Microsoft KB Archive/870709

= The LDAP connection may stop responding and ADC event ID 8341 may be logged when your computer initiates an LDAP session to a computer that is running Exchange Server 5.5 =

Article ID: 870709

Article Last Modified on 10/27/2006

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you use a Microsoft Windows implementation of the Lightweight Directory Access Protocol (wLDAP) client to connect to a Microsoft Exchange Server 5.5 computer, the session may stop responding. For example, the session may stop responding when you use the Ldp.exe tool to bind to the Exchange Server 5.5 computer.

If you are running Exchange in a mixed-mode environment, the Active Directory Connector (ADC) may not replicate information to the Exchange Server 5.5 directory. In this scenario, the following event may be logged in the application event log of the computer that is running the ADC:

Event Type: Error

Event Source: MSADC

Event ID: 8341

Description:

ADC cannot replicate to Exchange 5.5. because, on this server, LDAP Client Integrity is set to '2' (always sign.) Exchange 5.5 does not support LDAP signing. To allow this server to connect to 5.5., set the registry key  to 0 (never sign) or 1 (sign if possible)



CAUSE
This issue may occur if the following conditions are true:
 * The computer that initiates the LDAP connection to the Exchange Server 5.5 computer is running Microsoft Windows 2000 Service Pack 3 or a later version of Microsoft Windows.
 * The LdapClientIntegrity registry entry on the computer that initiates the LDAP connection is set to a value of 2. A value of 2 indicates that LDAP signing and sealing is "always on."

Exchange Server 5.5 does not support LDAP signing. Therefore, the LDAP connection fails when it tries to negotiate a signed session with the Exchange Server 5.5 computer.



RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, change the value of the LdapClientIntegrity registry entry on the computer that initiates the LDAP connection. You can configure the value of the LdapClientIntegrity registry entry so that LDAP either never signs or signs if requested. To do this, follow these steps:

 1. Click Start, click Run, type regedit in the Open box, and then click OK.
 2. Locate and then click the following registry subkey:

    Note If the subkey does not exist, follow these steps:
    a. Locate and then click the following registry subkey:

    b. On the Edit menu, point to New, and then click Key.
    c. Type ldap as the subkey name, and then press ENTER.
    d. Right-click ldap, point to New, and then click DWORD Value.
    e. Type LdapClientIntegrity as the entry name, and then press ENTER.
 3. In the right pane, right-click LdapClientIntegrity, and then click Modify.
 4. In the Value data box, type one of the following values:
    * Type 0 if you do not want LDAP to use signing.
    * Type 1 if you want LDAP to automatically use signing against supported servers but to permit fallback to a non-signed session if you cannot establish signing.
 5. Quit Registry Editor.
 6. Restart the computer.
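One way to review which clients carry this setting, as an added example that is not part of the original article: it reads LdapClientIntegrity from the text of a .reg export and classifies the client by the value meanings given above. The function names, the `talks_to_exchange55` flag and the `<PARENT>` stand-in for the subkey path are assumptions, and the export text is constructed.

```python
import re

# Meanings of LdapClientIntegrity as the article states them.
MEANING = {0: "never sign", 1: "sign if possible", 2: "always sign"}
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
ENTRY = re.compile(r'^"LdapClientIntegrity"=dword:(?P<hex>[0-9a-f]{8})\s*$', re.I)

def read_integrity(reg_text):
    """Return LdapClientIntegrity from .reg export text, or None if not set."""
    in_ldap_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            # Only the key named "ldap" (the subkey the article creates) counts.
            in_ldap_key = section["key"].lower().endswith("\\ldap")
            continue
        entry = ENTRY.match(line)
        if in_ldap_key and entry:
            return int(entry["hex"], 16)
    return None

def assess(reg_text, talks_to_exchange55):
    """Classify one client; the flag says whether it must reach Exchange 5.5."""
    value = read_integrity(reg_text)
    if value is None:
        return "not set: entry or ldap subkey missing"
    if value not in MEANING:
        return f"unexpected value {value}"
    if value == 2:
        return ("always sign: LDAP to Exchange 5.5 fails; ADC may log event 8341"
                if talks_to_exchange55 else "always sign: ok")
    if not talks_to_exchange55:
        return f"{MEANING[value]}: no Exchange 5.5 dependency, review"
    return ("never sign: signing is not used with any server; 1 also works"
            if value == 0 else "sign if possible: fallback permitted")

# Constructed sample export. <PARENT> stands in for the subkey path,
# which this page does not reproduce.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\<PARENT>\ldap]
"LdapClientIntegrity"=dword:00000002
'''

if __name__ == "__main__":
    print(assess(SAMPLE, talks_to_exchange55=True))
```

Registry Editor saves version 5.00 exports as UTF-16, so decode the file before passing its text to `read_integrity`.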


MORE INFORMATION
LDAP signing and sealing is supported in Windows 2000 Service Pack 3 and in later versions of Microsoft Windows. For more information about LDAP signing, click the following article number to view the article in the Microsoft Knowledge Base:

811422 LDAP signing changes for Active Directory administrative tools in Windows 2000 Server Service Pack 4

Keywords: kbprb kbtshoot KB870709


© Microsoft Corporation. All rights reserved.