basic message is below…trying to upgrade an older 2X version to 5_7… AD is behind an F5…
2022-06-27T13:05:21.747217-0400 [duoauthproxy.lib.log#info] Initial LDAP bind to AD failed: ‘unwillingToPerform: 00002029: LdapErr: DSID-0C090549, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v2580\x00’
Hi @bostonmacosx, if I understand you correctly, you are upgrading your Duo Authentication Proxy but having some trouble with binding to Active Directory. Was this configuration previously working for you prior to upgrading? I ask because upgrading the Auth Proxy should not change your configuration at all.
Based on the error message you’ve shared here, “Cannot bind using sign/seal on a connection on which TLS or SSL is in effect”, it seems the issue is with Sign and Seal. Are you using [ldap_server_auto]? If so, Sign and Seal is not supported in that case. Duo Authentication Proxy 5.0.0 and later does support Sign and Seal for the connection from the Duo proxy to an upstream Active Directory domain for primary authentication via [ad_client] when the authentication type is NTLMv2 or SSPI, and the transport type is CLEAR.
Some possible solutions:
- Configure SSL between your application and the Authentication Proxy.
- If possible, disable Sign and Seal for your application.
If that’s not helpful, I would recommend taking this to our Duo Support team for further troubleshooting. They will be able to look at your exact configuration and identify any issues. Thanks!
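As an added example (not code from the original thread or from Duo), the following script encodes the rule the reply above states, so the combination can be checked in an authproxy.cfg before restarting the proxy: the proxy-to-AD bind in [ad_client] can negotiate Sign and Seal only when auth_type is ntlm2 or sspi and transport is clear, and a TLS transport (starttls/ldaps) will produce exactly the AD error quoted in the first post. The section and key names ([ad_client], [ldap_server_auto], auth_type, transport, ssl_key_path, ssl_cert_path) are Duo’s documented configuration keys; the host names, account names and the assumed defaults (auth_type ntlm2, transport clear) are constructed for this example. The sample log line is the one quoted in the first post.

```python
import configparser
import re

# Log line quoted in the first post of this thread; used here as sample input.
SAMPLE_LOG = (
    "2022-06-27T13:05:21.747217-0400 [duoauthproxy.lib.log#info] Initial LDAP bind "
    "to AD failed: 'unwillingToPerform: 00002029: LdapErr: DSID-0C090549, comment: "
    "Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, "
    "data 0, v2580\\x00'"
)

# AD's wording for a sign/seal bind attempted on a TLS/SSL-protected connection.
SIGN_SEAL_OVER_TLS = re.compile(
    r"Cannot bind using sign/seal on a connection on which TLS or SSL is in effect"
)

# Constructed authproxy.cfg fragments (not from the original post). Hosts, DNs
# and credentials are placeholders; key names follow Duo's documented format.
CFG_NTLM2_OVER_LDAPS = """
[ad_client]
host=dc1.example.local
service_account_username=duosvc
service_account_password=example-password
search_dn=DC=example,DC=local
auth_type=ntlm2
transport=ldaps
"""

CFG_NTLM2_OVER_CLEAR = """
[ad_client]
host=dc1.example.local
service_account_username=duosvc
service_account_password=example-password
search_dn=DC=example,DC=local
auth_type=ntlm2
transport=clear

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=example-skey
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
ssl_key_path=C:\\ProgramData\\Duo\\proxy.key
ssl_cert_path=C:\\ProgramData\\Duo\\proxy.pem
"""


def is_sign_seal_over_tls_error(log_line: str) -> bool:
    """True if the proxy log line carries AD's sign/seal-over-TLS refusal."""
    return bool(SIGN_SEAL_OVER_TLS.search(log_line))


def parse_cfg(text: str) -> configparser.ConfigParser:
    # interpolation=None: passwords and paths may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ad_client_sign_seal_ok(cfg_text: str):
    """Return (ok, reason) for the [ad_client] section.

    Rule from the reply: Sign and Seal on the proxy->AD bind is supported only
    with auth_type ntlm2 or sspi AND transport clear. Missing keys fall back to
    the assumed Duo defaults (auth_type=ntlm2, transport=clear).
    """
    cp = parse_cfg(cfg_text)
    if "ad_client" not in cp:
        return False, "no [ad_client] section"
    sec = cp["ad_client"]
    auth_type = sec.get("auth_type", "ntlm2").strip().lower()  # assumed default
    transport = sec.get("transport", "clear").strip().lower()  # assumed default
    if auth_type not in ("ntlm2", "sspi"):
        return False, f"auth_type={auth_type}: sign/seal needs ntlm2 or sspi"
    if transport != "clear":
        return False, (f"transport={transport}: AD refuses sign/seal when TLS/SSL "
                       "is in effect; use transport=clear or drop sign/seal")
    return True, f"auth_type={auth_type} over transport=clear: sign/seal can be used"


def ldap_server_auto_has_ssl(cfg_text: str) -> bool:
    """True if [ldap_server_auto] carries a key and cert, i.e. the application
    side can speak LDAPS to the proxy (the reply's first suggested fix)."""
    cp = parse_cfg(cfg_text)
    if "ldap_server_auto" not in cp:
        return False
    sec = cp["ldap_server_auto"]
    return bool(sec.get("ssl_key_path")) and bool(sec.get("ssl_cert_path"))


if __name__ == "__main__":
    print("log matches sign/seal-over-TLS error:", is_sign_seal_over_tls_error(SAMPLE_LOG))
    for name, cfg in (("ntlm2/ldaps", CFG_NTLM2_OVER_LDAPS),
                      ("ntlm2/clear", CFG_NTLM2_OVER_CLEAR)):
        ok, reason = ad_client_sign_seal_ok(cfg)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {reason}")
```

The check deliberately reads only the two keys the reply names; it does not attempt to tell whether a given application will request Sign and Seal, which is decided by the application’s LDAP client, not by the proxy configuration.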