LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

Article ID: KB0082569

Products: Spotfire Server
Versions: Any Spotfire version

Description

With Spotfire LDAP authentication configured, users may not be able to log in, and server.log may show the following message:
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection


This issue is caused by a non-default domain policy in Active Directory that requires every LDAP bind to be integrity-protected: either the LDAP signing option is negotiated during the bind (which only a SASL bind such as Kerberos or NTLM can do) or the connection is already protected by TLS/SSL. A simple bind over plain LDAP offers neither, so the domain controller rejects it with the message above.

The policy on the domain controller is "Domain controller: LDAP server signing requirements". When it is set to "Require signing", the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is already active on the connection. The policy also writes the following registry value on every domain controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2
With this policy in force on the domain controllers, unsigned LDAP authentication over a non-TLS connection (ldap:// on port 389) will fail.

Environment

Any OS

Resolution

There are two ways to resolve this. The recommended one is to configure LDAPS in Spotfire (ldaps:// server URLs, port 636 by default) so that the bind is carried over TLS, which is exactly what the policy asks for. The alternative is to relax the policy by setting the following registry value on each domain controller:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1

Value 1 corresponds to "None" in the "Domain controller: LDAP server signing requirements" policy, so this second option lowers the security posture of the whole domain: simple-bind passwords from every LDAP client then cross the network in cleartext on port 389, and unsigned LDAP sessions are exposed to on-path tampering and NTLM relay. Because the value is written by Group Policy, a manual registry edit is also only temporary; the next security-policy refresh restores it to 2 unless the policy itself is changed to "None". Prefer LDAPS.

The following Microsoft KB article explains the workarounds and resolution in more detail:
https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo

Note: Always take a backup of the Registry before making any changes. 
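The following PowerShell script is an added example, not part of this KB article or of Spotfire; it verifies both halves of the explanation above: it reads LDAPServerIntegrity from every domain controller and then attempts the same simple bind the Spotfire server makes, once over plain LDAP and once over LDAPS, so you can confirm which resolution applies before changing anything. The domain name, bind DN and service-account name are placeholders; the script assumes a domain-joined workstation with RSAT (for Get-ADDomainController), WinRM access to the domain controllers, and a DC certificate the workstation trusts (otherwise the LDAPS bind fails for certificate reasons rather than policy reasons).

```powershell
# Added example (not from the original KB): check the LDAP signing policy on
# each DC and test a plain-LDAP vs LDAPS simple bind. Domain, bind DN and
# ports below are assumptions; adjust them to your environment.
param(
    [string]$Domain    = 'corp.example',                                      # assumption
    [string]$BindDn    = 'CN=svc-spotfire,OU=Service Accounts,DC=corp,DC=example', # assumption
    [int]$LdapPort     = 389,
    [int]$LdapsPort    = 636
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Policy state on every DC. LDAPServerIntegrity 1 = "None", 2 = "Require signing".
$dcs     = (Get-ADDomainController -Filter * -Server $Domain).HostName
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$policy  = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $v = (Get-ItemProperty -Path $using:regPath -Name LDAPServerIntegrity).LDAPServerIntegrity
    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        LDAPServerIntegrity = $v
        Meaning             = @{ 1 = 'None'; 2 = 'Require signing' }[[int]$v]
    }
}
$policy | Format-Table -AutoSize

# 2. Reproduce the bind Spotfire performs: a simple (AuthType Basic) bind,
#    which cannot negotiate signing and therefore needs TLS when the policy is 2.
$cred = Get-Credential -UserName $BindDn -Message 'Password for the Spotfire LDAP bind account'

function Test-LdapSimpleBind {
    param([string]$Server, [int]$Port, [bool]$UseSsl, [pscredential]$Credential)
    $scheme = if ($UseSsl) { 'ldaps' } else { 'ldap' }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        "OK   {0}://{1}:{2} simple bind accepted" -f $scheme, $Server, $Port
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # With "Require signing", the plain-LDAP bind comes back with LDAP result
        # code 8 (strongerAuthRequired) and the DSID-0C090257 text from the KB.
        "FAIL {0}://{1}:{2} code {3}: {4}" -f $scheme, $Server, $Port,
            $_.Exception.ErrorCode, $_.Exception.ServerErrorMessage
    } finally {
        $conn.Dispose()
    }
}

foreach ($dc in $dcs) {
    Test-LdapSimpleBind -Server $dc -Port $LdapPort  -UseSsl $false -Credential $cred
    Test-LdapSimpleBind -Server $dc -Port $LdapsPort -UseSsl $true  -Credential $cred
}
```

If the policy table shows 2 on every DC, the ldap:// line fails with code 8 and the ldaps:// line succeeds, the right fix is the Spotfire LDAPS configuration, not the registry. A DC reporting 1 while the Spotfire server still fails points elsewhere (for example a Group Policy refresh that has not reached that DC yet, or a different DC being selected at bind time).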