Posted Thu, 01 Jan 2015 16:00:00 GMT by

Q. I am trying to set up the InterMapper Authentication Server to authenticate against our Active Directory servers. Every time I use a known good username and password (verified using ldapsearch), I am unable to authenticate and the imauth.log file contains the following errors:

LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 0, vece

Could not connect to : Simple Authentication Failed (80090308: LdapERR: DSID-0C090334, comment: AcceptSecurityContext error

A. IMAuth is getting an error directly from the AD server, but AD doesn't include any information beyond the fact that the authentication attempt failed. This is usually caused by AD rejecting the types of authentication IMAuth is trying to use. Even when an AD server advertises that it supports, for example, the DIGEST-MD5 type, it can still be set up to reject it for all users. IMAuth does not yet support all of AD's authentication types, so it's possible that AD is configured to reject all the types it's trying.

Some possible solutions:

1. If you have control over the AD configuration, you can enable 'simple' authentication, for SSL-encrypted connections only. This causes the passwords to be sent in clear text, which is obviously a security problem. But if it's only allowed for SSL-encrypted connections, and depending on your network, this may be fine.

2. If you don't have control over the AD configuration, or your network requires especially high security, you can use IMAuth's 'Kerberos' setting, rather than ActiveDirectory or LDAP. ActiveDirectory has Kerberos built-in, and you can find instructions on how to configure IMAuth to use.

   This doesn't require changing the AD server's configuration, and is quite secure, but only works when logging into InterMapper using RemoteAccess. Due to the way Kerberos works, it is not available for telnet or web logins.
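As an added example that is not part of this thread or of InterMapper itself, a small Python triage helper for the AcceptSecurityContext lines quoted in the question: it pulls out the SSPI status, the DSID and the `data` sub-status from an imauth.log line and maps the sub-status to its usual AD meaning, with `data 0` flagged as the no-detail case the answer describes. The log lines embedded in it are constructed samples, not real output.

```python
import re

# Diagnostic string AD returns on a failed bind, in the shape seen in
# imauth.log above. The leading 8-hex-digit status is optional because the
# first quoted line lacks it; 80090308 is the SSPI code SEC_E_LOGON_DENIED.
_DIAG_RE = re.compile(
    r"(?:(?P<hresult>[0-9A-Fa-f]{8}):\s*)?"
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-fX]+),\s*"
    r"comment:\s*AcceptSecurityContext error,\s*data\s*(?P<data>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Sub-status codes AD places after "data". 0 carries no detail at all and is
# what a rejected bind mechanism looks like; the others point at the account.
DATA_CODES = {
    "0": "no detail from AD; check which bind mechanism (simple over SSL, DIGEST-MD5, Kerberos) the DC permits",
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def parse_ad_bind_error(line):
    """Describe one AD bind failure line; None if it carries no diagnostic."""
    m = _DIAG_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "hresult": (m.group("hresult") or "").lower() or None,
        "dsid": m.group("dsid"),
        "data": data,
        "reason": DATA_CODES.get(data, "unrecognised sub-status %s" % data),
        "credentials_wrong": data == "52e",
    }

# Constructed sample imauth.log excerpt (not captured from a real server)
SAMPLE_LOG = [
    "Could not connect to : Simple Authentication Failed (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 0, vece",
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "imauth: listener started on port 1443",
]

def triage(lines):
    """Classify every AcceptSecurityContext failure in a log excerpt."""
    return [r for r in map(parse_ad_bind_error, lines) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["data"], "->", r["reason"])
```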
Posted Wed, 18 Nov 2015 16:00:00 GMT by

If you are testing AD authentication with the "Use SSL" box unchecked, the Active Directory server will be particular about the host specification for the Domain Controller - you must specify the precise DNS name (case-sensitive), rather than using the IP address.

This is because SASL incorporates the DC's hostname as part of the authentication request.

If you still have problems authenticating, make sure that the user account has 'use reversible encryption' enabled (Windows configuration option), and has had its password changed at least once since that option was enabled.
