"Error enabling StartTLS encryption with server" when using LDAP authentication in Empower 3 FR5 - WKB76455
SYMPTOMS
- The following error messages appear when logging in to Empower or when testing the LDAP connection parameters:
  - Error enabling StartTLS encryption with server ldap-server
  - Connection to LDAP server 'ldap-server' on port 636 failed. Server is not willing to handle directory requests.
ENVIRONMENT
- Empower 3 Feature Release 5
- LDAP authentication
CAUSE
The LDAP connection parameters specify 636 (the LDAPS port) for the connection port. Empower 3 FR5 now implements StartTLS for secure LDAP connections: the client connects in clear text and then upgrades the same connection to TLS, so port 389 is used for both encrypted and non-encrypted connections to LDAP. A listener on port 636 expects a TLS handshake from the first byte and does not accept the StartTLS request.
FIX or WORKAROUND
Change the LDAP connection port in Empower to 389.
ADDITIONAL INFORMATION
See also: WKB59312 for the equivalent error in NuGenesis 9
In Empower 3 FR5, secure LDAP authentication requests were changed to use StartTLS. Prior versions of Empower used LDAPS for secure LDAP authentication requests. This change is documented in the Empower 3 FR5 release notes; refer to them for more information.
Empower sends a StartTLS request to the LDAP server as the first request after establishing a TCP connection on port 389. The server's acceptance of that request starts the SSL/TLS handshake over the same port. After Empower and the LDAP server agree on the TLS parameters, all further LDAP data is sent encrypted over this same connection.
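The exchange just described, as an added example that is not Waters' code and makes no assumptions about Empower internals: a standard-library-only Python client that builds the StartTLS request (an LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037, per RFC 4511), parses the server's ExtendedResponse, and only then wraps the socket in TLS. `build_extended_response` produces constructed sample answers so the parser can be exercised offline; `starttls_connect` is what you would point at a real directory host (the hostname is a placeholder you supply). It also shows why pointing this at port 636 fails: an LDAPS listener closes the connection, or answers with a TLS alert, when the first bytes are a plaintext LDAP message.

```python
"""Raw LDAP StartTLS exchange, standard library only (added example)."""
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used by the two messages in the exchange.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] primitive, inside ExtendedRequest

RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                53: "unwillingToPerform", 80: "other"}


def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _int(tag: int, value: int) -> bytes:
    # Two's-complement encoding, as BER INTEGER / ENUMERATED require.
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    This is the first thing the client sends after the TCP connect, in clear text."""
    request = _tlv(TAG_EXTENDED_REQUEST,
                   _tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return _tlv(TAG_SEQUENCE, _int(TAG_INTEGER, message_id) + request)


def build_extended_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed server answer (LDAPResult inside an ExtendedResponse). Used here
    only to exercise the parser offline; not captured from a real server."""
    result = (_int(TAG_ENUMERATED, result_code)
              + _tlv(TAG_OCTET_STRING, b"")                        # matchedDN
              + _tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))  # diagnosticMessage
    return _tlv(TAG_SEQUENCE, _int(TAG_INTEGER, message_id)
                + _tlv(TAG_EXTENDED_RESPONSE, result))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Decode the server's ExtendedResponse into message id, result code and text."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        # 0x15 / 0x16 here means the peer spoke TLS records, i.e. an LDAPS port.
        raise ValueError("not an LDAPMessage (first byte 0x%02x)" % tag)
    tag, raw_id, pos = _read_tlv(body, 0)
    tag2, ext, _ = _read_tlv(body, pos)
    if tag != TAG_INTEGER or tag2 != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(ext, 0)
    _, _matched_dn, pos = _read_tlv(ext, pos)
    _, diagnostic, pos = _read_tlv(ext, pos)
    result_code = int.from_bytes(code, "big", signed=True)
    return {
        "message_id": int.from_bytes(raw_id, "big", signed=True),
        "result_code": result_code,
        "result_name": RESULT_NAMES.get(result_code, "unknown"),
        "diagnostic": diagnostic.decode("utf-8", "replace"),
    }


def starttls_connect(host: str, port: int = 389, timeout: float = 5.0, context=None):
    """TCP connect, send StartTLS, check the answer, then upgrade the same socket."""
    ctx = context or ssl.create_default_context()  # verifies the server certificate
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(build_starttls_request(1))
        answer = sock.recv(4096)  # a StartTLS response fits in one read
        if not answer:
            # An LDAPS listener (port 636) expects a TLS ClientHello first and
            # usually just closes the socket when it receives plaintext LDAP.
            raise ConnectionError(f"{host}:{port} closed the connection before answering; "
                                  "is this an LDAPS port rather than a StartTLS port?")
        info = parse_extended_response(answer)
        if info["result_code"] != 0:
            raise ConnectionError(f"StartTLS refused: {info['result_name']} "
                                  f"({info['result_code']}) {info['diagnostic']}")
        return ctx.wrap_socket(sock, server_hostname=host)  # TLS handshake on port 389
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    print("StartTLS request:", build_starttls_request(1).hex())
    for sample in (build_extended_response(1, 0),
                   build_extended_response(1, 53, "constructed: TLS not available")):
        print(parse_extended_response(sample))
    # Against a real directory: starttls_connect("ldap-server.example", 389)
```

Run as-is to see the request bytes and the two constructed answers decoded; only the final commented call touches the network. The same 31-byte request is what you will see as the first LDAP message on port 389 in a capture of a healthy FR5 login, which makes a packet trace a quick way to confirm the client is configured for 389 rather than 636.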