When configuring the Sophos Cloud Active Directory Sync Utility, you are continually re-prompted for the LDAP credentials. When looking in the 'Sophos Cloud AD Sync' Windows Event log you see the error:
Failed active directory synchronization. Reason: SophosADSync.NeedADCredsException: Invalid LDAP credentials ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
First seen in
The most likely cause is that Secure LDAP is not available on the DC the utility is connecting to.
What To Do
After ensuring the following information is entered correctly:
- Address of Domain Controller.
Note: can be IP or server name.
- The Secure LDAP port, by default 636.
- The Windows username to read from AD.
Note: Typically in the form: [domain]\[username].
- Password of the Windows user.
ensure that the DC being connected to is presenting a certificate on the chosen port.
- Version 126.96.36.199 and later of the utility also now permits the use of non secured LDAP.
- By default even where secure LDAP is not configured, the port will be shown in a listening state.
- LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller (although installing a CA on a domain controller is not a recommended practice).
- Microsoft article http://support.microsoft.com/kb/321051 offers additional guidance.
- Microsoft article http://support.microsoft.com/kb/938703 may also be helpful when troubleshooting such issues.