Directory Wizards Inc
Strong Authentication / Server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
Category: Troubleshooting
Last Updated: 2008-04-16
Using ldap port 389, the connection’s Test Connect Error reads:
"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"

Using ldap port 389, Sync run error reads:
> Ldap_bind: Strong Authentication Required
> Ldap_bind: additional info:00002028:ldapERR:DSID-0C090169,comment:
> The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, vece

These errors indicate that your LDAP server is set to Require Signing. SimpleSync does not perform data signing, so with this requirement set on the LDAP directory it fails to bind to the server and returns the errors shown above.

Per a Microsoft TechNet article:

Domain controller: LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.

Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: Not defined, which has the same effect as None.

Per the TechNet article, if you connect using SSL, data signing is not required.

Ask your AD Admin if SSL is enabled on the AD server. You can test with the SSL LDAP port of 636 (instead of the standard ldap port of 389) to see if that resolves the problem.

If SSL is disabled, you will need to reset the Signing Requirements setting to None. Then, using the standard ldap port of 389, try the Test Connection again. With signing turned off, the connection should be successful.
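The check described above, as an added example that is not part of this article or of SimpleSync: a minimal LDAP simple bind written with the Python standard library only, which sends a BindRequest over plain port 389 or over LDAPS on 636 and decodes the BindResponse so the "strongerAuthRequired" result (the 00002028 error quoted above) can be told apart from a bad password or a dead port. The host, DN and password are placeholders you supply; the 636 path verifies the server certificate against the system trust store.

```python
import socket
import ssl
STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode "strongerAuthRequired" (RFC 4511)

def ber_len(n):  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, value):  # one BER element: tag, length, value
    return bytes([tag]) + ber_len(len(value)) + value
def ber_int(n):  # INTEGER in minimal two's-complement encoding
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def bind_request(msg_id, dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def parse_tlv(buf):  # split one BER element into (tag, value, remaining bytes)
    first = buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return buf[0], buf[pos:pos + length], buf[pos + length:]

def parse_bind_response(buf):  # -> (resultCode, diagnosticMessage)
    _, msg, _ = parse_tlv(buf)        # LDAPMessage SEQUENCE
    _, _, rest = parse_tlv(msg)       # messageID
    tag, op, _ = parse_tlv(rest)      # protocolOp, must be BindResponse [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, rest = parse_tlv(op)     # resultCode ENUMERATED
    _, _, rest = parse_tlv(rest)      # matchedDN
    _, diag, _ = parse_tlv(rest)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def signing_required(code, diag):
    # The DC refused the bind because "LDAP server signing requirements" is set to Require signature
    return code == STRONGER_AUTH_REQUIRED or "00002028" in diag

def try_bind(host, port, dn, password, use_ssl):
    # Simple bind over plain 389 (use_ssl=False) or LDAPS 636 (use_ssl=True, certificate verified)
    sock = socket.create_connection((host, port), timeout=10)
    if use_ssl:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))  # a BindResponse is small enough for one recv
```

Run `try_bind(host, 389, dn, password, False)` and pass the result to `signing_required`; if it returns True, repeat with `636` and `True`, which is the same comparison the Test Connect button performs.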

*For more info on the Signing Requirements, see the following Microsoft TechNet page*
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/56044016-3123-4859-8fd9-c5a461a1c5c8.mspx