Troubleshooting
Problem
Customers may experience problems while using the SASL Authentication Method with the following connectors: Active Directory Change Detection Connector, JNDI Connector, and LDAP Connector.
Symptom
Please consult the documentation for the connector's specific configuration instructions.
The following exceptions were captured when connecting to Windows 2008 Active Directory. It is this engineer's assumption that SASL is enabled by default on Active Directory.
Exception #1:
javax.naming.AuthenticationNotSupportedException: SASL
Exception #2:
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Exception #3:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece
Diagnosing The Problem
The DSID-0C090*** numbers given in the Symptom section can be used to research the cause of each specific exception further.
Resolving The Problem
Solution #1:
The appropriate parameter has not been added to the Extra Provider Parameter section of the connector. Add 'java.naming.security.authentication:DIGEST-MD5' to the 'Extra Provider Parameter' section when the SASL authentication method is selected.
Solution #2:
'LDAP: error code 49' is an invalid credential problem. By default the LDAP Connector is in 'Simple' authentication mode, in which the authenticating user's LDAP DN is required. However, when the authentication mode of the connector is changed to 'SASL', the sAMAccountName of the user must be used instead.
Solution #3:
The LDAP URL defined in the connector does not match any servicePrincipalName (SPN) defined on the domain controller. The domain controller object, which is of objectClass Computer, is usually stored in the container OU=Domain Controllers,dc=your_domain,dc=com.
Use the Windows Server Support Tool 'setspn.exe' to add service principal names (information on setspn is available at http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx).
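As an added triage helper (not IBM or TDI code), the following Python maps the three exceptions quoted above to Solutions #1 to #3, checks the Extra Provider Parameter lines for the DIGEST-MD5 setting, and derives the digest-uri that a DIGEST-MD5 bind presents from the connector's LDAP URL so it can be compared with the SPNs that 'setspn -L' lists. The SPN list is a constructed sample, and the digest-uri derivation ('ldap/<URL host>') is an assumption about the JNDI DIGEST-MD5 client.

```python
import re
from urllib.parse import urlparse

# AD sub-code (first hex field of the "error code 49" comment) -> solution number.
# Assumption: only the two sub-codes quoted in this technote are mapped.
AD_SUBCODE_TO_SOLUTION = {"8009030C": 2, "80090303": 3}
SAMPLE_SPNS = ["ldap/dc1.example.com", "LDAP/DC1", "HOST/dc1.example.com"]  # constructed, 'setspn -L' shape

EXC_RE = re.compile(r"javax\.naming\.(\w+):\s*(.*)", re.S)
CODE49_RE = re.compile(r"error code 49 - ([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), comment: (.*?), data")

def classify(exception_text):
    """Map a captured exception to the Solution number in this technote; None if unrecognised."""
    m = EXC_RE.search(exception_text)
    if not m:
        return None
    cls, msg = m.group(1), m.group(2).strip()
    if cls == "AuthenticationNotSupportedException" and msg.startswith("SASL"):
        return {"solution": 1, "dsid": None, "comment": "SASL mechanism not configured"}
    if cls == "AuthenticationException":
        m49 = CODE49_RE.search(msg)
        if m49 and m49.group(1).upper() in AD_SUBCODE_TO_SOLUTION:
            sol = AD_SUBCODE_TO_SOLUTION[m49.group(1).upper()]
            return {"solution": sol, "dsid": m49.group(2), "comment": m49.group(3)}
    return None

def parse_extra_provider_params(text):
    """Parse 'key:value' lines (the Extra Provider Parameter format) into a dict."""
    params = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            params[key.strip()] = value.strip()
    return params

def sasl_mechanism_configured(extra_params_text):
    """Solution #1 check: java.naming.security.authentication must be DIGEST-MD5."""
    p = parse_extra_provider_params(extra_params_text)
    return p.get("java.naming.security.authentication", "").upper() == "DIGEST-MD5"

def expected_digest_uri(ldap_url):
    """digest-uri a DIGEST-MD5 bind presents: 'ldap/<host from the LDAP URL>'.
    Assumption: the host is used verbatim, so an IP or short name will not match an FQDN SPN."""
    host = urlparse(ldap_url).hostname
    return None if host is None else "ldap/" + host

def spn_registered(ldap_url, registered_spns):
    """Solution #3 check: compare the digest-uri with the DC's SPNs, case-insensitively."""
    uri = expected_digest_uri(ldap_url)
    return uri is not None and uri.lower() in {s.lower() for s in registered_spns}
```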
Document Information
More support for: Tivoli Directory Integrator
Software version: 7.1.1, 7.1, 7.0
Document number: 485673
Modified date: 16 June 2018
UID: swg21619040