Last Updated: Aug 6, 2024
Overview
Every few minutes, an error is seen in the tenant logs for the AD/LDAP connection with the description:
Wrong attempt to update ad connector thumbprints.
{
...
"date": "*****",
"type": "fcpro",
"description": "Wrong attempt to update ad connector thumbprints.",
"connection_id": "",
"client_id": "****",
"ip": "****",
"details": {
"details": "You have already used this ticket (********) with an agent that is currently running on another machine. To solve this, create a **NEW** connection with a new ticket and use that one instead. You can uninstall the other agent."
},
"hostname": "*******",
...
}
When running a test with the Auth0 connector the first time, it ran without an error. All subsequent runs produce this error:
“08:23:22 - error: × Connection to LDAP failed.
08:23:22 - error: > Error: 00002024: LdapErr: DSID-0C060810, comment: No other operations may be performed on the connection while a bind is outstanding., data 0, v3839”
However, the system seems to be working. This article details what those errors are and how to get rid of them.
Applies To
- AD/LDAP connection
- Errors
Cause
There are a few issues that arise when there’s a mismatch between the connector’s certificate and what was already stored in the connection (on Auth0’s side). They are usually caused by an attempt to reuse a ticket URL (i.e., pointing a connector to a connection to which the handshake was already established).
This might be seen in the connector logs:
[2019-04-23 18:29:45] Loading settings from ticket: https://{auth0_domain}/p/ad/*****/info
[2019-04-23 18:29:47] Local settings updated.
[2019-04-23 18:29:47] Generating a self-signed certificate.
[2019-04-23 18:29:52] Certificate generated.
[2019-04-23 18:29:52] Configuring connection {connection_name}.
[2019-04-23 18:29:52] > Posting certificates and signInEndpoint: http://C02W5779HTD5:4000/wsfed
[2019-04-23 18:30:53] Unexpected status while configuring connection: 504
[2019-04-23 18:30:53] <html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
</body>
</html>
This is when the server detects a certificate mismatch between what the connector is sending on startup and what’s stored in the connection. The server forces a 60-second delay in the response to prevent flooding, but the gateway is probably getting in the middle, causing a 504 timeout error instead.
This error will be coupled by a tenant log looking like the one shown in the Problem Description above.
Solution
The solution for this problem is to either create a new connection (and update the connector’s config.json with the new PROVISIONING_TICKET), or remove the options.certs and
options.thumbprints
values from the connection using Management API v2.
Another solution is to manually copy the files below from the primary active server (where the export was taken) to the target standby server (certs folder and the lib\profileMapper.js file from the %Program Files(x86)%\Auth0\AD LDAP Connector\ ).
Then restart the two LDAP services on the standby server.