Unable to Bind to LDAP or AD

(Version 7+)

Problems Binding to the Directory Server or Logging in with a Directory user.

Summary

Most often the problem is with the credential's username/password or the account used to connect to the LDAP/AD directory. However, other aspects involved in creating a connection are:

Troubleshooting steps

  1. Increase Logging details

    • Follow instructions for viewing logs (Server & Web) here: increase logging details

      • What is showing in your logs after increasing the logging detail and trying again?
      • Don't forget to change the logging levels back again once you are done Troubleshooting

  2. Directory Credentials are Not Valid

    • Check the accounts used to A) Connect to the Directory Server, or, B) Run the Password Server service.
      • It may be helpful to reset the password and unlock the account.
      • Other checks:
        • Was the account/password modified?
        • Has the account locked, expired? Is it active?
        • Were privileges of the account changed?

    • Use an administrative account that has sufficient privileges needed for importing users and has access to all the groups Password Server uses

    • Also try another tool to test your Directory Credentials (step 7)
       
  3. Reboot Domain Controllers
  4. Username Format

    • Double-check the possible formats available on the import / login pages. Some formats may not be available to your directory type. Attempt to connect with different username format.

  5. Restart Pleasant Password Server Service

  6. (LDAP) Unique Directory Id

    • This attribute should match what is found on the LDAP Directory Server

       

  7. Change the Directory Host

    • There may be problems connecting to a domain controller
    • Try changing the Directory Host, for example, to: "YourDomain.com" (preferred method)
      • This allows the Domain Controllers to failover, and direct traffic to a controller that is not busy.
    • You can also try to use:
      • address of the primary controller / global catalog
      • IP Address
      • Hostname
    • (see also step 7 - DCdiag tool)

  8. Certificate Problems

    • There may be a problem with the certificate, certificate chain, or the trust of the certificate(s).

      • Make sure the Host name set in Password Server exactly matches the corresponding string in the Certificate
      • If you are using a self-signed Certificate for AD/LDAP, add this certificate into the Password Server's "Trusted Root Authorities" on the Local Computer certificate store.

      • Hosting AD on Azure: only supports LDAPS on port 636

      • Test by unchecking "Use SSL" on settings for your directory. If you are able to connect, there is likely a problem with the certificate.

      • Check for other Certificate Problems

      • (LDAP) Try binding with the LDAP Admin tool on your Password Server machine, which returns comprehensive certificate warnings and errors.

      • Install the Intermediate and/or Root certificate for the Password Server machine onto AD/LDAP machine(s). This allows AD/LDAP to trust the connection.

  9. Test LDAP/AD Connection with another Tool

    • Can you see your AD/LDAP server from the Password Server?

      • A) Test connections to each Domain Controller with a ping

      • B) Ensure Directory services are started

      • C) Test connection with a tool such as: LDP, Softerra LDAP Browser, LDAP Admin, PortQry, or Active Directory (AD) Explorer 

      • D) Diagnose DNS Health with the DCdiag tool:

        •  For all DNS Servers (verbose)

          • DCdiag /Test:DNS /e /v > DNShealth.txt

        • On only a selected Domain (verbose)

          •  DCdiag /Test:DNS /e /v /S:yourdomain> DNShealth.txt

        • Read the output file from the bottom up, checking for failures

        • Also see: more advanced diagnostics

  10. Administrative checks
    • Restart services and server
    • Reboot Domain Controller
    • Check correct server date/time

Otherwise, if you are still experiencing problems, please forward your detailed logs to us at Support.