Troubleshooting
Problem
Customers may experience problems while using the SASL Authentication Method with the following connectors: Active Directory Change Detection Connector, JNDI Connector, and LDAP Connector.
Symptom
Please consult the documentation for the connector's specific configuration instructions.
The following exceptions were captured when connecting to Windows 2008 - Active Directory. It is this engineer's assumption that SASL is enabled by default on Active Directory.
Exception #1:
javax.naming.AuthenticationNotSupportedException: SASL
Exception #2:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Exception #3:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece
Diagnosing The Problem
The DSID-0C090*** numbers given in the Symptom section can be used to research the cause of each specific exception.
Resolving The Problem
Solution #1:
The appropriate parameter has not been added to the 'Extra Provider Parameter' section of the connector. Add 'java.naming.security.authentication:DIGEST-MD5' to the 'Extra Provider Parameter' section when the SASL authentication method is selected.
Solution #2:
'LDAP: error code 49' indicates an invalid credential problem. By default the LDAP Connector is in 'Simple' authentication mode, in which the authenticating user's LDAP DN is required. When the authentication mode of the connector is changed to 'SASL', however, the SAMAccountName of the user must be used instead.
Solution #3:
The LDAP URL defined in the Connector does not match any servicePrincipalName (SPN) defined in the domain controller. The domain controller object, which is of objectClass Computer, is usually stored in the container OU=Domain Controllers,dc=your_domain,dc=com.
Use the Windows Server Support Tool 'setspn.exe' to add service principal names. Information on setspn is available at http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx
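The three solutions can be checked outside the connector with a stand-alone JNDI bind. The following is an added example, not code from the product or this technote. The host name, account name, and the LDAP_BIND_PW environment variable are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class SaslBindCheck {
    // Maps a bind failure to the three cases described in this technote.
    static String diagnose(NamingException e) {
        String msg = String.valueOf(e.getMessage());
        if (e instanceof AuthenticationNotSupportedException) {
            return "Solution #1: set java.naming.security.authentication to DIGEST-MD5";
        }
        // Check the more specific SPN error before the generic error code 49.
        if (e instanceof AuthenticationException && msg.contains("80090303")) {
            return "Solution #3: host in the LDAP URL matches no SPN on the domain controller";
        }
        if (e instanceof AuthenticationException && msg.contains("error code 49")) {
            return "Solution #2: bind with the SAMAccountName, not the LDAP DN";
        }
        return "Unrecognized: " + msg;
    }

    public static void main(String[] args) {
        // Constructed placeholders: replace with your own host and account.
        String url = "ldap://dc01.example.com:389"; // host is sent as digest-uri ldap/<host>
        String user = "svc_tdi";                    // SAMAccountName, not a DN
        String password = System.getenv("LDAP_BIND_PW");
        if (password == null) { System.err.println("Set LDAP_BIND_PW"); return; }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Same key/value the technote adds under 'Extra Provider Parameter'.
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);

        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("SASL DIGEST-MD5 bind succeeded");
            ctx.close();
        } catch (NamingException e) {
            System.out.println(diagnose(e));
        }
    }
}
```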
Document Information
More support for:
Tivoli Directory Integrator
Software version:
7.1.1, 7.1, 7.0
Document number:
485673
Modified date:
16 June 2018
UID
swg21619040