When troubleshooting ESP issues where LDAP authentication from the LoadMaster is failing, it is useful to test the LDAP authentication directly against the Domain Controller. This can be done with the LDP application, which is pre-installed on Windows Server.
To launch LDP, click the Start button, type LDP.exe and click the application. The following is shown once the application has launched:
Click Connection > Connect and input the IP address of the LDAP Server we would like to test authentication against:
Click Connection > BIND and input the same user's credentials as you were trying to authenticate with on the LoadMaster:
At this point, if you select "Bind with credentials", you can make a test BIND request using the specific Username, Password and Domain.
Note the responses you should see for successful and unsuccessful BIND requests to LDAP:
The above shows both a valid and an invalid response. In the negative case, AD is stating that the credentials are invalid (for example, the password is incorrect or the account is locked). This helps to rule out whether the LoadMaster is the cause of the authentication issue or whether there is genuinely a problem with AD or the user credentials.
Troubleshooting Permitted Groups
If you are having issues getting permitted groups to work, you can also use LDP.exe. Once you have successfully authenticated, navigate to "Browse > Search".
You will then be presented with the following Search box:
Searching for a Permitted Group
Domain = Kemptest.com
User = admin
Group = EP InternetAccess XI
Base DN = DC=kemptest,DC=com
Filter = (&(&(memberOf=CN=EP InternetAccess XI,CN=Users,DC=kemptest,DC=com)))
Below you can see "1 Entries", which means the user "admin" is a member of the "EP InternetAccess XI" group.
If you have multiple sub-domains and your permitted group resides in one of them, you may have to bind using port 3268 or, for a secure connection, port 3269 (the Global Catalog ports).
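The same two checks (a simple BIND with the user's credentials, then a memberOf search for the permitted group) can be scripted so they are repeatable; the PowerShell below is an added example and not part of the original article or the LoadMaster product. It assumes a placeholder DC address, the article's domain, user, group and base DN, and narrows the article's filter to the bound user's own account.

```powershell
# Added example (not from the original article): scripted equivalent of the LDP.exe
# "Bind with credentials" test and the memberOf search, using the .NET
# System.DirectoryServices.Protocols API. Values below are placeholders/assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = '192.0.2.10'   # placeholder: address of the Domain Controller to test against
$Port     = 389            # use 3268 (Global Catalog) or 3269 (GC over SSL) if the group lives in another sub-domain
$Domain   = 'kemptest.com'
$User     = 'admin'
$BaseDn   = 'DC=kemptest,DC=com'
$GroupDn  = 'CN=EP InternetAccess XI,CN=Users,DC=kemptest,DC=com'
$Password = Read-Host -AsSecureString 'Password for the test user'   # prompted, never hard-coded

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.Credential = New-Object System.Net.NetworkCredential($User, $Password, $Domain)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, like LDP's "Bind with credentials"
$conn.SessionOptions.ProtocolVersion = 3

try {
    # Step 1: the BIND. Success here means the DC accepted the credentials, so the
    # LoadMaster ESP configuration, not AD, is the next place to look.
    $conn.Bind()
    Write-Host "BIND succeeded for $Domain\$User"

    # Step 2: the permitted-group search. This is the article's memberOf filter narrowed
    # to the bound user, so "1 Entries" means that account is a member of the group.
    $filter   = "(&(sAMAccountName=$User)(memberOf=$GroupDn))"
    $scope    = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $request  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $BaseDn, $filter, $scope, 'distinguishedName'
    $response = $conn.SendRequest($request)
    Write-Host "$($response.Entries.Count) Entries"
    foreach ($entry in $response.Entries) { Write-Host "  $($entry.DistinguishedName)" }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # AD answers a wrong password and a locked account with the same LDAP result (49, invalidCredentials);
    # the server message tells them apart: "data 52e" = wrong password, "data 775" = account locked out.
    Write-Host "LDAP error $($_.Exception.ErrorCode): $($_.Exception.ServerErrorMessage)"
}
finally {
    $conn.Dispose()
}
```

Run it from a Windows host that can reach the DC on the chosen port; a bind failure with the same "data" code LDP shows confirms the problem is on the AD/credential side rather than on the LoadMaster.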