Version Affected: All
Description:
When using Active Directory as a Datastore, if the domain name does not match the domain that the IdP is joined to, SecureAuth performs an SRV lookup for the host in your connection string. This can result in attempts to connect to DCs that sit on suboptimal network paths.
Cause:
An SRV lookup for the LDAP servers at that FQDN, with no site specified, returns every DC in the domain, so SecureAuth may connect to any DC in your AD.
Resolution:
Modify the connection string so that SecureAuth connects to a DC in the site you specify. As long as that site has multiple DCs, you still have failover.
1. Open the SecureAuth admin console.
2. Modify the Datastore connection string.
For example, if your connection string is currently
LDAP://example.com/DC=example,DC=Com
and you want to connect to the DCs in your site named "wood", the connection string becomes
LDAP://wood._sites.example.com/DC=example,DC=Com
3. Save these changes and test the connection.
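As an added example (not SecureAuth's own code), the rewrite above together with a check on which DCs the site-scoped record resolves to, in Python. It assumes the locator resolves `_ldap._tcp.` prefixed to the host portion of the connection string, which is how AD publishes its site-specific SRV records, and it uses constructed SRV answers in place of a live DNS query.

```python
import re
from typing import Dict, List, Tuple

# ADSI-style connection string, e.g. "LDAP://example.com/DC=example,DC=Com"
_CONN_RE = re.compile(r"^LDAP://(?P<host>[^/]+)/(?P<base>.+)$", re.IGNORECASE)
# AD site names are DNS labels: letters, digits and hyphens, up to 63 characters
_SITE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
# Constructed sample SRV answers standing in for a real DNS query (no network I/O): (priority, weight, port, target).
# The domain-wide record lists every DC; the site-scoped record lists only the DCs registered in the "wood" site.
SAMPLE_SRV_ANSWERS: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_ldap._tcp.example.com": [
        (0, 100, 389, "dc1.example.com"), (0, 100, 389, "dc2.example.com"),
        (0, 100, 389, "dc3.example.com"), (0, 100, 389, "dc4.example.com"),
    ],
    "_ldap._tcp.wood._sites.example.com": [
        (0, 100, 389, "dc1.example.com"), (0, 100, 389, "dc2.example.com"),
    ],
}

def parse_connection_string(conn: str) -> Tuple[str, str]:
    """Split a connection string into (host part, base DN); reject anything else."""
    m = _CONN_RE.match(conn.strip())
    if not m:
        raise ValueError(f"unrecognised connection string: {conn!r}")
    return m.group("host"), m.group("base")

def site_scoped_connection_string(conn: str, site: str) -> str:
    """Rewrite a domain-wide connection string to target the DCs of one AD site."""
    if not _SITE_RE.match(site):
        raise ValueError(f"invalid site name: {site!r}")
    host, base = parse_connection_string(conn)
    if "._sites." in host.lower():
        raise ValueError(f"connection string is already site-scoped: {host}")
    return f"LDAP://{site}._sites.{host}/{base}"

def srv_name(conn: str) -> str:
    """SRV record the locator resolves for this connection string (assumed: _ldap._tcp.<host>)."""
    host, _ = parse_connection_string(conn)
    return f"_ldap._tcp.{host}"

def candidate_dcs(conn: str, answers: Dict[str, List[Tuple[int, int, int, str]]]) -> List[str]:
    """DC targets in locator preference order: lowest priority first, then highest weight."""
    records = answers.get(srv_name(conn), [])
    return [target for _, _, _, target in sorted(records, key=lambda r: (r[0], -r[1]))]

def check_failover(conn: str, answers, minimum: int = 2) -> Tuple[bool, List[str]]:
    """False when the site-scoped record leaves fewer DCs than needed for failover."""
    dcs = candidate_dcs(conn, answers)
    return len(dcs) >= minimum, dcs
```

Run `check_failover` against the real site record before saving the change: a site with a single DC (or a mistyped site name, which resolves to nothing) is what removes failover.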
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.