Waters

"Error enabling StartTLS encryption with server" when using LDAP authentication in Empower 3 FR5 - WKB76455

Article number: 76455

SYMPTOMS

  • The following error messages appear when logging in to or testing the LDAP connection parameters in Empower:
    • Error enabling StartTLS encryption with server ldap-server
    • Connection to LDAP server 'ldap-server' on port 636 failed.
      Server is not willing to handle directory requests.

ENVIRONMENT

  • Empower 3 Feature Release 5
  • LDAP authentication

CAUSE

The LDAP connection parameters specify port 636, the conventional LDAPS port. Empower 3 FR5 now implements StartTLS for secure LDAP connections. With StartTLS, port 389 is used for both encrypted and non-encrypted connections to LDAP.

FIX or WORKAROUND

Change the LDAP connection port in Empower to 389.

ADDITIONAL INFORMATION

See also: WKB59312 for the equivalent error in NuGenesis 9

In Empower 3 FR5, secure LDAP authentication requests were altered to use StartTLS. Prior versions of Empower leveraged LDAPS for secure LDAP authentication requests. This change is documented in the Empower 3 FR5 release notes; refer to them for more information.

Empower sends a "starttls" command to the LDAP server as the first request after establishing a TCP connection with the server. This command starts the SSL/TLS handshaking protocol over port 389. After Empower and the LDAP server agree on the TLS parameters, the LDAP data is sent encrypted over this same port.

 
