VMware Workspace ONE Community
jeremym
Enthusiast

Workspace cannot bind to AD (exact errors and what I did so far inside)

My error when running the web-based wizard is: "Error saving directory configuration. Error occurred while retrieving the user with provided bindDN.Could not retrieve username for the bind DN user."

I've read others' threads before posting.

Here's what I have done:

1. I'm using built-in AD Administrator account.

2. The account's DN is: CN=Administrator,CN=Users,DC=fabrikam,DC=com

3. The account has:

     a. Firstname

     b. Lastname and

     c. Email (see screenshot) ... (this was other people's problem in some threads. I've ensured my named account has these attributes.)

4. My DC is also a GC.

Things I have tried, some of which you cannot see in the screenshot: http://screencast.com/t/yRMqbOynDu

0. From the DC, I can ping connector-va.fabrikam.com no problem.

1. I've tried changing the port FROM 389 to 3268. That didn't work.

2. I've tried changing the Search Attribute from sAMAccountName to UserPrincipal. That didn't work.

(So I tried all combos of 389/3268 and Samaccountname / UserPrincipal -- that's four different things, actually.. all tried.)

3. I've tried a different named account (other than administrator). That didn't work.

4. I've tried a different named account in a different OU / DN. That didn't work.

Poking around before posting I also went to the connector's log files and see the exact error: http://screencast.com/t/nr8rifG0GV

(To interpret the error I went here: http://www-01.ibm.com/support/docview.wss?uid=swg21290631 )

which says that my error is "52e - invalid credentials".

I can attest they're not invalid credentials.

I'm stuck.

Open to suggestions. Thanks in advance.

sravuri
VMware Employee

Please check your BaseDN. The BindDN user should be in the sub-tree under BaseDN. I am not sure if that is true in your case. Your BaseDN points to Sales OU. But, your BindDN user seems to be in Users OU.

For an initial test, can you change the BaseDN to be DC=fabrikam, DC=com? Then, go back to samAccountName.

jeremym
Enthusiast

For the love of all that is holy. That worked!!

To be honest: That makes zero sense to me.

I've used cross-LDAP lookups which don't care about this.

For future astronauts reading this, here is what I did exactly:

1. I have ONE DC in my test lab, it's a GC. So it's listening on port 3268 (MS's GC port.)

2. Search attribute was set to userPrincipalName

3. Base DN is OU=Sales,DC=fabrikam,DC=com

4. Bind DN is a user inside sales, so.. CN=workspace admin,OU=sales,DC=fabrikam,DC=com (all lower case seemed to work; mix of upper / lower did not). NO quotes around it.

5. That user has First, Last, and email fields put in.

And, 3 hours later and a very helpful answer from sravuri, it worked!

Thanks again, sravuri!

EDIT:

I went back and changed UserPrincipalName (old way) to SamAccountName, and this is better, since this is already populated in all my accounts.

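The subtree rule sravuri describes (the bind DN must sit under the base DN) is easy to check before re-running the wizard. Below is an added example, not part of the thread or of the Workspace ONE product: it parses the DNs quoted above into RDNs, compares them case-insensitively (the way LDAP DN matching normally works, whatever the wizard itself accepts), and reports whether the original failing pair and the final working pair satisfy the rule. The DN values are the ones posted in this thread; the function names are my own.

```python
import re

# DN pairs taken from the thread: the combination that failed with "52e - invalid
# credentials" and the combination jeremym reported as working.
FAILING_PAIR = ("OU=Sales,DC=fabrikam,DC=com",
                "CN=Administrator,CN=Users,DC=fabrikam,DC=com")
WORKING_PAIR = ("OU=Sales,DC=fabrikam,DC=com",
                "CN=workspace admin,OU=sales,DC=fabrikam,DC=com")


def parse_dn(dn):
    """Split a DN into a list of (type, value) RDNs, most specific first.

    Handles backslash-escaped commas inside values; multi-valued RDNs ('+')
    are not needed for the DNs in this thread and are not handled.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        if not part.strip():
            continue
        attr_type, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        value = value.strip().lower().replace('\\,', ',')
        rdns.append((attr_type.strip().lower(), value))
    return rdns


def is_under_base(bind_dn, base_dn):
    """True if bind_dn equals base_dn or lies anywhere in its subtree.

    The comparison normalises case and surrounding whitespace so that
    'OU=Sales' and 'OU=sales' are treated as the same container.
    """
    bind = parse_dn(bind_dn)
    base = parse_dn(base_dn)
    if len(base) > len(bind):
        return False
    return bind[len(bind) - len(base):] == base


def diagnose(base_dn, bind_dn):
    """Return a short verdict on whether the base DN / bind DN pair can work."""
    if is_under_base(bind_dn, base_dn):
        return "ok: bind DN is inside the base DN subtree"
    return ("bind DN is outside the base DN subtree; widen the base DN "
            "(e.g. to DC=fabrikam,DC=com) or use a bind account under it")


if __name__ == "__main__":
    for base, bind in (FAILING_PAIR, WORKING_PAIR):
        print(f"{bind!r} under {base!r}: {diagnose(base, bind)}")
```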