This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Test connection failed. One or more directory connections is incorrect error during testing connection from RSA Authentication Manager and Active Directory

Article Number

000033904

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  8.x

Issue

The test connection for LDAP is not working in the Operations Console. There is no problem in network connectivity on either LDAP port 389 or LDAPS port 636. The issue is resolved if you change the protocol from LDAP to LDAPS.

When testing, the following error displays:

There was a problem processing your request.
Test connection failed. One or more directory connections is incorrect.

Image descriptionImage description
 

Testing from an SSH session with open_ssl s_client is successful: 
rsaadmin@am1p:~> openssl s_client -connect 192.168.2.120:389
CONNECTED(00000003)
write:errno=104
rsaadmin@am1p:~> openssl s_client -connect 192.168.2.120:636
CONNECTED(00000003)

In a packet capture from RSA Authentication Manager, you find that the connection failed with the following error, as shown in the screenshot below:
 
The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.
 
Image descriptionImage description

Cause

There is a policy change that is applied to the Active Directory server.

How to check the server LDAP signing requirement:
  1. Click Start > Run.
  2. In the text box, type mmc.exe, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and Linked Group Policy Objects area.
  7. Click OK.
  8. Click Finish.
  9. Click OK.
  10. Expand the Default Domain Controller Policy
  11. Expand Computer Configuration
  12. Expand Policies
  13. Expand Windows Settings.
  14. Expand Security Settings.
  15. Expand Local Policies.
  16. Click Security Options.
  17. Right click on the domain controller:
  18. Select LDAP server signing requirements and click Properties.
  19. In the domain controller, in the LDAP server signing requirements properties dialog box, enable Define this policy setting
  20. Click to select Require signing in the Define this policy setting drop-down list, and then click OK.
  21. In the Confirm Setting Change dialog box, you find the value is Require Signing.
Image descriptionImage description

Resolution

In order to solve this problem, you can perform one of two solutions:
  1. Change the policy on the AD from Require Signing to None. This allows the RSA Authentication Manager to connect to the Active Directory through LDAP protocol.
  2. Change the protocol that is used on the Operations Console from LDAP to LDAPS. This requires you to import the AD certificate to RSA Authentication Manager. Follow the steps to get the external Identity Source LDAPS certificate using openssl for Authentication Manager 8.1.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 10:34 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.