01-27-2009 08:50 AM - edited 03-10-2019 04:18 PM
I have set up an AAA connection from my ASA5505 to my MS-AD domain controller for VPNs (SSL and client). It was working; however, last week the connection between the two failed and I cannot get it back up again.
I've checked passwords, usernames, object locations, etc., but to no avail. When I do an auth test, this is the debug ldap 225 output:
[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End
I have tried the age-old "remove and re-add" fix, but this has not worked.
Any thoughts?
01-28-2009 06:23 AM
Have you checked that the user account used for binding to the LDAP server (AD) has not changed its privileges? I remember that after applying a patch to an AD server, most of the admin accounts were changed to local admin rather than domain admin accounts.
Also, try resetting the password for this account and check that you have the login-dn correct; get the "dsquery user -name
01-28-2009 08:50 AM
I will check. However, the account was never a domain admin in the first place...
01-28-2009 09:52 AM
Regardless, make sure that the privilege to read the domain is enabled; if not, then enable it.
02-03-2009 08:14 AM
It's working after the password reset: I suspect it had expired...
Thanks for the help.
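The debug above shows only "code (49) Invalid credentials", and the thread resolved it as an expired password. Active Directory actually says which of those it is: a failed bind carries a diagnosticMessage such as "AcceptSecurityContext error, data 532" (532 = password expired, 52e = wrong password, 773 = must change password, 775 = locked out), and the ASA debug drops that detail. The following is an added example, not from the thread or from Cisco. It hand-builds the same LDAPv3 simple bind the ASA's "Binding as administrator" step sends on port 389, using only the Python standard library, and decodes the AD sub-code from the response so you can test the bind account from any host without the ASA. The host w.x.y.z, the DN cn=FirewallTest,cn=Users,dc=example,dc=com and the sample diagnostic strings are constructed placeholders; the sub-code table is Microsoft's documented list of AcceptSecurityContext data values.

```python
"""Hand-built LDAPv3 simple bind, stdlib only (added example, not Cisco's code)."""
import socket

# Well-known AD sub-codes found in the diagnosticMessage of a failed bind.
AD_BIND_SUBCODES = {"525": "user not found", "52e": "invalid credentials (wrong password)",
                    "530": "logon not permitted at this time",
                    "531": "logon not permitted at this workstation",
                    "532": "password expired", "533": "account disabled",
                    "701": "account expired", "773": "user must reset password",
                    "775": "account locked out"}

def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by that many bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def build_simple_bind(bind_dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a bare OCTET STRING: on ldap://host:389 it crosses the wire in
    cleartext, which is the reason to prefer ldaps:// (636) for the ASA's bind."""
    assert 0 < msg_id < 0x80  # single-byte INTEGER keeps this example short
    bind_request = (tlv(0x02, b"\x03")              # version 3
                    + tlv(0x04, bind_dn.encode())    # name: the ASA's login-dn
                    + tlv(0x80, password.encode()))  # [0] simple authentication
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind_request))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def classify(result_code: int, diagnostic: str) -> str:
    """Map a bind result to a cause; for 49 use AD's 'data NNN' sub-code."""
    if result_code == 0:
        return "bind succeeded"
    if result_code != 49:
        return f"LDAP resultCode {result_code}"
    idx = diagnostic.find("data ")  # "... AcceptSecurityContext error, data 532, v1db1"
    if idx == -1:
        return "invalid credentials (no AD sub-code present)"
    sub = diagnostic[idx + 5:].split(",")[0].strip().lower()
    return AD_BIND_SUBCODES.get(sub, f"invalid credentials (AD data {sub})")

def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diag } }."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(resp)
    _, matched, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    code_int, diag_str = int.from_bytes(code, "big"), diag.decode(errors="replace")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": code_int,
            "matched_dn": matched.decode(errors="replace"), "diagnostic": diag_str,
            "cause": classify(code_int, diag_str)}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        data += chunk
    return data

def simple_bind(host: str, bind_dn: str, password: str, port: int = 389) -> dict:
    """Send one BindRequest, read one LDAPMessage back and decode it.
    Usage (placeholders): simple_bind("w.x.y.z", "cn=FirewallTest,cn=Users,dc=example,dc=com", pw)"""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_simple_bind(bind_dn, password))
        head = _recv_exact(sock, 2)
        extra, length = b"", head[1]
        if length >= 0x80:  # long-form length: fetch the length bytes first
            extra = _recv_exact(sock, length & 0x7F)
            length = int.from_bytes(extra, "big")
        return parse_bind_response(head + extra + _recv_exact(sock, length))
```

Run simple_bind() with the ASA's exact login-dn and the bind password; a "password expired" or "user must reset password" cause points at the account, a "user not found" at the DN. Two caveats: the ASA URI in the debug is ldap://w.x.y.z:389, so this bind password (and every VPN user's password the ASA forwards) is sent in cleartext, which is the reason to move the server entry to ldaps:// once the bind works; and since the "Connect to LDAP server ... status = Successful" line shows the TCP session came up, the trailing "(-1) Can't contact LDAP server" is the ASA's overall failure status after the 49, not a separate network problem.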