Unable to Bind to LDAP or AD

Table of contents
  1. Summary
  2. Troubleshooting steps

(Version 7+)

Problems binding to the Directory Server or logging in with a Directory user.

Summary

Most often the problem lies with the username/password of the credential, or with the account used to connect to the LDAP/AD directory. However, other aspects involved in creating a connection are:

  • Network/Port problems
  • Domain Controller connection problems
  • Password Server Service problems
  • Server problem
  • Certificate problems

Troubleshooting steps

  1. Increase Logging details

    • Follow instructions for viewing logs (Server & Web) here: increase logging details

      • What is showing in your logs after increasing the logging detail and trying again?
      • Don't forget to change the logging levels back once you are done troubleshooting

  2. Directory Credentials are Not Valid

    • Check the accounts used to (A) connect to the Directory Server and (B) run the Password Server service:
      • Was the account/password modified?
      • Has the account expired? Is it active?
      • Were privileges of the account changed?

    • Use an administrative account with sufficient privileges for importing users and similar operations.

    • Also try another tool to test your Directory Credentials (step 7)

  3. Username Format

    • Attempt to connect with another username format: username, domain\username, username@domain, username@alias
    • Different username formats are accepted at login vs on the import page:
      • Import Users (only):
        • username             - sAMAccountName format
        • domain\username
        • username@domain      - UPN format
        • username@alias
      • Login page or Auto-Import:
        • username             - sAMAccountName format
        • username@alias       - using the Directory Alias, from the Edit Directory page

  4. Restart Pleasant Password Server Service

  5. (LDAP) Unique Directory Id

    • This attribute should match what is found on the LDAP Directory Server

  6. Change the Directory Host

    • There may be problems connecting to a domain controller
    • Try changing the Directory Host, for example, to: "YourDomain.com" (preferred method)
      • This allows the Domain Controllers to failover, and direct traffic to a controller that is not busy.
    • You can also try to use:
      • address of the primary controller / global catalog
      • IP Address
      • Hostname
    • (see also step 7 - DCdiag tool)

  7. Test LDAP/AD Connection with another Tool

    • Can you see your AD/LDAP server from the Password Server?

      • A) Test connection with ping

      • B) Test connection with a tool such as: LDP, Softerra LDAP Browser, LDAP Admin, PortQry, or Active Directory (AD) Explorer 

      • C) Diagnose DNS Health with the DCdiag tool:

        • For all DNS Servers (verbose)

          • DCdiag /Test:DNS /e /v > DNShealth.txt

        • On only a selected Domain (verbose)

          • DCdiag /Test:DNS /e /v /S:yourdomain > DNShealth.txt

        • Read the output file from the bottom up, checking for failures

        • Also see: more advanced diagnostics

  8. Certificate Problems

    • (LDAP) Try binding with the LDAP Admin tool on your Password Server machine, which returns comprehensive certificate warnings and errors.

    • Make sure the Host name set in Password Server exactly matches the corresponding string in the Certificate

    • Try unchecking "Use SSL" in the settings for your directory. If you are then able to connect, the problem is most likely with the certificate. Re-enable "Use SSL" once the certificate is fixed, since without it the bind credentials travel unencrypted.
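As an added example (not part of the Pleasant Password Server documentation), the following PowerShell script performs the checks from steps 3, 7 and 8 from the Password Server machine: TCP reachability of the Directory Host, whether the configured host name appears in the LDAPS certificate, and an LDAP bind with each username format. The host, domain and account names are placeholders.

```powershell
# Added example; run on the Password Server machine. All values are placeholders.
# Checks steps 3, 7 and 8: port reachability, certificate host name, bind formats.
param(
    [string]$DirectoryHost = 'YourDomain.com',  # placeholder: the Directory Host setting
    [string]$Domain        = 'YOURDOMAIN',      # placeholder: NetBIOS domain name
    [string]$SamAccount    = 'svc_pleasant',    # placeholder: the bind account
    [int]$Port             = 636                # 636 = LDAPS ("Use SSL"), 389 = plain LDAP
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName $SamAccount -Message 'Directory bind account password'

# Step 7: can the Password Server reach the directory port at all?
$tcp = Test-NetConnection -ComputerName $DirectoryHost -Port $Port
'TCP {0}:{1} reachable: {2}' -f $DirectoryHost, $Port, $tcp.TcpTestSucceeded

# Step 8: does the configured host name appear exactly in the LDAPS certificate?
if ($Port -eq 636 -and $tcp.TcpTestSucceeded) {
    $client = New-Object System.Net.Sockets.TcpClient($DirectoryHost, $Port)
    # Accept any certificate here so it can be inspected; the real bind below still validates it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DirectoryHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    $hostRe = [regex]::Escape($DirectoryHost) + '(,|$)'
    $match  = ($cert.Subject -match "CN=$hostRe") -or ($san -match "DNS Name=$hostRe")
    'Certificate subject : {0}' -f $cert.Subject
    'Certificate SANs    : {0}' -f $san
    'Host name in cert   : {0}' -f $match
    $ssl.Dispose(); $client.Dispose()
}

# Step 3: try each username format and report which ones the directory accepts.
$formats = @($SamAccount, "$Domain\$SamAccount", "$SamAccount@$DirectoryHost")
foreach ($user in $formats) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DirectoryHost, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    try {
        # Default AuthType is Negotiate; a certificate name mismatch surfaces here as a bind error.
        $conn.Bind((New-Object System.Net.NetworkCredential($user, $cred.Password)))
        'Bind OK     : {0}' -f $user
    } catch { 'Bind FAILED : {0} -> {1}' -f $user, $_.Exception.Message }
    finally { $conn.Dispose() }
}
```

A "Bind FAILED" for every format together with a reachable port points at the account or certificate rather than the network; a failure only for the bare sAMAccountName form matches the format differences listed in step 3.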

  9. Administrative checks
    • Restart services and server
    • Reboot Domain Controller
    • Check correct server date/time

Otherwise, if you are still experiencing problems, please forward your detailed logs to us at Support.
