Resolve a Bind Error in Active Directory Authentication

If you have problems with user authentication through your Active Directory server and find the message LDAP binding not successful in your log messages, there is likely either an error in your Active Directory server settings, or an error in the Active Directory user account information.

Policy Manager Active Directory Authentication Server Settings

When a user authenticates, Fireware sends two Bind requests to the Active Directory server: one at the start of the authentication process and one at the end. The first Bind establishes permission to access the directory service. The second Bind verifies the user credentials in the directory. If the first Bind fails, the second Bind does not occur.

If you add credentials in the DN of Searching User and Password of Searching User text boxes, Fireware uses these credentials for the first Bind to establish permission to access the directory service. These text boxes are optional.

If these text boxes are empty, Fireware sends the first Bind request with the user principal name (UPN) form of the user name, which is usually the same as the user's email address. To construct the user's UPN, Fireware puts these values together in one string:

  • The username used to authenticate
  • The @ sign
  • The values of all DC= components of the Search Base that you configured in the Active Directory Primary Server Settings, joined with dots to form the domain name

For example, if the Search Base is OU=salespeople,OU=corp,OU=seattle,DC=seattle,DC=mywatchguard,DC=com and the user tries to authenticate with the username bsmith, Fireware attempts the first Bind with the username bsmith@seattle.mywatchguard.com.

If the Searching User text boxes contain values, Fireware uses them for the first Bind. For the Bind to be successful, the full and correct Distinguished Name (DN) or UPN of the Searching User must appear in the DN of Searching User text box. If the value is incomplete or incorrect, the Bind request fails and you see the LDAP binding not successful message in your log files.

If you receive this error, look at your Active Directory server settings and make sure you have configured the Search Base and DN of Searching User text boxes correctly.

If the Searching User text boxes are empty:

  • Did the user type the correct credentials in the authentication text boxes?
  • Are the domain components of the Search Base correct?
  • Does the user account have Read access to the directory service?
    Read access is the default user setting.

If the Searching User text boxes contain values:

  • Is the value in the DN of Searching User text box a full Distinguished Name rather than just a user name?
    Is the Distinguished Name value correct?
  • Is the value in the Password of Searching User text box correct?
  • Does the user account have Read access to the directory service?
    Read access is the default user setting.
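The UPN construction described above and the checklist question about whether the DN of Searching User value is a full DN, as an added Python helper; this is not Fireware code or part of WatchGuard's documentation. The DN splitter is a minimal one written here (it splits on unescaped commas and does not handle multi-valued RDNs), and the function names are assumptions.

```python
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
# Assumed minimal parser: single-valued RDNs only, written for this example.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return [(attribute_type_lowercase, value), ...] for a DN string."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return rdns


def domain_from_search_base(search_base):
    """Join the DC= components of the Search Base into a dotted domain name."""
    dcs = [v for a, v in parse_dn(search_base) if a == 'dc']
    if not dcs:
        raise ValueError("Search Base has no DC= components; no UPN can be built")
    return '.'.join(dcs)


def build_upn(username, search_base):
    """UPN sent for the first Bind when the Searching User text boxes are empty."""
    return f"{username}@{domain_from_search_base(search_base)}"


def searching_user_form(value):
    """Classify a DN of Searching User value as 'dn', 'upn' or 'bare'.

    Only 'dn' and 'upn' can succeed in the first Bind; a bare user name is
    the misconfiguration the checklist above asks about.
    """
    value = value.strip()
    try:
        rdns = parse_dn(value)
    except ValueError:
        rdns = []
    if rdns and any(a == 'dc' for a, _ in rdns):
        return 'dn'
    if re.fullmatch(r'[^@\s=,]+@[^@\s=,]+\.[^@\s=,]+', value):
        return 'upn'
    return 'bare'
```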

For more information and specific steps to configure settings for your Active Directory server, see Configure Active Directory Authentication.

Active Directory User Account Settings

When you define user account settings in Active Directory, you can specify the computers (by computer name) that a user can log on to. By default, there are no such restrictions on a user account. If you set this limitation, LDAP Bind requests for the user account do not succeed, even from a listed computer, and you receive the LDAP binding not successful message.

To resolve this issue, add the NetBIOS name of the Active Directory server to the list of computers the user account can log on to.

This does not give the user permission to log on locally on the Domain Controller. Normal users are not allowed to log on locally to a domain controller.