Reputation: 11
I have some problems.
Listed Error:
LDAP error code 8
Server log:
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]
Problem action(?):
The client sends a login request to the server, and the server sends a request to LDAP. Some people can log in successfully, but for some other people the login fails:
LDAP response error code 8
Server log shows:
[javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]]
But I am using LDAP, not LDAPS.
KRDOM01 : HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ NTDS \ Parameters \ LDAPServerIntegrity = 1
But my setting is already LDAPServerIntegrity = 1.
My code:
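```java
import java.util.Hashtable;
import javax.naming.Context;

// host, port, principal and pwd are defined elsewhere in the application.
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// Plain ldap:// URL: the simple bind below is sent without TLS.
env.put(Context.PROVIDER_URL, "ldap://"+host+":"+port);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, pwd);
```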
Why can some people log in OK, but some people fail?
Upvotes: 0
Views: 9998
Reputation: 11026
These errors indicate your LDAP server is set to Require Signing.
If you connect using SSL, then the data signing is not required.
If you were able to make a successful bind, then I would "guess" the server you first connected to does NOT have signing enabled and you are being referred to a Domain Controller that has signing enabled.
Upvotes: 0
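As an added example (not code from the question or the answer), this is one way to make the same JNDI simple bind over LDAPS, so that TLS is active before the bind and the signing requirement behind error code 8 does not apply. The class name, method name, host and principal are hypothetical, and it assumes the JVM trust store already trusts the domain controller's certificate.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example: class and method names are hypothetical, not from the post.
public class LdapsBindExample {
    /** Simple bind over LDAPS; true if the domain controller accepts the credentials. */
    static boolean bind(String host, int port, String principal, char[] pwd)
            throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which the server may accept; never treat that as a successful login.
        if (pwd == null || pwd.length == 0) return false;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldaps:// negotiates TLS before the bind is sent, so the password is
        // not sent in clear text and the integrity requirement is satisfied.
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, pwd);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            return true;
        } catch (AuthenticationNotSupportedException e) {
            // LDAP error code 8: name the host so the rejecting DC can be found.
            NamingException ne = new AuthenticationNotSupportedException(
                    host + " refused the bind method: " + e.getMessage());
            ne.setRootCause(e);
            throw ne;
        } catch (AuthenticationException e) {
            return false; // LDAP error code 49: wrong user name or password
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values; 636 is the standard LDAPS port.
        java.io.Console con = System.console(); // null when not run from a terminal
        char[] pwd = con == null ? new char[0] : con.readPassword("Password: ");
        System.out.println(bind("dc01.example.com", 636, "user@example.com", pwd));
    }
}
```

Because the wrapped exception names the host, running the bind against each domain controller by its own host name shows which ones reject a given connection type.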