LDAP unable to connect to DC Hardened
Hello,
Since this morning I can no longer synchronize my multiotp to a hardened server requesting with SSL.
My DC is a Windows 2025 Server. Kerberos works only with AES.
If I try on LDAP port 389 I have this error message: FATAL: AD bind failed. Check the login credentials (49: Invalid credentials). (80090308: LdapErr: DSID-0C090549, comment: AcceptSecurityContext error, data 52e, v65f4)
If I try with 636 port without SSL: Fatal: AD bind failed. Check the login credentials (-1: Can't contact LDAP Server)
And with SSL flag: Fatal AD bind failed. Either the LDAPS connection failed or the login credential are incorrect (Can't contact LDAP server), (Error in the pull function)
Windows creds were correct. I tried with ldp.exe and it's working.
On the Windows server I have a warning "ActiveDirectory_DomainService" 2085, error 2148074289
The SSL certificate on my DC was delivered through "Active Directory Certificate Services", maybe multiotp needs to know my CA?
Best regards
Luc
This discussion has been closed.
Comments
We have tested multiOTP Pro and Windows 2025, and LDAPS on port 636 (LDAPS required on Windows 2025), and it works. However, the virtual machine must be at least version 011.
You are currently using an old (005) virtual machine under Hyper-V (based on a separate email you sent us). The OS of the underlying virtual machine is therefore very old and probably does not properly support the connection with Windows 2025 in TLS.
I therefore suggest the following approach:
Deploy the latest virtual machine available for Hyper-V: https://firmware.multiotp.com/pro/hyper-v/ (there is always a free license included for one user, which will be sufficient for testing).
Test synchronization with your Windows domain on the Windows 2025 server.
And if it works:
- Run a backup on the old VM (by entering a backup password).
- Restore the new VM (by entering the same password for the restore).
Please note that version 013 of the virtual machines will be released in the coming weeks.
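To tell apart the three causes raised in this thread for "Can't contact LDAP server" on port 636 (port unreachable, the DC certificate's issuing CA not trusted by the client, or a client TLS stack the DC will not negotiate with), the following probe reports the stage at which the connection fails. It is an added example, not part of the thread and not multiOTP code; `probe_ldaps` and its result fields are names invented here. It assumes Python 3.7+ on the machine whose TLS stack is being checked and a PEM export of the AD CS root certificate.

```python
import socket
import ssl
import sys


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Probe an LDAPS endpoint and report which stage fails.

    cafile: PEM file with the issuing CA (for example the AD CS root).
    When None, the system trust store is used.
    """
    result = {"stage": None, "ok": False, "detail": ""}
    # Stage 1: plain TCP reachability (firewall, wrong port, service down).
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp", detail=str(exc))
        return result
    # Stage 2: TLS handshake with certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(stage="done", ok=True,
                          detail=f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLCertVerificationError as exc:
        # Chain does not end in a trusted CA, or the name does not match.
        result.update(stage="cert", detail=exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # No shared protocol version or cipher, reset, or handshake timeout.
        result.update(stage="tls", detail=str(exc))
    finally:
        raw.close()
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: probe.py <dc-hostname> [ca.pem]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(sys.argv[1], cafile=ca))
```

A result of `cert` points at the trust store, `tls` at protocol or cipher negotiation, and `tcp` at the network path. The probe only reflects the OpenSSL build of the host it runs on, so run it from the machine that performs the LDAP synchronization.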