Active Directory Sync Utility re-prompts for the LDAP credentials

  • Article ID: 120948
  • Updated: 29 Jul 2014

Issue

When configuring the Sophos Cloud Active Directory Sync Utility, you are continually re-prompted for the LDAP credentials even though they are correct. When looking in the 'Sophos Cloud AD Sync' Windows Event log you see the error:

Failed active directory synchronization. Reason: SophosADSync.NeedADCredsException: Invalid LDAP credentials ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)

First seen in

Sophos Cloud

Cause

The most likely cause is that Secure LDAP (LDAPS) is not available on the DC the utility is connecting to. The TCP connection to the LDAPS port succeeds, but the DC has no usable server certificate, so the TLS handshake cannot complete. The LDAP client reports this as 'The LDAP server is unavailable', and the utility treats the failed bind as invalid credentials and prompts for them again. The problem is therefore with the DC's certificate, not with the username or password.

What To Do

After ensuring the following information is entered correctly:

  • Address of Domain Controller.  
    Note: can be IP or server name. For LDAPS, prefer the fully qualified domain name that appears in the DC's certificate; an IP address only validates if the certificate lists it in its Subject Alternative Name.

  • The Secure LDAP port, by default 636.

  • The Windows username to read from AD.
    Note: Typically in the form: [domain]\[username].

  • Password of the Windows user.

ensure that the DC being connected to is actually presenting a server certificate on the chosen port, i.e. that a TLS handshake completes, and not merely that the port accepts TCP connections.  

Notes: 

  • Version 1.1.120.0 and later of the utility also permits the use of unsecured LDAP (plain LDAP, default port 389). This is useful as a fallback to confirm that the account and network path are correct, but LDAPS remains the recommended configuration.
  • By default, even where secure LDAP is not configured, the DC still listens on TCP port 636, so a port check (telnet, Test-NetConnection) will show it in a listening state. That does not prove LDAPS is working; only a completed TLS handshake does.
  • LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller (although installing a CA on a domain controller is not a recommended practice). More generally, a DC offers LDAPS once it holds a server-authentication certificate whose Subject or Subject Alternative Name contains the DC's fully qualified domain name, issued by a CA that the machine running the utility trusts, with the private key in the DC's Local Computer personal certificate store.
  • Microsoft article http://support.microsoft.com/kb/321051 (How to enable LDAP over SSL with a third-party certification authority) offers additional guidance.
  • Microsoft article http://support.microsoft.com/kb/938703 (How to troubleshoot LDAP over SSL connection problems) may also be helpful when troubleshooting such issues.
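The PowerShell below is an added example for checking the conditions described in the steps and notes above; it is not part of the Sophos utility. It separates the three things that can go wrong: the port is not open at all, the port is open but the DC completes no TLS handshake (the case this article describes), or the handshake works but the bind fails. The final step uses the same System.DirectoryServices.Protocols LdapConnection API that appears in the event log stack trace, so its failure mirrors what the utility sees. The DC name, port and account below are assumptions; substitute your own.

```powershell
# Added example, not Sophos code. Host, port and account names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsCertificate {
    param([string]$Dc, [int]$Port = 636)

    # Step 1: TCP connect. A DC listens on 636 even with no LDAPS certificate,
    # so success here proves only that the port is open.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Dc, $Port) }
    catch { Write-Warning "TCP connect to ${Dc}:${Port} failed: $($_.Exception.Message)"; return $false }
    Write-Host "TCP ${Dc}:${Port} is open (not yet proof that LDAPS works)"

    # Step 2: TLS handshake. Any certificate is accepted here so it can be inspected;
    # a DC with no usable server certificate fails or drops the connection at this
    # step, which the utility surfaces as 'The LDAP server is unavailable'.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Dc)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "TLS handshake OK"
        Write-Host "  Subject : $($cert.Subject)"
        Write-Host "  Issuer  : $($cert.Issuer)"
        Write-Host "  Expires : $($cert.NotAfter)"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        if ($san) { Write-Host "  SAN     : $($san.Format($false))" }
        # The utility's own bind still needs this issuer to be trusted on the machine
        # running the utility, and the name you typed to match Subject/SAN.
        return $true
    }
    catch {
        Write-Warning "TLS handshake failed: $($_.Exception.Message)"
        Write-Warning "The DC is not presenting a usable LDAPS certificate on port $Port"
        return $false
    }
    finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-LdapBind {
    param([string]$Dc, [int]$Port, [string]$User, [string]$Password, [bool]$UseSsl)

    # Step 3: same code path as the stack trace in the event log (LdapConnection Connect/Bind).
    # Unlike step 2, the server certificate IS validated here, as the utility would.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    try {
        $conn.Bind()
        Write-Host ("Bind OK on port {0} (SSL={1})" -f $Port, $UseSsl)
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP error 81 (server down) is what a failed LDAPS handshake or untrusted
        # certificate produces; error 49 is a genuinely wrong username/password.
        Write-Warning ("Bind failed on port {0} (SSL={1}): {2} [LDAP error {3}]" -f `
            $Port, $UseSsl, $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    }
    catch {
        Write-Warning ("Bind failed on port {0} (SSL={1}): {2}" -f $Port, $UseSsl, $_.Exception.Message)
        return $false
    }
    finally { $conn.Dispose() }
}

# Assumed values: replace with your DC's FQDN and the read-only account the utility uses.
$dc   = 'dc01.example.local'
$user = 'EXAMPLE\svc-adsync'
$secure = Read-Host -Prompt "Password for $user" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

if (Test-LdapsCertificate -Dc $dc -Port 636) {
    Test-LdapBind -Dc $dc -Port 636 -User $user -Password $plain -UseSsl $true  | Out-Null
} else {
    # Separates a certificate problem from a credential problem: if this plain LDAP
    # bind succeeds, the account is fine and only LDAPS on the DC needs fixing.
    Test-LdapBind -Dc $dc -Port 389 -User $user -Password $plain -UseSsl $false | Out-Null
}
```

Run this from the machine on which the utility is installed, because that is where the certificate chain has to be trusted. If step 2 succeeds but step 3 fails with LDAP error 81, the DC does present a certificate but the utility's host does not trust its issuer or the name entered does not match the certificate, which the two Microsoft articles above cover.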

If you need more information or guidance, then please contact technical support.
