Problem: Onboarding customers in EMM fails because of an Active Directory integration issue.
The Kaseya Directory Integration Service log, located at C:\Kaseya\Logs\Services\directory-webservice.log on the Kaseya Server, will contain an entry like the one shown below:
ERROR [2015-02-24 03:21:06,647] com.kaseya.directory.core.exceptions.LdapBindFailureException: Bind failed to the LDAP server.
! java.io.IOException: An error occurred while attempting to establish a connection to server /10.20.52.156:389: java.net.ConnectException: Connection timed out: connect
! at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:158) ~[kaseya-directory-integration.jar:na]
! at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:859) ~[kaseya-directory-integration.jar:na]
! ... 61 common frames omitted
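Cause: Enterprise Mobility Management requires that the Active Directory server be open to an inbound read-only connection (secure LDAP port recommended) from a single whitelisted IP address. The AD server is never opened to the entire internet. The "Connection timed out" in the log entry above shows that the Kaseya Server could not open a connection to the AD server on the configured port.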
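The log entry above can be triaged with a short script. This Python sketch is an added example, not Kaseya code: it parses directory-webservice.log entries in the format shown in this article and reports whether a bind failure was really a network failure, and whether the default LDAP port 389 was the target. The function name, the result field names and the rule for entries without a java.net cause are assumptions.

```python
import re

# Log excerpt taken from this article (stack frames trimmed to one).
SAMPLE_LOG = """\
ERROR [2015-02-24 03:21:06,647] com.kaseya.directory.core.exceptions.LdapBindFailureException: Bind failed to the LDAP server.
! java.io.IOException: An error occurred while attempting to establish a connection to server /10.20.52.156:389: java.net.ConnectException: Connection timed out: connect
! at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:859) ~[kaseya-directory-integration.jar:na]
! ... 61 common frames omitted
"""

ENTRY = re.compile(r"^(?P<level>[A-Z]+)\s+\[(?P<ts>[^\]]+)\]\s+(?P<exc>[\w.$]+):")
TARGET = re.compile(r"connection to server \S*/(?P<ip>[\d.]+):(?P<port>\d+)")
NET_CAUSE = re.compile(r"java\.net\.(?P<cls>\w+): (?P<detail>.+)$")


def triage(log_text):
    """Return one finding per LdapBindFailureException entry in the log."""
    findings, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # a new log record starts; only bind failures are tracked
            current = None
            if entry["exc"].endswith("LdapBindFailureException"):
                # Assumption: with no java.net cause logged, the TCP connect
                # succeeded and the failure belongs to the bind test (Step 3).
                current = {"time": entry["ts"], "ip": None, "port": None,
                           "cause": None, "check": "Step 3: bind credential"}
                findings.append(current)
            continue
        if current is None or line.startswith("! at "):
            continue  # outside a tracked record, or a stack frame
        target = TARGET.search(line)
        if target:
            current["ip"], current["port"] = target["ip"], int(target["port"])
        cause = NET_CAUSE.search(line)
        if cause:  # the socket never opened, so the credential was never tried
            current["cause"] = f'{cause["cls"]}: {cause["detail"]}'
            current["check"] = "Step 2: network path and firewall whitelist"
    for f in findings:
        # 389 is the default, unencrypted LDAP port; the article recommends
        # the secure LDAP port (636 by convention) for this inbound rule.
        f["default_ldap_port"] = f["port"] == 389
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the entry in this article the result points at Step 2 (connection) rather than the credential, and flags that the connection was attempted on port 389.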
Resolution:
1. Please make sure the basic requirements have been checked:
- https://help.kaseya.com/WebHelp/EN/Mobility/9040000/index.asp#30974.htm
- https://helpdesk.kaseya.com/hc/en-gb/articles/229041108-EMM-Basic-Requirements
Ensure that Active Directory has been configured as described in our help file.
Note: You need to create three active directory security groups. You will also add your AD users to these groups.
2. If you are reading this article, you have most likely configured everything as described in the help file above. Please note down all of the information listed below. It is required to connect to any instance of Active Directory you intend to associate with an organization within Enterprise Mobility Management.
- The domain name or IP address of the Active Directory server.
- The LDAP port used by Active Directory.
- The default LDAP port is 389.
- The base DN (distinguished name) to search for. Example: OU=Kaseya EMM Groups, DC=company, DC=com
- The credential to use to authenticate read access to this distinguished name. A dedicated credential is recommended.
3. You have used the details above, but the connection still does not work and shows the error below:
Here are the steps you need to take:
Step 1: Please log in to your Kaseya Server, open a command prompt and run ldp.exe.
To install LDP.EXE on Windows Server 2008, open the Server Manager and, under Roles, install Active Directory Lightweight Directory Services. Please check Microsoft TechNet for more details.
It is recommended to run this test using Apache Directory Studio as well.
Step 2: Please choose Connection > Connect and provide the details of your AD server. If the connection does not work, there is a connection issue that you will need to troubleshoot.
Step 3: Once connected, please choose to bind (Ctrl+B, or Connection > Bind). Please use the AD credential you noted in point 2. This bind should work and authenticate. If it does not, please verify the credential and user details on the AD side.
Step 4: Once connected and authenticated, please search the directory by choosing the search option: Browse > Search, or alternatively Ctrl+S.
Please search for the distinguished name noted in point 2:
OU=Kaseya EMM Groups,DC=company,DC=com
Your result should show the three security groups you created. If this gives you an error, the base DN you are specifying is incorrect; please check your AD to verify the distinguished name.
Step 5: If this all passes, then the details you have should work with AD integration in EMM.
If this does not fix the issue, please create a ticket with Kaseya Support via this link. Please add screenshots showing the result of each test above, as well as the log C:\Kaseya\Logs\Services\directory-webservice.log. Kaseya Support can then verify whether the issue is on the server side or not.
Reference: http://www.lsoft.com/news/techtipLSV-issue2-2014.asp
Applies to: VSA 9.0, 9.1, 9.2, 9.3, 9.4.