SSPR 5016 ERROR_CANT_MATCH_USER

  • 7018363
  • 06-Dec-2016
  • 06-Dec-2016

Environment

NetIQ Self Service Password Reset (SSPR)
Active Directory (AD)
LDAP/LDAPS

Situation

  • ERROR, auth.SessionAuthenticator, {129} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=xx, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: mydomain.com:636, cause:java.net.SocketException: Connection reset) [xx.xx.xx.xx]
  • Intermittently unable to log in to SSPR

Resolution

Ensure that all AD Domain Controllers are configured to use LDAP and are accessible to SSPR.

Cause

AD uses referrals and so when SSPR does a search, a list of LDAP servers is returned.  SSPR will then attempt to use one or more of those servers.  If a server it is trying to access does not have LDAP configured, has an invalid certificate or is otherwise inaccessible, a 5016 ERROR_CANT_MATCH_USER error will be returned.

Additional Information

A network (e.g. Wireshark, tcpdump) trace shows the server responds to a query such as

standard DNS query myserver.mydomain.com

With multiple servers.  

DNS requests of the form

standard DNS query ForestDnsZones.mydomain.com
standard DNS query DomainDnsZones.mydomain.com

and the servers listed in the responses to these requests will also need to be accessible.

Turning off referrals in SSPR [Configuration Editor -> LDAP -> LDAP Settings -> Global -> Follow LDAP Referrals] may work if AD itself is set up not to need them (all objects and OUs are available on one server) but if this is not the case then AD may then return a Not Found error.

Currently [December 2016] manually editing /etc/hosts will not work as this file is ignored by SSPR.  This has been reported to Engineering.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.