LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
Article ID: KB0082569
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | Any Spotfire version |
Description
With Spotfire LDAP authentication setup, users may not be able to login and the server.log may show the following message:
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
This issue is the result of a non-default domain policy set in active directory that enforces all LDAP authentication to be secured with SSL.
This policy on the domain controller is: "Domain controller: LDAP server signing requirements" and if set to "Require signing" the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Socket Layer (TLS/SSL) is being used. This also sets the following registry key on all domain controllers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2
If this policy is configured on one's domain controllers in a Windows Domain, non-secure LDAP authentication will fail.
Environment
Resolution
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1
The following Microsoft KB Article explains various workarounds / resolution:
https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo
Note: Always take a backup of the Registry before making any changes.
Issue/Introduction
Additional Information
Feedback
