not locked out, the password is correct, and permissions should be good.

5) I ran the tcpdump command as you explained. I got a bit of traffic back, but how can I tell when it does a three-way handshake over port 389?

To ensure the traffic is just port 389 and to cut down on any traffic noise we don't care about, we'll add that to the tcpdump statement, and I'll use IP 192.168.1.2 to represent your domain controller: tcpdump -nni eth0 "host 192.168.1.2 and port 389" -Xs0 | more      And to clarify, you want to start this command just before you hit the Test Connection button for the Identity Source.  The results should immediately occur.  1) The first TCP packet should have the RSA IP send a request to 192.168.1.2.389 with "Flags [S]" set. 2) The second packet should be the 192.168.1.2.389 sending a packet to RSA IP with "Flags [S.]" and an "ack" on that line.  3) The third packet should have the RSA IP send a "Flags [.], ack" back to 192.168.1.2.389.  That would be the Syn, Syn-Ack, Ack three-way-handshake for a successful TCP port 389 connection.  Then, the fourth packet would be a "Flags [P.]" set where the RSA IP "pushes" the domain admin account name and its password inside that packet to the domain controller.  The -X option allows you to see the packet contents, so you should be able to see this account name and password.  And, in the tcpdump command, I am making the assumption that eth0 is your transport interface your RSA appliance is using to communicate with the domain controller.

Well I see the two packets with Flags [S.], two with Flags [.], then two with Flags [P.] but the second P doesn't contain my password, but I do see an ldap error. X80090308:.LdapErr:.DSID-0C090447,.comment:.AcceptSecurityContext.error,.data.52e,.v3839.

Then I see a packet with Flags [F.]

Sounds like LDAP configuration on the domain controller needs adjusting or security policy settings associated with it.  I am not very familiar with troubleshooting LDAP, but I found a number of results from doing various searches for those different values in that LDAP error string you provided, so maybe one of those will be useful if you search on those error code values.  Here is one site I am not familiar with, but looked promising and might help ( https://ldapwiki.com/ ) , and there is also the ldp.exe tool that comes with Windows Server that might help.  From the searches, I did see that the code 52e is associated with authentication issues, and I did see a reference to Security Options settings related to LDAP server signing requirements found under Domain Controller Policy, but I almost didn't mention these here because I didn't want to send you down a rabbit hole.  Maybe someone more knowledgeable in LDAP might can chime in.  Good luck! 

I wasnt able to add the AD Identity source initially. I tried a number of methods without any luck. After importing all the domain certs, I tried using Microsoft ADLDS which allowed me to progress to the mapping step. Once here it stated that my source was incorrect and I switched the source from ADLDS to AD and was successful. Not sure if this will help you but this helped me. Just a note that I did not use a domain admin account and I'm not sure why that is a requirement.