Directory Wizards Inc.

Solutions For Your Directory Needs


Strong Authentication / Server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

Category: Troubleshooting

Last Updated: 2011-08-03

 


 

Using LDAP port 389, the connection's Test Connect error reads:
"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"

Using LDAP port 389, the Sync run error reads:
> Ldap_bind: Strong Authentication Required
> Ldap_bind: additional info:00002028:ldapERR:DSID-0C090169,comment:
> The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, vece

These errors indicate that your LDAP server is set to Require Signing. UnitySync does not perform data signing, so with this requirement set on the LDAP directory, UnitySync fails to bind to the server and returns the errors shown above.

Per a Microsoft TechNet article:

> Domain controller: LDAP server signing requirements
> This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
>
> None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
>
> Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
>
> Default: Not defined, which has the same effect as None.


Per the TechNet article, if you connect using SSL, data signing is not required.

Ask your AD admin whether SSL is enabled on the AD server. You can test with the SSL LDAP port 636 (instead of the standard LDAP port 389) to see if that resolves the problem.

If SSL is disabled, you will need to reset the Signing Requirements setting to None. Then, using the standard LDAP port 389, try the Test Connection again. With signing turned off, the connection should be successful.
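To recognize this failure in saved sync output, the following added example (not UnitySync or Directory Wizards code) parses the Active Directory diagnostic string from the bind error shown above and maps it to the next step this article describes. The function names are hypothetical, and the sample log is the error text from this page; the leading 00002028 is Win32 error 8232, ERROR_DS_STRONG_AUTH_REQUIRED.

```python
import re

# Win32 directory-service code AD puts at the start of "additional info".
STRONG_AUTH_REQUIRED = 0x2028  # 8232, ERROR_DS_STRONG_AUTH_REQUIRED

# AD diagnostic layout: <hex code>: LdapErr: DSID-<id>, comment: <text>, data <n>, ...
DIAG = re.compile(
    r"(?P<code>[0-9A-F]{8})\s*:\s*LdapErr\s*:\s*DSID-(?P<dsid>[0-9A-F]{8})\s*,"
    r"\s*comment\s*:\s*(?P<comment>.*?),\s*data\s+(?P<data>[0-9A-F]+)",
    re.IGNORECASE,
)

# Sample input: the sync run error quoted in this article, including its line wrap.
SAMPLE_LOG = """\
> Ldap_bind: Strong Authentication Required
> Ldap_bind: additional info:00002028:ldapERR:DSID-0C090169,comment:
> The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, vece
"""

def parse_bind_errors(log_text):
    """Return one dict per AD diagnostic message found in the log text."""
    # Drop quote markers ("> ") and re-join wrapped lines before matching.
    lines = [re.sub(r"^\s*>\s?", "", ln).strip() for ln in log_text.splitlines()]
    flat = " ".join(ln for ln in lines if ln)
    found = []
    for m in DIAG.finditer(flat):
        code = int(m["code"], 16)
        found.append({
            "code": code,
            "dsid": m["dsid"].upper(),
            "comment": " ".join(m["comment"].split()),
            "signing_required": code == STRONG_AUTH_REQUIRED,
        })
    return found

def advise(log_text, port):
    """Map a parsed failure to the next step described in this article."""
    if not any(e["signing_required"] for e in parse_bind_errors(log_text)):
        return "no signing-requirement failure found"
    if port == 389:
        return "retry over SSL on port 636; signing is not required on an SSL connection"
    return "check that SSL is actually active on this port"

if __name__ == "__main__":
    for err in parse_bind_errors(SAMPLE_LOG):
        print(hex(err["code"]), err["dsid"], "-", err["comment"])
    print(advise(SAMPLE_LOG, 389))
```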

*For more info on the Signing Requirements, see the following Microsoft TechNet page*
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/56044016-3123-4859-8fd9-c5a461a1c5c8.mspx