The process is unable to read our other subdomains:
In the Discover Logs you will see the following error:
Cause 1
The domains may be configured to only accept the legacy NETBIOS user logon format (DOMAIN\User) rather than UserPrincipalName format (user@domain.local).
Cause 2
NTLM authentication is disabled.
Cause 3
The LmcompatibilityLevel does not match between the DC and the Agent server.
Cause 4
The password for the admin account entered during the DirSync agent install contains special characters.
Resolution 1
Navigate to the ODM Directory Sync Agent server.
Open an elevated regedit session.
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Quest\On Demand Migration For Active Directory\ODMAD_DS\UserName
Additionally, all domains (including sub-domains) are read as expected.
Resolution 2
Enable NTLM authentication. If NTLM was disabled via Group Policy, it will need to be allowed in Group Policy. Then it will likely need to be separately enabled using the Local Security Policy on the Domain Controllers.
Resolution 3
Even though the credentials are correct and native tools like LDP connect successfully to the Domain or Domain Controller, the error is still thrown.
The authentication method was keeping the credentials from being accepted by the Domain Controller.
The recommendation is to check the NTLM versions on the server and the DirSync Console; both versions need to match.
Please follow the Microsoft documentation:
Network security LAN Manager authentication level - Windows 10 | Microsoft Learn
Reg Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmcompatibilityLevel
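One way to compare the value across hosts, as an added example that is not part of the original article or Quest tooling. It assumes it is run in an elevated PowerShell session on the Agent server, that PowerShell remoting (WinRM) to the Domain Controllers is allowed, and the DC names shown are hypothetical placeholders.

```powershell
# Added example: compare LmCompatibilityLevel on the Agent server and the DCs.
# The default DC names are hypothetical; pass your own with -DomainControllers.
param(
    [string[]]$DomainControllers = @('DC01.example.local', 'DC02.example.local')
)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Documented meanings of the "LAN Manager authentication level" setting.
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Runs locally or remotely; returns $null when the value is not set.
$ReadLevel = {
    param($Path)
    (Get-ItemProperty -Path $Path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
}

function Get-LmLevel {
    param([string]$Computer)
    try {
        if ($Computer -eq $env:COMPUTERNAME) {
            $level = & $ReadLevel $LsaPath
        } else {
            $level = Invoke-Command -ComputerName $Computer -ScriptBlock $ReadLevel -ArgumentList $LsaPath -ErrorAction Stop
        }
        $text = if ($null -eq $level) { 'not set (OS default applies)' } else { $Meaning[[int]$level] }
        [pscustomobject]@{ Computer = $Computer; Level = $level; Meaning = $text }
    } catch {
        # Report unreachable hosts instead of silently skipping them.
        [pscustomobject]@{ Computer = $Computer; Level = $null; Meaning = "unreachable: $($_.Exception.Message)" }
    }
}

$results = @($env:COMPUTERNAME) + $DomainControllers | ForEach-Object { Get-LmLevel $_ }
$results | Format-Table -AutoSize

# Only explicitly set values are compared; unset or unreachable hosts appear in the table above.
$distinct = @($results | Where-Object { $null -ne $_.Level } | Select-Object -ExpandProperty Level -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "LmCompatibilityLevel differs across hosts: $($distinct -join ', ')"
}
```

The registry value can be overridden by the Group Policy setting named in the Microsoft documentation above, so a mismatch that returns after being corrected should be traced to the policy applied to that host.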
Resolution 4
To test, change the admin password for the account used by the DirSync Agent so that it uses US special characters only.