Directory Synchronization - Troubleshooting LDAP Directory Integration

This article outlines the possible causes and resolutions for LDAP directory Integration failures.

Mimecast monitors the directory integrations for all of our customers to ensure that the synchronization process is running smoothly. In certain instances the synchronization process fails, resulting in end-user logon failures and permission issues. Prompt resolution of directory synchronization issues ensures that users can continue to log on successfully.

When attempting to resolve a directory integration issue, you should always initially confirm whether any changes have been made to the infrastructure or devices, or if there are any known issues that may prevent successful integration.

Ensure that you have configured both mail and proxy address attributes in your environment for a successful directory sync.

Testing an Integration

To test an integration:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Directory Synchronization.
  3. Select an existing Directory Sync.
  4. Click on the Test Connection tab.


An automatic test will run, identifying the failed areas.

Active Directory Credential Failure

Directory synchronization requires a user account in the customer infrastructure in order to log on during the synchronization process. These account details are configured in the Administration Console. If these credentials do not match, the authentication fails, and Mimecast is unable to log on and synchronize the directory.

Once you have confirmed that no infrastructure or device changes have been made, consider the following:

  • Has the Active Directory account been moved or deleted?
  • Has the password for the Active Directory account been modified or reset?
  • Is the Active Directory account still active, and neither expired nor locked out?

Directory Integration Failure

If Mimecast cannot connect with your organization's environment using LDAP(S), the connection to the IP address that has been specified for the directory integration fails. As a result, Mimecast will be unable to synchronize with the directory server.

Once you have confirmed that no infrastructure or device changes have been made, consider the following:

  • Are there any connection issues that have arisen at your infrastructure?
  • Have any changes been made recently to your firewall?
  • Have you ensured that you allow connections to the appropriate port from all of the Mimecast regional IP ranges, and that they are mapped through to the correct destination?
  • Is the LDAP service currently running on your directory server?

Character Requirements

If your directory structure contains attribute values with special characters, those characters must be escaped. This is achieved by prefixing them with a backslash "\" in the attribute string. If an attribute value contains other reserved characters (for example an equals sign "=" or non-UTF-8 characters), they must be encoded in hexadecimal by replacing the character with a backslash followed by two hex digits.

Failure to meet these requirements can cause a sync to fail.

An example of this symptom is:

  • Common Name string containing an illegal character:
    CN=Documents,OU=Docs/KB,DC=Mimecast,DC=COM
  • Common Name string escaped and encoded to hexadecimal, replacing the illegal character:
    CN=Documents,OU=Docs\2FKB,DC=Mimecast,DC=COM
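The escaping rules described above, applied in code. This is an added example, not Mimecast's own tooling: it follows the RFC 4514 backslash escaping for DN special characters, hex-encodes "/" and "=" as the article requires (non-ASCII characters are hex-encoded byte by byte as well, which is a valid but optional choice), and the escape_rdn_value and build_dn helpers are illustrative names.

```python
# Added example (not Mimecast code): escape attribute values for use in an
# LDAP distinguished name, reproducing the article's Docs/KB -> Docs\2FKB case.

# Characters RFC 4514 requires to be escaped with a leading backslash.
RFC4514_SPECIAL = set(',+"\\<>;')
# Characters the article says must be hex-encoded as \XX. "/" is included
# because Active Directory rejects it unescaped inside a DN component.
HEX_ENCODE = set('=/')


def escape_rdn_value(value: str) -> str:
    """Return `value` escaped so it can appear as the value part of an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIAL:
            out.append('\\' + ch)
        elif ch in HEX_ENCODE or ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Hex-encode every UTF-8 byte of the character: "/" -> \2F
            out.append(''.join('\\%02X' % b for b in ch.encode('utf-8')))
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')   # leading/trailing spaces must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')   # a leading '#' must be escaped
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(*rdns):
    """Build a DN from (attribute, raw value) pairs, escaping every value."""
    return ','.join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


if __name__ == '__main__':
    # Constructed input matching the article's example OU name "Docs/KB".
    print(build_dn(('CN', 'Documents'), ('OU', 'Docs/KB'),
                   ('DC', 'Mimecast'), ('DC', 'COM')))
```

Run the escaper over the raw OU/CN names coming out of your directory export before comparing them with what is configured in the sync; any value that changes is one the sync may reject unescaped.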

Active Directory Synchronization Failures

If your AD synchronization service starts failing, even though it has been working well for some time, check the service accounts, firewall logs, and certificate path/validity. If they look OK, try the following:

  1. Check that your NTDS\Personal store holds a valid Certificate Authority certificate.

     In most cases, this CA certificate will be the only certificate within the NTDS\Personal store.

  2. When you double-click on this certificate, Windows should mention, “You have a private key that corresponds to this certificate”.
  3. Remove this CA certificate from the Local Computer Personal store.
  4. Re-Install this CA certificate in the NTDS\Personal store.