Skip to main content
NetApp Knowledge Base

Operations using Secure LDAP fail, due to (enforced) ChannelBinding

Views:
664
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
cifs
Last Updated:

Applies to

  • ONTAP 9
  • Microsoft LDAP server
  • Secure LDAP
  • LDAPS
  • Start-TLS

Issue

  • Operations which require an LDAP connection between ONTAP and the MS LDAP Server (e.g. change the acl of a file, AD site discovery) fail.
  • In the EMS and SECD logs 'Invalid credentials' events are being reported, which seem to be related to the failure when initiating the secure LDAP connection.

Event in EMS

secd: secd.conn.auth.failure:notice]: Vserver (<vserver>) could not authenticate over the network to server (). Error: Invalid credentials (Service: LDAP (Active Directory), Operation: SiteDiscovery).
 
 
Depending on whether LDAPS or START-TLS is used, it will manifest itself in the SECD logs slightly different.
 
 
Event in SECD if LDAPS is used (notice how this uses port 636) [Use LDAPS for AD LDAP connection]
 
00000013.007e944b 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Failure Summary:
00000013.007e944c 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Error: User authentication procedure failed
00000013.007e944d 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] CIFS SMB2 Share mapping - Client Ip = 1.2.3.4
00000013.007e944e 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] ...
00000013.007e944f 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 9988] Successfully connected to ip 1.2.3.51, port 636 using TCP
00000013.007e9450 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to start LDAPS: Invalid credentials
00000013.007e9451 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Additional info: 80090346: LdapErr: DSID-0C090588, comment: AcceptSecurityContext error, data 80090346, v2580
00000013.007e9452 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to connect to LDAP (Active Directory) service on <server.domain> (Error: Invalid credentials)
up.
 
Event in SECD if START-TLS is used [Use start_tls for AD LDAP connection]
 
00000013.007e944b 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Failure Summary:
00000013.007e944c 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] Error: User authentication procedure failed
00000013.007e944d 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] CIFS SMB2 Share mapping - Client Ip = 1.2.3.4
00000013.007e944e 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] ...
00000013.007e944f 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 9988] Successfully connected to ip 1.2.3.51, port 389 using TCP
00000013.007e9450 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to start LDAPS: Invalid credentials
00000013.007e9452 0fc9a7d2 Mon Nov 02 2020 06:14:14 +01:00 [kern_secd:info:8211] [ 10202] Unable to connect to LDAP (Active Directory) service on <server.domain> (Error: Invalid credentials)

 

CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support