Product: TIBCO Spotfire®
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
With Spotfire LDAP authentication set up, users may not be able to log in, and the server.log may show the following message:
LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
This issue is the result of a non-default domain policy set in Active Directory that requires LDAP authentication to be signed or secured with SSL/TLS.
This policy on the domain controller is "Domain controller: LDAP server signing requirements". If it is set to "Require signing", the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is being used. The policy also sets the following registry value on all domain controllers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2
If this policy is configured on one's domain controllers in a Windows Domain, non-secure LDAP authentication will fail.
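The resolution is to configure LDAPS in Spotfire, which leaves the signing requirement in place, or to set the following registry value on each LDAP server, which removes the signing requirement for all clients of that server: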
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1
The following Microsoft KB article explains the available workarounds and resolutions:
https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo
Note: Always take a backup of the Registry before making any changes.
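The following PowerShell is an added example, not part of the original article or of any TIBCO or Microsoft tooling. It reads LDAPServerIntegrity from each domain controller and checks whether the LDAPS port (TCP 636) is reachable, which helps when choosing between the two resolutions above. The host names are placeholders, the function name Get-LdapSigningState is hypothetical, and PowerShell remoting is assumed to be enabled on the domain controllers.

```powershell
# Added example: report the LDAP signing policy and LDAPS reachability per domain controller.
# Host names are placeholders (assumption); replace them with your own domain controllers.
$DomainControllers = @('dc01.example.com', 'dc02.example.com')

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'LDAPServerIntegrity'

function Get-LdapSigningState {
    param([Parameter(Mandatory)][string]$ComputerName)

    $raw    = $null
    $policy = 'Not set or other value'
    try {
        # Read the value on the remote DC; needs PowerShell remoting and admin rights there.
        $raw = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $KeyPath, $ValueName

        # 2 = "Require signing", 1 = signing not required (the two values this article uses).
        if     ($raw -eq 2) { $policy = 'Require signing' }
        elseif ($raw -eq 1) { $policy = 'Signing not required' }
    }
    catch {
        $policy = 'Could not read registry'
    }

    # LDAPS listens on TCP 636. A successful connect only shows the port is reachable;
    # it does not validate the server certificate.
    $ldaps = Test-NetConnection -ComputerName $ComputerName -Port 636 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        DomainController     = $ComputerName
        LDAPServerIntegrity  = $raw
        SigningPolicy        = $policy
        LdapsPort636Open     = $ldaps
        # With "Require signing", unsigned binds over plain LDAP fail with DSID-0C090257.
        UnsignedBindRejected = ($raw -eq 2)
    }
}

$DomainControllers |
    ForEach-Object { Get-LdapSigningState -ComputerName $_ } |
    Format-Table -AutoSize
```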