This error can occur when you specify a NETBIOS domain name but the Base DN to search is not set to the root of your domain LDAP tree (for example, dc=my,dc=domain,dc=com).

This happens because FlexAuth is trying to determine the distinguished name of your domain, so that it can properly search for the user object. To accomplish this, it needs to find Active Directory's "Configuration Container" which stores the mapping from NETBIOS names to distinguished names for domains.

Also, if your LDAP server is not an AD global catalog server (or is not an AD server at all), then the configuration container won't exist.

  • In most cases this problem can be resolved by adjusting the Base DN path to be the root domain space of your AD domain.
  • If you are authenticating against a non-AD LDAP server, make sure you do not specify any NETBIOS domain in the FlexAuth realm settings.
  • In one case, support observed an AD LDAP server that was (for some reason) not responding to search requests for its configuration container, even with the correct Base DN. Since it was a single domain, removing the NETBIOS domain in the FlexAuth realm allowed the search to work, as FlexAuth then treated the LDAP search as if it were against a non-AD server. This workaround means that the credentials forwarded to the upstream web server cannot have the domain name prepended. This may be acceptable if the upstream servers are configured to use the correct default domain setting.
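
The following is an added example, not FlexAuth code: a pre-flight check for a realm's Base DN and NETBIOS domain that reports the domain root and the Configuration container search a NETBIOS-to-DN lookup would need. It assumes the standard AD layout (crossRef objects under CN=Partitions in the Configuration container, with nETBIOSName and nCName attributes) and a single-domain forest; the function names, the OU and the NETBIOS name MYDOM are constructed for illustration.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 backslash escapes)."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur.strip())
            cur = ""
            continue
        cur += ch
        esc = ch == "\\" and not esc
    parts.append(cur.strip())
    return [p for p in parts if p]

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def preflight(base_dn, netbios=None):
    """Check a realm's Base DN / NETBIOS pair before it is saved."""
    rdns = split_rdns(base_dn)
    root = []
    for rdn in reversed(rdns):  # trailing run of dc= components = domain root
        if not rdn.lower().startswith("dc="):
            break
        root.insert(0, rdn)
    report = {"domain_root": ",".join(root),
              "base_is_root": bool(root) and len(root) == len(rdns),
              "warnings": [], "lookup": None}
    if not netbios:
        return report  # no NETBIOS domain, so no Configuration container lookup
    if not root:
        report["warnings"].append("No dc= suffix: not an AD-style tree, leave the NETBIOS domain empty")
        return report
    if not report["base_is_root"]:
        report["warnings"].append("Base DN is below the domain root; use " + report["domain_root"])
    # Assumption: single-domain forest, so the Configuration container sits under
    # the domain root. On a live server, read configurationNamingContext from rootDSE.
    report["lookup"] = {
        "base": "CN=Partitions,CN=Configuration," + report["domain_root"],
        "filter": "(&(objectClass=crossRef)(nETBIOSName=%s))" % escape_filter(netbios),
        "attrs": ["nCName"],  # nCName holds the domain's distinguished name
    }
    return report

if __name__ == "__main__":
    # Constructed sample input: OU and NETBIOS name are made up.
    print(preflight("ou=Staff,dc=my,dc=domain,dc=com", "MYDOM"))
```

Running the reported base and filter through any LDAP client against the server shows whether the Configuration container answers at all, which separates a misplaced Base DN from the non-responding server described in the last bullet.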