Error Messages

This section contains errors you may see when configuring PortalGuard and how to resolve them.

1) LDAP error: SSL not enabled error

When a user attempts to change their password, the see the following error:

This error occurs because the bootstrap file has not configured the LDAP settings to use SSL. A SSL connection is required by Microsoft Active Directory when changing password via LDAP. In the bootstrap file, be sure to specify an encrypted port for LDAP_Port and set LDAP_UseSSL=1.

2) Unable to reach the authentication server

User logins and password changes result in the following error:

If all attempts to authenticate through PortalGuard result in this error, it most likely means that the connectivity settings in the bootstrap file are not correct. The three settings to check are LDAP_Server, LDAP_Port and LDAP_UseSSL.

Confirm network connectivity between the PortalGuard server and the LDAP server by pinging the value(s) in the LDAP_Server setting. If the ping is successful, ensure LDAP_UseSSL is set to 1 if you are using an encrypted LDAP port (636 by default or 3269 for Active Directory Global Catalog).

Confirm you can connect to the LDAP server using a LDAP browsing utility such as Microsoft’s ldp.exe. If you can connect with SSL from some machines but not others, this is most likely a certificate trust issue. Make sure that the certificate for the LDAP server (or the Certificate Authority that issued it) is trusted on the machine where PortalGuard is running.

On Microsoft Windows platforms, please be aware that each user on a Windows system (including the Local System account) has a separate certificate store. In the case of IIS, you must ensure that the certificate of the LDAP server (or CA) is in the Local Computer certificate store.

You can use the Microsoft Management Console (mmc.exe) to add the Certificates snap-in for the current user and/or Local Computer.

3) An unknown LDAP failure occurred

When a user tries to reset their forgotten password, they see the following error:

In this case, the generic user account specified in the bootstrap file may not have permissions to change other user’s passwords. This can be confirmed by looking for the following error in the PortalGuard log file:

Password change failed - ldap_modify_ext_s() failed with error 50: Insufficient Rights

If you see this and are using Active Directory as the user repository, please follow the steps in Delegating Rights in Active Directory to give your generic user the appropriate rights. If you are using a different LDAP server, please update the generic user account to allow it to update other user’s passwords.