LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
Article ID: KB0082569
Products: Spotfire Server
Versions: Any Spotfire version
Description
With Spotfire LDAP authentication configured, users may be unable to log in, and server.log may show the following message:
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
This issue is caused by a non-default domain policy in Active Directory that requires all LDAP authentication to be secured with SSL.
The policy on the domain controller is "Domain controller: LDAP server signing requirements". When it is set to "Require signing", the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is already in use. This policy also sets the following registry value on all domain controllers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2
If this policy is configured on the domain controllers of a Windows domain, non-secure LDAP authentication will fail.
Environment
Any OS
Resolution
The resolution is either to configure LDAPS in Spotfire or to set the following registry value on each LDAP server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1
The following Microsoft KB article explains the available workarounds and resolutions: https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo
Note: Always take a backup of the Registry before making any changes.
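Before changing anything, it helps to know which domain controllers actually enforce signing. The following read-only PowerShell script is an added example, not part of this KB article or of Spotfire; it assumes a domain-joined workstation with the ActiveDirectory (RSAT) module and WinRM access to the domain controllers, and reports the LDAPServerIntegrity value on each of them.

```powershell
# Added example (not from the KB): report the "LDAP server signing requirements"
# setting on every domain controller. Read-only; it changes no registry values.
# Assumes: ActiveDirectory module installed and WinRM (Invoke-Command) allowed to the DCs.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'LDAPServerIntegrity'

# Meaning of the two values described in the article above
$meaning = @{
    1 = 'None: unsigned simple binds over plain LDAP are accepted'
    2 = 'Require signing: plain-LDAP binds fail with DSID-0C090257 unless SSL/TLS is used'
}

# Enumerate every DC in the current domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the value remotely on each DC
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$name } else { $null }
    [pscustomobject]@{
        DomainController    = $env:COMPUTERNAME
        LDAPServerIntegrity = $value
    }
} -ArgumentList $regPath, $valueName

foreach ($r in $results) {
    $text = if ($null -eq $r.LDAPServerIntegrity) {
        'value not present (assumed to behave as 1 / None)'   # assumption, not from the KB
    } elseif ($meaning.ContainsKey($r.LDAPServerIntegrity)) {
        $meaning[$r.LDAPServerIntegrity]
    } else {
        "unexpected value $($r.LDAPServerIntegrity)"
    }
    '{0}: LDAPServerIntegrity={1} -> {2}' -f $r.DomainController, $r.LDAPServerIntegrity, $text
}

# If any DC reports 2, the Spotfire server must bind over LDAPS (or STARTTLS) for
# authentication to succeed. Lowering the value to 1 makes the DC accept unsigned
# binds again, so the LDAPS route in Spotfire is the option that keeps the DC policy intact.
```

Any DC that reports 2 is the one producing the DSID-0C090257 error for plain-LDAP binds; configuring LDAPS in Spotfire resolves the login failure without relaxing the domain policy.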