SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

connect to Active Directory via ldaps

Jump to solution


i'm deploying two-factor authentication for RRAS VPN.

Now i would like to add Identity sources - Active Directory. But i can't:


meantime i can connect to AD via LDP utility:


Labels (1)
1 Solution

Accepted Solutions
4 Replies
Apprised Contributor Apprised Contributor
Apprised Contributor

SecurID cannot protect an RRAS VPN on Win2012, only on Windows 2003 with the old Windows Agent v. 6.1,

but there was another thread on your external Identity Source question, how to get AD users into Authentication Manager.  

Integrate RSA secure ID & LDAP(AD)  

There is a pretty good PowerPoint attached to the bottom of this Discussion that explains how to setup Active Directory as an external Identity Source for Authentication Manager.  The shorter PDF version is attached here.  The PDF is more 'how to' while the .PPT has more of the 'Why'

Thank you Jay.

I imported CA root certificate, but it still doesn't work. without SSL it works.

So, i will sort out with certs.


Try using this KB article to make sure you have the correct certificate imported 000030537 - Get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1

Apprised Contributor Apprised Contributor
Apprised Contributor


The Root CA should work, and Mostafa's KB on how to verify is probably the first place to check to make sure the Cert is the right one.

Other trouble-shooting techniques are to use LDAPsearch to browse Active Directory on the Domain Cotroller and capture network traffic from Auth Manager to the DC, to see if the encryption/protocols are negotiated successfully or if the the Request is simply rejected by the DC.

For TCPDump

SSH to the Virtual Appliance with the operating system account rsaadmin.

                sudo su -

<same password again>                                               This makes you root

#             cd /usr/sbin

./tcpdump -i eth0 -s 1514 -Z root  port 389 -w /tmp/ldap.pcap

./tcpdump -i eth0 -s 1514 -Z root  port 636 -w /tmp/ldaps.pcap

chmod 777 /tmp/ ldap*.pcap                                 This grants full permissions to everyone, makes it easy to copy file off with WinSCP and use WireShark to analyze.  If you need to open a case and send us the packet capture.


for LDAPsearch, Open a second SSH and type the following command lines:

sudo su root

cd /usr/bin

Note: Type the following command but changing according to customer’s environment.

./ldapsearch -h { Windows_Domain_Controller} -D { LDAP_UserID } -w { LDAP_UserID_Password } -b {Windows_Domain} -s sub "(objectcategory=person)" sn givenname samaccountname

I am providing the following example from my Lab for your reference.

Windows_Domain_Controller = 2k8r2-dc1.2k8r2-vcloud.local
LDAP_UserID = administrator@2k8r2-vcloud.local
LDAP_UserID_Password = mypass99!
Windows_Domain = dc=2k8r2-vcloud,dc=local

./ldapsearch -h 2k8r2-dc1.2k8r2-vcloud.local -D administrator@2k8r2-vcloud.local -w mypass99! -b "dc=2k8r2-vcloud,dc=local" -s sub "(objectcategory=person)" sn givenname samaccountname


Hat tip to Sergio Dias for that LDAPsearch info.