LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

Article ID: KB0082569

Updated On: 01-30-2018

Products: Spotfire Server
Versions: Any Spotfire version

Description

With Spotfire LDAP authentication configured, users may be unable to log in, and the server.log may show the following message:
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

This issue is the result of a non-default domain policy set in Active Directory that enforces all LDAP authentication to be secured with SSL.

The corresponding domain controller policy is "Domain controller: LDAP server signing requirements". When it is set to "Require signing", the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is already in use. The policy also sets the following registry key on all domain controllers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2

If this policy is configured on the domain controllers in a Windows domain, non-secure LDAP authentication will fail.

Issue/Introduction

LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

Environment

Any OS

Resolution

The resolution is either to configure LDAPS in Spotfire or to set the following registry value on each LDAP server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1
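The following triage script is an added example, not part of the original article or of Spotfire: it scans constructed server.log lines for the DSID-0C090257 bind rejection and checks whether each configured LDAP URL would satisfy the "Require signing" policy without lowering LDAPServerIntegrity on the domain controllers. It assumes the directory service performs a simple bind over the URL as given (no StartTLS on ldap:// URLs), so only ldaps:// counts as TLS being active before the bind; the hostnames and log format are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Fragment of the bind error quoted in the article; Active Directory returns it
# when a simple bind arrives without signing or TLS and the policy requires signing.
SIGNING_REQUIRED_RE = re.compile(r"DSID-0C090257")

# Meaning of the NTDS\Parameters\LDAPServerIntegrity values named in the article.
LDAP_SERVER_INTEGRITY = {1: "None (signing not required)", 2: "Require signing"}

# Constructed sample server.log lines (hypothetical host dc01.example.test).
SAMPLE_LOG = """\
2018-01-30 10:01:12 INFO  LdapAuth - binding to ldap://dc01.example.test:389
2018-01-30 10:01:12 ERROR LdapAuth - LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection
2018-01-30 10:01:13 INFO  LdapAuth - binding to ldaps://dc01.example.test:636
"""


def signing_required_errors(log_lines):
    """Return the log lines in which the DC rejected a bind for lack of signing/TLS."""
    return [line for line in log_lines if SIGNING_REQUIRED_RE.search(line)]


def bind_is_protected(ldap_url):
    """True when TLS is active before the bind (ldaps://), which is what the policy
    accepts instead of LDAP signing. Assumes no StartTLS is negotiated on ldap://."""
    return urlsplit(ldap_url).scheme.lower() == "ldaps"


def triage(log_lines, ldap_urls):
    """Combine log evidence with the configured URLs into per-URL findings."""
    hits = signing_required_errors(log_lines)
    findings = []
    for url in ldap_urls:
        if bind_is_protected(url):
            findings.append((url, "ok: TLS active before bind"))
        else:
            # Prefer fixing the client (LDAPS, default port 636) over setting
            # LDAPServerIntegrity=1, which removes the protection domain-wide.
            findings.append((url, "will fail while LDAPServerIntegrity=2; use ldaps:// (default port 636)"))
    return {"signing_errors": len(hits), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(),
                    ["ldap://dc01.example.test", "ldaps://dc01.example.test:636"])
    print(f"signing-required errors in log: {result['signing_errors']}")
    for url, verdict in result["findings"]:
        print(f"{url}: {verdict}")
```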

The following Microsoft KB article explains various workarounds and resolutions:
https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo

Note: Always take a backup of the Registry before making any changes.

Additional Information

https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo