Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The LDAP connection may stop responding and ADC event ID 8341 may be logged when your computer initiates an LDAP session to a computer that is running Exchange Server 5.5


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

↑ Back to the top


Symptoms

When you use a Microsoft Windows implementation of the Lightweight Directory Access Protocol (wLDAP) client to connect to a Microsoft Exchange Server 5.5 computer, the session may stop responding. For example, the session may stop responding when you use the Ldp.exe tool to bind to the Exchange Server 5.5 computer.

If you are running Exchange in a mixed-mode environment, the Active Directory Connector (ADC) may not replicate information to the Exchange Server 5.5 directory. In this scenario, the following event may be logged in the application event log of the computer that is running the ADC:

Event Type: Error
Event Source: MSADC
Event ID: 8341
Description:
ADC cannot replicate to Exchange 5.5. because, on this server, LDAP Client Integrity is set to '2' (always sign.) Exchange 5.5 does not support LDAP signing. To allow this server to connect to 5.5., set the registry key registry_subkey to 0 (never sign) or 1 (sign if possible) value

↑ Back to the top


Cause

This issue may occur if the following conditions are true:
The computer that initiates the LDAP connection to the Exchange Server 5.5 computer is running Microsoft Windows 2000 Service Pack 3 or a later version of Microsoft Windows.
The LdapClientIntegrity registry entry on the computer that initiates the LDAP connection is set to a value of 2. A value of 2 indicates that LDAP signing and sealing is "always on."
Exchange Server 5.5 does not support LDAP signing. Therefore, the LDAP connection fails when it tries to negotiate a signed session with the Exchange Server 5.5 computer.

↑ Back to the top


Resolution

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, change the value of the LdapClientIntegrity registry entry on the computer that initiates the LDAP connection. You can configure the value of the LdapClientIntegrity registry entry so that LDAP either never signs or signs if requested. To do this, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap
Note If the subkey does not exist, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
b. On the Edit menu, point to New, and then click Key.
c. Type ldap as the subkey name, and then press ENTER.
d. Right-click ldap, point to New, and then click DWORD Value.
e. Type LdapClientIntegrity as the entry name, and then press ENTER.
3. In the right pane, right-click LdapClientIntegrity, and then click Modify.
4.In theValue data box, type one of the following values:
Type 0 if you do not want LDAP to use signing.
Type 1 if you want LDAP to automatically use signing against supported servers but to permit fallback to a non-signed session if you cannot establish signing.
5.Quit Registry Editor.
6.Restart the computer.

↑ Back to the top


More information

LDAP signing and sealing is supported in Windows 2000 Service Pack 3 and in later versions of Microsoft Windows. For more information about LDAP signing, click the following article number to view the article in the Microsoft Knowledge Base:
811422 LDAP signing changes for Active Directory administrative tools in Windows 2000 Server Service Pack 4

↑ Back to the top


Keywords: KB870709, kbtshoot, kbprb

↑ Back to the top

Article Info
Article ID : 870709
Revision : 6
Created on : 10/27/2006
Published on : 10/27/2006
Exists online : False
Views : 386