Description: When configuring Access Server to authenticate against Active Directory (AD) using LDAP in Windows Server AD 2025, you might find the LDAP authentication module not starting or failing due to an error and the following message on the Access Server logs:
2025-03-24T18:48:18+0000 [stdout#info] AUTH_LDAP: is_service_alive caught exception LDAPStrongerAuthRequiredResult - 8 - strongerAuthRequired - None - 00002028: LdapErr: DSID-0C090347, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4 - bindResponse - None
This message indicates that the LDAP server requires secure authentication—specifically LDAP signing—which isn't currently enforced on the connection to Access Server.
Cause: Microsoft enforces LDAP signing by default in Windows Server AD 2025 (see: Windows Server AD 2025 enables LDAP Signing by default). If SSL/TLS (LDAPS) isn't enabled on your Access Server's connection to AD, authentication attempts may fail due to this policy.
You may encounter this issue when running Windows Server 2025 on the Domain Controller(s) that host the Active Directory services used for LDAP authentication, or when migrating your AD infrastructure from previous versions to Windows Server 2025.
Resolution
Option 1: Enable LDAPS (Recommended)
To meet Microsoft's security requirements and maintain LDAP signing, configure LDAP over SSL (LDAPS) in your environment.
Follow the steps under "Optional: Enable SSL over the connection" in our tutorial: Tutorial: Set Up Access Server with Active Directory via LDAP for VPN Integration.
This ensures secure communication between Access Server and your AD environment while complying with Windows Server 2025's LDAP security policy.
Option 2: Disable LDAP signing
If LDAPS isn't feasible in your environment, you can disable the LDAP signing requirement on your Domain Controller. This allows insecure LDAP binds, which carries security risks.
To disable LDAP signing:
- Select Start > Run, type mmc.exe, and then select OK.
- Go to File > Add/Remove Snap-in.
- Select Group Policy Management Editor, and click Add.
- Choose Group Policy Object > Browse.
- In the Browse for a Group Policy Object dialog box, select Default Domain Controller Policy under the Domains, OUs, and linked Group Policy Objects area, and then select OK.
- Click Finish, then OK.
- Select Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.
- Right-click Domain controller: LDAP server signing requirements, and click Properties.
- In the Domain controller: LDAP server signing requirements Properties dialog box:
  - Enable Define this policy setting.
  - Set it to 'None' in the Define this policy setting list.
  - Click Apply, then OK.
- Restart the server to ensure that changes take effect.
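A way to confirm which situation you are in before and after applying either option, as an added example that is not part of this article or of Access Server: it hand-encodes an LDAP simple bind, sends it to the Domain Controller on plain LDAP (389) or LDAPS (636), and decodes the bindResponse result code. A signing-enforcing DC answers the plain bind with code 8 (strongerAuthRequired, the same error as in the log line above); over LDAPS, or after the policy is set to None, the same credentials should give 0 (or 49 if the password is wrong). Host, port, bind DN and password are whatever you pass in; the sample response bytes are constructed here.

```python
import socket
import ssl

# Minimal BER helpers: enough to build an LDAP simple bind and decode the bindResponse.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload
def _int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def simple_bind_request(msg_id, dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    bind = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(msg_id) + bind)

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    # Returns (resultCode, diagnosticMessage) from LDAPMessage { messageID, BindResponse [APPLICATION 1] }.
    tag, msg, _ = _read_tlv(buf)
    _, _msg_id, pos = _read_tlv(msg)
    body_tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x30 or body_tag != 0x61:
        raise ValueError("not an LDAP bindResponse")
    _, rc, pos = _read_tlv(body)            # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def explain(rc):
    # 8 is the strongerAuthRequired code from the Access Server log; 49 means the transport was accepted.
    return {0: "bind accepted",
            8: "strongerAuthRequired: DC enforces LDAP signing, use LDAPS (636) or relax the policy",
            49: "invalidCredentials: transport accepted, credentials rejected"}.get(rc, f"LDAP result {rc}")

def probe_bind(host, port, dn, password, use_tls=False, timeout=5):
    # Live check: plain 389 reproduces the failure; use_tls=True (LDAPS, certificate validated) verifies the fix.
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(simple_bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))

# Constructed sample (hand-encoded): what a signing-enforcing DC answers to a simple bind on plain 389.
SAMPLE_STRONGER_AUTH = bytes.fromhex("302c02010161270a010804000420") + b"00002028: LdapErr: DSID-0C090347"
```

Run `explain(probe_bind("dc.example.test", 389, "cn=svc,dc=example,dc=test", "pw")[0])` against your DC, then again with port 636 and `use_tls=True` once LDAPS is configured.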
If you have additional questions, please submit a ticket.