Identity Awareness Configuration Wizard fails with "Gateway could not connect to [IP address] - Credentials are valid but LDAP communication with the server failed" error message (ADV190023)
  • Identity Awareness wizard fails due to communication failure with the LDAP server.

  • Login fails, and the following message is shown in the daemon debug file:
    "LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
  • test_ad_connectivity (sk100406) without the "-s" parameter hangs, and the following error is shown in $FWDIR/log/test_ad_connectivity.elg:
    "an error occurred while binding to ldap server: Strong(er) authentication required"
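
To confirm that a failed bind is this signing requirement rather than a credential or routing problem, the log files named above can be searched for the quoted error strings. The script below is an added example, not Check Point code: the function names are hypothetical and the sample log lines are constructed (only the error strings come from this article). On a gateway, pass it $FWDIR/log/test_ad_connectivity.elg or the daemon debug file.

```shell
#!/bin/sh
# Error signatures quoted from the symptom list above. They are matched as
# fixed substrings (awk index), so "(" and ")" are not treated as regex.
SIG_DSID='LdapErr: DSID-0C090257'
SIG_INTEGRITY='The server requires binds to turn on integrity checking'
SIG_STRONG='Strong(er) authentication required'

# Print "file:line: [label] text" for each hit.
# Exit status: 0 = at least one signature found, 1 = none found.
ldap_signing_hits() {
    SIG_DSID="$SIG_DSID" SIG_INTEGRITY="$SIG_INTEGRITY" SIG_STRONG="$SIG_STRONG" \
    awk '
        index($0, ENVIRON["SIG_DSID"]) || index($0, ENVIRON["SIG_INTEGRITY"]) {
            printf "%s:%d: [AD requires signing or TLS] %s\n", FILENAME, FNR, $0
            n++; next
        }
        index($0, ENVIRON["SIG_STRONG"]) {
            printf "%s:%d: [bind refused] %s\n", FILENAME, FNR, $0
            n++
        }
        END { exit (n > 0 ? 0 : 1) }
    ' "$@"
}

# Constructed sample: the timestamps and line layout are made up for the demo;
# only the quoted error strings come from the article.
make_constructed_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
10:01:02 connecting to 192.0.2.10 port 389
10:01:02 LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
10:01:03 an error occurred while binding to ldap server: Strong(er) authentication required
EOF
    echo "$f"
}

sample=$(make_constructed_sample)
ldap_signing_hits "$sample" && echo "=> plain LDAP bind rejected; switch the Account Unit to LDAPS"
rm -f "$sample"
```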

Microsoft will add an option to apply new security settings at the beginning of 2020 - LDAP Channel Binding and LDAP Signing for Windows.

For more information, refer to:

Setups that are using LDAP, and not LDAP over SSL, will be impacted. Follow the instructions in the Solution section.

There is no impact on setups with LDAP over SSL.


Existing setups that are using LDAP, and not LDAP over SSL, will have to enable LDAPS:

  1. Enable “Use SSL” option in the Account Unit.
  2. Enable LDAPS on the AD.

New setup

  1. IDA Wizard - when the connection error is received
    1. Select "Ignore the errors and continue to configure the LDAP account" and click “Finish”.
    2. Go to object explorer:
      1. If the Account Unit was created by the wizard, edit the object and enable SSL by editing the server and selecting “Use Encryption (SSL)” under the ‘Encryption’ tab.
      2. If the Account Unit was not created, select New LDAP account, configure the AU settings, and select “Use Encryption (SSL)” under the ‘Encryption’ tab.
  2. Enable LDAPS on the AD.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
