Strong Authentication: Error message “Server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection”

Created: 2012-04-20 08:09:59
Modified: 2017-05-08 17:00:41
Tags: Active Directory Errors LDAP SSL Troubleshooting UnitySync

Error text

When utilizing the Test functionality on the Destination tab and are configured to use LDAP port 389, you receive an error that reads:

The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

Or, when you attempt to Sync using LDAP port 389, you receive an error that reads:

Ldap_bind: Strong Authentication Required
Ldap_bind: additional info:00002028:ldapERR:DSID-0C090169,comment:
The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, vece

These errors indicate your LDAP server is configured to Require Signing. UnitySync, however, does not perform data signing. With this requirement configured on the LDAP directory, UnitySync fails to bind to the server and returns the error shown above.

Solution

Per a Microsoft TechNet article:

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.

Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: Not defined, which has the same effect as None.

Per the TechNet article, if you connect using SSL, data signing is not required.

Ask your Active Directory Administrator if SSL is enabled on the AD server. You can test with the SSL LDAP port of 636 (instead of the standard ldap port of 389) to see if that resolves the problem.

If SSL is disabled, you will need to reset the Signing Requirements setting to NONE. Then, using the standard LDAP port of 389, try the Test Connection again. With signing turned off, the connection should be successful.

(The Microsoft article referenced is located at https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-login-fails-with-ldaperr-dsid-0c0901fc)

Share this article:
Knowledgebase

Directory
  1. Directify - Self Service

  2. Mimic - Replication

  3. UnitySync - Sync
Password
  1. emPass - Sync
Obsolete
  1. Profiler
  2. SimpleSync