Waters

Slow performance or NG14837 errors occur when logging in to NuGenesis SDMS with LDAP accounts - WKB64200

Article number: 64200

SYMPTOMS

  • Delays of roughly 20 seconds are seen when users log in to NuGenesis SDMS client applications, such as WebVision or UNIFY, with LDAP credentials

ENVIRONMENT

  • NuGenesis 9 SDMS
  • NuGenesis 8 SDMS
  • Microsoft Active Directory
  • The Base DN setting in the SDMS LDAP configuration is the root of the directory; for example, DC=domain,DC=com

CAUSE

The LDAP server includes three or more referrals in the search results for all queries against the root directory object. When SDMS follows these referrals, DNS returns an IP address for a server that is one of the following:

  • Not an Active Directory server (not listening on ports 389/636)
  • An AD server behind a firewall and not accessible to the NuGenesis servers
  • An AD server configured to disallow the connection type selected in the SDMS configuration

FIX or WORKAROUND

  1. If possible, set the base DN in the SDMS configuration to one level down from the root directory object; for example, ou=Users,dc=domain,dc=com rather than dc=domain,dc=com. Active Directory does not include the referrals in the search results when the query begins below the root object.
    • This workaround may not be possible given the existing user structure in your AD server. For example, if the first level is OU=SiteName and users from all sites are expected to use SDMS, this workaround is not practical.
  2. Use the Global Catalog port (3268 for cleartext or startTLS connections, or 3269 for LDAP over SSL connections) instead of the standard LDAP ports. The Global Catalog does not include referrals in its query results.
  3. Modify the hosts file on the NuGenesis web server so that it has entries for ForestDnsZones.yourdomain.com, DomainDnsZones.yourdomain.com, and yourdomain.com that point to a valid and accessible LDAP server.
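
To confirm which referral targets are the problem, or to verify the hosts-file entries from workaround 3, the following PowerShell script can be run on the NuGenesis web server. It is an added example, not Waters or NuGenesis code. It resolves the three referral names listed above and tests TCP reachability on the LDAP and Global Catalog ports. The domain is the article's placeholder, and the function name Test-TcpPort and the 3-second timeout are assumptions. It does not test whether a reachable server accepts the connection type configured in SDMS.

```powershell
# Added diagnostic example; not part of the NuGenesis product.
param(
    [string]$Domain    = 'yourdomain.com',          # placeholder from the article
    [int[]] $Ports     = @(389, 636, 3268, 3269),   # LDAP, LDAPS, GC, GC over SSL
    [int]   $TimeoutMs = 3000                       # assumed per-port timeout
)

# Host names the article lists as referral targets for root-level searches.
$referralHosts = @("ForestDnsZones.$Domain", "DomainDnsZones.$Domain", $Domain)

# Hypothetical helper: TCP connect with a short timeout instead of the OS default.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Address, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false          # refused or unreachable
    } finally {
        $client.Close()
    }
}

$results = foreach ($name in $referralHosts) {
    try {
        # Resolve-DnsName also consults the hosts file unless -NoHostsFile is
        # given, so entries added for workaround 3 show up here.
        $addresses = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    } catch {
        [pscustomobject]@{ Name = $name; Address = '(no A record)'; Port = $null; Reachable = $false }
        continue
    }
    foreach ($ip in $addresses) {
        foreach ($port in $Ports) {
            [pscustomobject]@{
                Name      = $name
                Address   = $ip
                Port      = $port
                Reachable = Test-TcpPort -Address $ip -Port $port -TimeoutMs $TimeoutMs
            }
        }
    }
}

# Any address with Reachable = False on the port SDMS uses can stall the login.
$results | Format-Table -AutoSize
```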

ADDITIONAL INFORMATION

NG14837 "Invalid username/password" messages may appear if the server contacted through the LDAP continuation reference requires SSL/TLS security while the main server uses unencrypted LDAP. The server reached through the reference returns the message "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection". This message results in the NG14837 error in SDMS.
