NS8 Mail AD Auth failing

I decided to bypass some of the speculation and installed Wireshark on the DC and captured the LDAP traffic both when I perform a normal domain users and groups display on NS8 (successful) and when I retrieve user mailboxes on NS8 (fails). Here is a snippet of messages for the failing situation:

No.     Time           Source                Destination           Protocol Length Info
    126 32.371949      192.168.1.38          192.168.1.2           LDAP     80     bindRequest(6) "<ROOT>" simple 
    127 32.372112      192.168.1.2           192.168.1.38          LDAP     88     bindResponse(6) success 
    129 32.372418      192.168.1.38          192.168.1.2           LDAP     286    searchRequest(5) "DC=DomainDnsZones,DC=burnsville,DC=local" wholeSubtree 
    130 32.372482      192.168.1.38          192.168.1.2           LDAP     286    searchRequest(3) "DC=ForestDnsZones,DC=burnsville,DC=local" wholeSubtree 
    131 32.372503      192.168.1.2           192.168.1.38          LDAP     240    searchResDone(5) operationsError (000004DC: LdapErr: DSID-0C09091F, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)  [0 results]
    132 32.372605      192.168.1.2           192.168.1.38          LDAP     240    searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C09091F, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)  [0 results]

I’m not sure where the missing bind is, but that seems to be why nothing is being returned.

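As an added example (not code from the original post), a small Python script that parses Wireshark summary lines in the layout above and pairs each failed searchResDone with the bind state of the client/DC conversation, so the "no successful bind" error can be traced to the bind that actually preceded it. It assumes the summary view carries no TCP ports, so traffic between one client and one DC is treated as a single conversation; the sample capture is reconstructed from the rows quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Wireshark summary quoted above
# (header rows dropped); the values are the ones shown in the post.
CAPTURE = """\
126 32.371949 192.168.1.38 192.168.1.2 LDAP 80 bindRequest(6) "<ROOT>" simple
127 32.372112 192.168.1.2 192.168.1.38 LDAP 88 bindResponse(6) success
129 32.372418 192.168.1.38 192.168.1.2 LDAP 286 searchRequest(5) "DC=DomainDnsZones,DC=burnsville,DC=local" wholeSubtree
130 32.372482 192.168.1.38 192.168.1.2 LDAP 286 searchRequest(3) "DC=ForestDnsZones,DC=burnsville,DC=local" wholeSubtree
131 32.372503 192.168.1.2 192.168.1.38 LDAP 240 searchResDone(5) operationsError (000004DC: LdapErr: DSID-0C09091F, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)  [0 results]
132 32.372605 192.168.1.2 192.168.1.38 LDAP 240 searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C09091F, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)  [0 results]
"""

LINE_RE = re.compile(
    r'^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+LDAP\s+\d+\s+'
    r'(?P<op>\w+)\((?P<mid>\d+)\)\s*(?P<rest>.*)$')

def parse(text):
    """Turn summary lines into dicts; non-LDAP or unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def analyze(text):
    """Correlate binds and searches per client->server IP pair (no ports: assumption)."""
    state = defaultdict(lambda: {"bind_dn": None, "mechanism": None, "bound": False})
    pending = {}          # (client, server, message id) -> search base DN
    findings = []
    for r in parse(text):
        op, mid = r["op"], int(r["mid"])
        if op == "bindRequest":
            dn, _, mech = r["rest"].partition(" ")
            state[(r["src"], r["dst"])].update(
                bind_dn=dn.strip('"'), mechanism=mech.strip(), bound=False)
        elif op == "bindResponse":
            state[(r["dst"], r["src"])]["bound"] = r["rest"].startswith("success")
        elif op == "searchRequest":
            base = r["rest"].split('"')[1] if '"' in r["rest"] else r["rest"]
            pending[(r["src"], r["dst"], mid)] = base
        elif op == "searchResDone" and not r["rest"].startswith("success"):
            key = (r["dst"], r["src"])
            conv = state[key]
            # An empty-DN ("<ROOT>") simple bind is an anonymous bind: AD answers
            # "success" but, by default, rejects naming-context searches on it.
            anonymous = conv["bind_dn"] == "<ROOT>" and conv["mechanism"] == "simple"
            findings.append({
                "message_id": mid,
                "base": pending.pop(key + (mid,), None),
                "result": r["rest"].split(" ")[0],
                "bound": conv["bound"],
                "anonymous_bind": anonymous,
            })
    return findings
```

Run against this capture it reports two failed searches on a conversation whose only bind was an anonymous simple bind that the DC reported as "success".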

I found some threads where changing the port in the LDAP connection from 389 to 636 TLS or 3268/3269 TLS helped, for example: In order to perform this operation a successful bind must be completed on the connection · Issue #108 · flamencist/ldap4net · GitHub

Ladies and Gentlemen, we have a WINNER!

I changed the port from 389 to 3268, TLS OFF and TLS Verify OFF, and it now works! I may finally be ready to really migrate from NS7 to NS8.


From Microsoft’s website regarding Ports:
[MS-ADTS]: Ports | Microsoft Learn

An AD DS DC accepts LDAP connections on the standard LDAP and LDAPS (LDAP over SSL/TLS) ports: 389 and 636. If the AD DS DC is a GC server, it also accepts LDAP connections for GC access on port 3268 and LDAPS connections for GC access on port 3269.

An AD LDS DC accepts LDAP and LDAPS connections on ports that are configured when creating the DC.