This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

SecurID Access: Repeated LDAP Bind Errors logged

Article Number

000034053

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router

 

Issue

When the RSA Identity Router (IDR) connects to a Microsoft Active Directory (AD) Identity Source, many of the following type of events are logged in the IDR's system log indicating failures to connect to the AD before it is eventually able to successfully connect. Related events are also logged in Microsoft Windows by the AD server.
  
2016-08-22/14:44:37.666/UTC [Thread-505] WARN com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl[94] - 
Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://<ip-address>' principal is '<principal-name>'. 
Try one more time ... 

2016-08-22/14:44:37.669/UTC [Thread-505] ERROR com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl[122] - 
Failed to create initial dir context for LDAP connection. LDAP server is 'ldap://<ip-address>' principal is '<principal-name>'. 
CAUSE: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1]

Cause

Currently, the RSA Identity Router (IDR) connects to Identity Sources by first authenticating using the SASL Digest-MD5 authentication mechanism. If the IDR fails twice to bind using that method, it will default to authenticate using a simple LDAP bind.  An LDAP bind means the user ldap password will be sent in the clear if TLS is not used to secure the communication from the IDR to the Identity Source (Directory server). For Microsoft Active Directory (AD) servers, the SASL Digest-MD5 authentication will only succeed if it is configured a certain way. 

One of the configuration requirements for successful SASL digest-MD5 authentication is that reversible encryption must be configured for the AD Administrator's password. Further, if you do configure the AD administrator to successfully authenticate using the SASL digest-MD5 mechanism, then all SecurID Access web portal authentications will strictly be using SASL Digest. This means all end users that intend to authenticate to the Via Access Web Portal will need to have their password stored using reversible encryption. 

If reversible encryption is not configured in AD, the SASL digest-MD5 mechanism will continue to fail, and you will see related error messages logged every time the IDR attempts to authenticate, before a successful authentication using Simple BIND.  

On the current release of SecurID Access, even if AD is configured appropriately for the SASL digest-MD5 mechanism. SASL digest-MD5 authentication will still fail due to a format error in the principle name that the IDR sends to AD. This issue is currently preventing successful AD authentication with SASL digest-MD5,  

Resolution

RSA is currently reviewing the authentication mechanism between an IDR and an Identity Source.
 

Workaround

There is no current workaround that will prevent these errors from being logged. Unless attempting to use Active Directory's SASL digest-MD5 authentication, this issue's impact is limited to the unexpected error logging.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 06:28 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.