Windows Proxy Error 5061 - Could not contact Domain Controller

Document ID : KB000044708
Last Modified Date : 23/01/2019
Issue:

Error 5061 is produced by the Windows Proxy target connector and has the corresponding error message "Could not contact domain controller." Internally this error is known as ERROR_COULD_NOT_RETRIEVE_DC. This particular error arises during either of the following two operations: (1) verifying credentials; (2) updating credentials (which may also incur a verify as part of the update).

Environment:
Password Authority 4.5.3
 
Cause:
The connector must identify and contact a Domain Controller to accomplish either operation. Depending on the connector's configuration the Domain Controller may be identified by (1) the Target Server; (2) a DNS query; (3) a list of "specified servers," i.e. Domain Controller addresses. The error only ever arises in the cases of (2) and (3). In the case of (1) the code assumes connectivity. In the case of (2) and (3) the connector determines connectivity by performing a "ping" operation on each Domain Controller that was identified. The connector chooses the first Domain Controller that it's able to successfully ping.

To accomplish the ping the connector first attempts a simple anonymous bind to the LDAP Directory Service Agent (DSA) on default port 389. If that attempt fails the connector then attempts a simple anonymous bind on default SSL port 636. If either attempt succeeds then the connectivity is confirmed; otherwise, Error 5061 (ERROR_COULD_NOT_RETRIEVE_DC) results.
 
Resolution:

Confirm the ability to perform simple anonymous binds from the Password Authority Server to the Domain Controller's default LDAP DSA ports 389 and 636. If "specified servers" has been configured then confirm network connectivity to said servers. If instead configured to use a DNS query then confirm the ability to query the configured DNS server and also confirm that the list of Domain Controllers returned by the DNS server is valid. The connector has debugging available to assist with troubleshooting the DNS query.
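The "ping" described under Cause and the check asked for under Resolution are the same operation: an anonymous LDAPv3 simple bind on port 389, then on port 636 if that fails, against each candidate Domain Controller in order. The script below is an added example for reproducing that check from the Password Authority Server; it is not code from the connector or from CA/Broadcom. It hand-encodes the BindRequest per RFC 4511 so it needs only the Python standard library, treats a BindResponse with resultCode 0 as success, and returns the first host and port that answers. The function and constant names, the 5-second timeout, and the example hostnames in the usage line are assumptions; the connector's own timeout and TLS validation behaviour are not stated in the article.

```python
"""Reproduce the Windows Proxy connector's Domain Controller reachability check.

Added example (not the connector's code): for each candidate DC, attempt an
anonymous LDAPv3 simple bind on 389, then on 636 over TLS, and report the
first one that answers with resultCode 0.
"""
import socket
import ssl
import sys
from typing import Callable, Iterable, Optional, Tuple

LDAP_PORT = 389          # default DSA port tried first
LDAPS_PORT = 636         # default SSL port tried second
TIMEOUT_SECONDS = 5.0    # assumed value; the article does not state the connector's timeout


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at pos; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_anonymous_bind_request(message_id: int = 1) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    assert 0 < message_id < 0x80, "single-byte messageID is enough for a probe"
    bind_request = (
        b"\x02\x01\x03"   # version INTEGER 3
        + b"\x04\x00"     # name: empty LDAPDN, i.e. anonymous
        + b"\x80\x00"     # authentication [0] simple with empty password
    )
    protocol_op = b"\x60" + _ber_len(len(bind_request)) + bind_request  # [APPLICATION 0]
    body = b"\x02\x01" + bytes([message_id]) + protocol_op
    return b"\x30" + _ber_len(len(body)) + body


def parse_bind_response(data: bytes) -> Optional[int]:
    """Return the resultCode from a BindResponse, or None if the bytes are not one."""
    try:
        if data[0] != 0x30:
            return None
        _, pos = _read_len(data, 1)
        if data[pos] != 0x02:                 # messageID INTEGER
            return None
        n, pos = _read_len(data, pos + 1)
        pos += n
        if data[pos] != 0x61:                 # [APPLICATION 1] BindResponse
            return None
        _, pos = _read_len(data, pos + 1)
        if data[pos] != 0x0A:                 # resultCode ENUMERATED
            return None
        n, pos = _read_len(data, pos + 1)
        return int.from_bytes(data[pos:pos + n], "big")
    except IndexError:
        return None


def probe_dc(host: str, port: int, use_tls: bool, verify_tls: bool = True) -> bool:
    """One connectivity attempt: connect, (optionally) wrap in TLS, anonymous bind, check result."""
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT_SECONDS)
    except OSError:
        return False
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify_tls:   # only for diagnosing a DC whose certificate does not match the name used
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(build_anonymous_bind_request())
        return parse_bind_response(sock.recv(4096)) == 0
    except OSError:          # includes ssl.SSLError and socket.timeout
        return False
    finally:
        sock.close()


def find_first_reachable_dc(candidates: Iterable[str],
                            probe: Callable[[str, int, bool], bool] = probe_dc
                            ) -> Optional[Tuple[str, int]]:
    """Mirror the connector's selection: first DC that answers on 389, else on 636."""
    for host in candidates:
        if probe(host, LDAP_PORT, False):
            return host, LDAP_PORT
        if probe(host, LDAPS_PORT, True):
            return host, LDAPS_PORT
    return None   # every candidate failed both ports: the connector would raise 5061


if __name__ == "__main__":
    # Usage: python dc_probe.py dc1.example.local dc2.example.local   (hostnames are placeholders)
    hosts = sys.argv[1:] or ["dc1.example.local", "dc2.example.local"]
    chosen = find_first_reachable_dc(hosts)
    print("reachable DC:", chosen if chosen else "none (expect ERROR_COULD_NOT_RETRIEVE_DC)")
```

Run it with the same hostnames or addresses the connector has under "specified servers", or with the list the DNS query returns, from the Password Authority Server itself so that firewalls and routing are exercised the same way. A DC that fails on 389 but also fails on 636 only because of certificate validation can be distinguished by re-running the probe with `verify_tls=False`; the article does not say whether the connector validates the certificate, so treat that outcome as a lead rather than a verdict.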

Additional Information:
The Windows Proxy connector uses legacy-style debug logging. To activate logging create the subdirectory $CSPM_SERVER_HOME/cspmserver/config/targetapplications and then create a file at that location called "windows.properties". Edit the file to include a single line of text as follows: "debug=true". Also set the tomcat loglevel to INFO in $CSPM_SERVER_HOME/cspmserver/config/systemConfiguration.properties. Restart Password Authority (Tomcat) and then observe debug messages emitted into the Tomcat (catalina.out) log file on UNIX, or stdout on Windows.