SonicWall
Cannot connect to LDAP server on ports 389, 3268 and 636

10/26/2021

    Description

    Email Security LDAP authentication fails on ports 389, 3268 and 636 even though the credentials are correct.

    The WebUI log shows the following:

    EXCEPTION THROWN LdapAuth.login(): UNABLE to connect to the primary LDAP server : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1772]

    Cause

    This issue is the result of a non-default domain policy in Active Directory that requires every LDAP bind to be either signed or protected by TLS/SSL. A simple bind over plain LDAP (port 389, or the global catalog port 3268) is neither, so the domain controller rejects it with LDAP error code 8 (strongAuthRequired) before the credentials are ever checked. That is why the failure is not error code 49 (invalidCredentials) and why correct credentials do not help.

    The policy on the domain controller is "Domain controller: LDAP server signing requirements". When it is set to "Require signing", LDAP data signing must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is being used. The policy is stored in the following registry value on all domain controllers, where 2 means "Require signing" and 1 means "None":

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity

    This issue is often seen after a Microsoft update.
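    The following PowerShell is an added example and is not part of the SonicWall article. It reproduces the symptom from a Windows host with the same kind of bind the appliance performs (an LDAPv3 simple bind, plain on 389/3268 and over SSL on 636) and reads the LDAPServerIntegrity value behind the policy directly from a domain controller. It uses only System.DirectoryServices.Protocols from the .NET Framework and PowerShell remoting; the host name gc1.contoso.com, the account svc-ldap@contoso.com and the path C:\certs are placeholders.

```powershell
# Added example (not from the SonicWall article). Placeholders: gc1.contoso.com, svc-ldap@contoso.com.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    # LDAPv3 simple bind (AuthType Basic), plain on 389/3268 or TLS-from-the-first-byte on 636/3269 with -UseSsl.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseSsl
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        $verdict = 'success'
        $detail  = ''
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $ex = $_.Exception
        # ErrorCode is the LDAP resultCode; ServerErrorMessage is the AD diagnostic string
        # (the "00002028 ... integrity checking" text seen in the appliance log).
        $verdict = switch ($ex.ErrorCode) {
            8       { 'strongAuthRequired (8): DC requires signing or TLS; the password was never checked' }
            49      { 'invalidCredentials (49): wrong account or password, not the signing policy' }
            81      { 'serverDown (81): no LDAP session; on 636 this usually means the DC certificate is not trusted' }
            default { "LDAP resultCode $($ex.ErrorCode)" }
        }
        $detail = $ex.ServerErrorMessage
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; Ssl = [bool]$UseSsl; Result = $verdict; Detail = $detail }
}

function Get-LdapSigningPolicy {
    # Reads the registry value behind "Domain controller: LDAP server signing requirements" on one DC.
    # Requires PowerShell remoting and local administrator rights on that DC.
    param([Parameter(Mandatory)][string]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $v   = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        $meaning = switch ($v) { 2 { 'Require signing' } 1 { 'None' } default { 'not set (behaves as None)' } }
        [pscustomobject]@{ DomainController = $env:COMPUTERNAME; LDAPServerIntegrity = $v; Policy = $meaning }
    }
}

# Usage (placeholders). With the policy at "Require signing" the two plain binds report resultCode 8
# and the SSL bind succeeds once the DC certificate is trusted by this host.
$cred = Get-Credential -UserName 'svc-ldap@contoso.com' -Message 'LDAP bind account'
Get-LdapSigningPolicy -DomainController 'gc1.contoso.com'
Test-LdapSimpleBind -Server 'gc1.contoso.com' -Port 389  -Credential $cred
Test-LdapSimpleBind -Server 'gc1.contoso.com' -Port 3268 -Credential $cred
Test-LdapSimpleBind -Server 'gc1.contoso.com' -Port 636  -Credential $cred -UseSsl
```

    Running the plain and SSL binds side by side with the same account separates the two failure modes the article describes: resultCode 8 on 389 together with success on 636 confirms the signing policy is the cause, whereas resultCode 49 on both ports points at the account or password instead.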

    Resolution

    NOTE: Microsoft Article: http://support.microsoft.com/kb/2545140.

    There are two methods to resolve this issue. Method 1 relaxes the signing policy on every domain controller and removes the protection it gives against tampering with unsigned LDAP traffic, so prefer Method 2 (securing the bind with LDAPS) where possible.

    Method 1

    • Change the policy "Domain controller: LDAP server signing requirements" on the Domain Controllers to None. With this setting, LDAP data signing is not required in order to bind with the server; however, if the client requests data signing, the server supports it.

    • Setting this policy to None also changes the following registry setting on all DCs:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1

      NOTE: This is the default setting.

    • Once this setting is changed on the DC, the ESP server should allow unsecured LDAP authentication, and the process in KB2441205 will allow authentication against Active Directory from the ESP Administrator.

     
    Method 2

    • Configure the ESP Adminserver process to bind securely with the LDAP server hosted by the Windows Domain Controller. In order to accomplish this, the following steps must be completed:

    1. Obtain the Domain Controller's SSL server certificate, or the certificate of the root CA that issued it (step 12 imports the root CA certificate).

      NOTE: One can refer to the Windows security group to obtain the required certificate.

    2. Once the appropriate certificate is obtained, install it in the Trusted Root Certification Authorities container on the FAST ESP Server.
    3. Test the secure LDAP connection from the ESP Server using LDP.EXE.
      See the following for more information on obtaining and using LDP.EXE:
      Ldp Overview
      http://technet.microsoft.com/en-us/library/cc772839(WS.10).aspx

    4. Launch LDP.EXE from the FAST ESP Admin Server.
    5. Choose Connection from the file menu.
    6. Choose Connect from the drop-down menu.
    7. Type the name of the DC with which to establish a connection.

    8. Change the port number to 636.

      NOTE: 636 is the secure LDAP port (LDAPS).

    9. Select the SSL checkbox to enable an SSL connection.
    10. Click OK to test the connection.
    11. If successful, a secure LDAPS connection is established to the DC, which validates the certificate that was installed in step 2.
    12. At this point the Root CA certificate obtained in step 1 must be installed into the Java keystore so that the Java-based ESP Adminserver component can establish a secure LDAP connection to the DC.

    13. This step can be accomplished by using the keytool utility that ships with Java:

      EXAMPLE: $JAVA_HOME/bin/keytool -import -alias root -keystore $JAVA_HOME/lib/security/cacerts -trustcacerts -file <path-to-ssl-certificate>/ldap-server.cer

      NOTE: The certificate is added to the default JVM truststore $JAVA_HOME/lib/security/cacerts under the alias 'root'.
      <path-to-ssl-certificate>/ldap-server.cer is the certificate the JVM client uses to trust the LDAP server.

      See the following for assistance with this process: Importing a Certificate for the CA: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html.

    14. Once the DC root certificate is successfully imported into the Java keystore, open and edit the login.conf file at %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\login.conf.
    15. Modify the existing entry:

      LDAP {
          no.fast.vespa.security.auth.JaasLdapProvider required
          providerURL="ldaps://gc1.contoso.com:636"
          principalFormat="{0}@contoso.com";
      };

      Where ldaps://gc1.contoso.com:636 is the full LDAP URL of the company's LDAP server, and @contoso.com is the part common to all user names.

      NOTE: The difference from KB2441205 is that the LDAP URL is changed to ldaps and port 636, which is required to establish a secure LDAP connection.

    16. Edit the file %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\classes\esp4j-security-context.xml.
    17. Change the loginContextName property to LDAP on the bean with id="jaasAuthenticatorTarget".
      NOTE: This property specifies which login context to use. Changing it to LDAP activates the login context defined in WEB-INF\login.conf.

      EXAMPLE:
      <bean id="jaasAuthenticatorTarget" class="no.fast.vespa.security.auth.JaasAuthenticator">
          <property name="loginConfig">
              <value>/WEB-INF/login.conf</value>
          </property>
          <property name="loginContextName">
              <value>LDAP</value>
          </property>
          <property name="callbackHandlers">
              <list>
                  <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
                  <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
              </list>
          </property>
      </bean>

    18. Restart Adminserver:
      nctrl stop adminserver
      nctrl start adminserver

    19. Log in to the admin node and navigate to FAST Home | User Administration | Create Users & Groups.
    20. Create a user with the same name as the Windows user that requires access rights to ESP.
    21. Select "This user will be authenticated by an external management system".
    22. Give this user rights in ESP.

      EXAMPLE: choose "may create and delete users and groups (admin)".

      NOTE: If one chooses to authenticate a user by an external user management system, the User Name field must match the user login of the external user management system (the AD user account in this case). It is not required to fill in the e-mail and password fields for users authenticated through an external user management system.

    23. Once these changes are made, one can log into the ESP admin console with mapped external accounts that are maintained in the Windows domain.
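    The following PowerShell is an added example, not part of the article or of the FAST ESP product: it carries out steps 1, 2, 12 and 13 of Method 2 from the command line. It opens a TLS session to the DC's LDAPS port, captures the certificate chain the DC presents, writes the root CA certificate out as DER, and imports it into the JVM truststore with keytool, then lists the entry so the import can be verified before the Adminserver restart in step 18. The host name gc1.contoso.com, the output path C:\certs\ldap-server.cer and the assumption that JAVA_HOME points at the JVM the Adminserver runs on are placeholders; the default cacerts password "changeit" is the JDK default.

```powershell
# Added example (not from the article). Placeholders: gc1.contoso.com, C:\certs\ldap-server.cer, JAVA_HOME.
function Export-LdapsRootCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$OutFile
    )
    $bag = @{ Chain = @() }
    # The callback returns $true for this one handshake only: we are collecting the chain, not trusting it.
    # GetNewClosure() binds $bag so the delegate can fill it when SslStream invokes the callback.
    $collect = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $bag.Chain = @($chain.ChainElements | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData)
        })
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $collect)
        $ssl.AuthenticateAsClient($Server)   # LDAPS is TLS from the first byte; no STARTTLS involved
    } finally {
        $tcp.Close()
    }
    if ($bag.Chain.Count -eq 0) { throw "No certificate chain received from ${Server}:$Port" }

    $leaf = $bag.Chain[0]
    $root = $bag.Chain[-1]   # top of the chain; equals $leaf when the DC certificate is self-signed
    $der  = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($OutFile, $der)   # DER is what keytool -importcert expects
    [pscustomobject]@{
        LeafSubject    = $leaf.Subject
        LeafExpires    = $leaf.NotAfter
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint   # confirm out-of-band with the Windows security group (step 1 NOTE)
        File           = $OutFile
    }
}

function Import-JvmTrustedCertificate {
    # keytool from the JVM the Adminserver runs on. On a JDK 8 install the truststore lives under
    # jre\lib\security; on a JRE or a newer JDK under lib\security. Default cacerts password is "changeit".
    param(
        [Parameter(Mandatory)][string]$CertFile,
        [string]$JavaHome  = $env:JAVA_HOME,
        [string]$Alias     = 'root',
        [string]$StorePass = 'changeit'
    )
    $keytool = Join-Path $JavaHome 'bin\keytool.exe'
    $cacerts = Join-Path $JavaHome 'lib\security\cacerts'
    if (-not (Test-Path $cacerts)) { $cacerts = Join-Path $JavaHome 'jre\lib\security\cacerts' }
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
    # Show the imported entry; the Adminserver only picks it up after the restart in step 18.
    & $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias
}

# Usage (placeholders)
$info = Export-LdapsRootCertificate -Server 'gc1.contoso.com' -OutFile 'C:\certs\ldap-server.cer'
$info
Import-JvmTrustedCertificate -CertFile $info.File
```

    The validation callback accepts whatever the DC presents so that the chain can be captured, which is why the returned thumbprint must be checked against what the Windows security group expects before the file is imported; once the root is in cacerts the JVM performs full validation on every LDAPS connection, so a mismatch between the DC's host name and its certificate will still fail the bind.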

    Related Articles

    • SonicWall HES IP address blocklisted by UCEProtect or Backscatter
    • How to add O365 connector for domain specific routing
    • SonicWall Email Security on Hyper-V Platform

    Categories

    • Email Security > Email Security Appliance
    • Email Security > Email Security Software
    • Email Security > Hosted Email Security
    • Email Security > Hosted Email Security > LDAP Configuration
    • Email Security > Email Security Appliance > LDAP Configuration

    © 2022 SonicWall. All Rights Reserved.