Problem: EMM AD integration fails and you have already verified the instructions here.
- C:\Kaseya\Logs\Services\directory-webservice.log has following entry:
ERROR [2015-03-09 22:56:52,649] com.kaseya.directory.web.exception.mapper.InvalidCredentialsExceptionMapper: Received invalid credentials
! com.unboundid.ldap.sdk.LDAPException: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
! at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2178) ~[kaseya-directory-integration.jar:na]
! at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2095) ~[kaseya-directory-integration.jar:na]
! at com.kaseya.directory.core.connection.ConnectionTarget.<init>(ConnectionTarget.java:62) ~[kaseya-directory-integration.jar:na]
! ... 55 common frames omitted
! Causing: com.kaseya.directory.core.exceptions.InvalidCredentialsException: Invalid bind credentials received.
Cause: The login detail you are using in Kaseya's Mobility has an unsupported LDAP user format i.e domain/username or just username (without domain part) or the domain part you have specified is not being accepted. Notice the "data 52e" part in the error message, this simply means its the credential issue. So this error message could also mean the credential you have provided is incorrect
Solution:
1. Please make sure you are using the correct format of domain part. You can do a simple test in ldp.exe where you can bind using your format and verify what format ldp.exe changes it to. The resulting format is the format you will need to use.
For example in below screenshot, two attempts of connection with bind credential ktest.local\xxx and ktest-ad.ktest.local\xxx were made.Although both are correct it does not necessarily mean ldap will accept those formats. Therefore ldp.exe changes it automatically to appropriate format and in this case KTEST\Administrator. This is the format and domain part you will need to use in Kaseya EMM:
2. You can also test with the Apache Directory Studio test: https://kaseya.zendesk.com/entries/90977547
If your format is incorrect or if the credential is incorrect you will receive an error message like this "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
In order to find out what is wrong, you will need to however use ldp.exe
Here are some more error codes you may see in the data xxx part
525:user not found
52e:invalid credentials
530:not permitted to logon at this time
531:not permitted to logon at this workstation
532:password expired (remember to check the user set in osuser.xml also)
533:account disabled
534:The user has not been granted the requested logon type at this machine
701:account expired
773:user must reset password
775:user account locked
Applies to: VSA 9.0 - 9.4.