47882: MassTransit LDAP Account Errors

MassTransit can be configured to auto-provision Web Client accounts by integrating with Active Directory.

On occasion, MassTransit will be unable to create these accounts. This is usually due to a misconfiguration in the MassTransitEngine.cfg file. The most common errors are listed below.

  • Failed to automatically create contact – If you see errors like “Failed to automatically create contact '' (GUID: 4F1EF1CD-1DDB-AB45-B2E7-ED584B0B1457) [error code: 3145734]”, this is usually because the search base setting in the Directory Services section of the MassTransitEngine.cfg file does not contain the OU in which the user resides. You will need to search AD for that GUID, determine where the user is located, and add that OU to the LDAP_SEARCH_BASE setting in the MassTransitEngine.cfg file. You can use Microsoft’s built-in tool, ldp.exe, to search for the GUID. See Using ldp.exe to Search for a MassTransit User’s GUID.
  • Directory Services Initialization Failed – Server Down – this happens when MassTransit cannot reach the LDAP server for some reason (port blocked, wrong IP, etc.). Check that LDAP_SERVER_ADDRESS, LDAP_SERVER_PORT and LDAP_USE_SECURE_CONNECTION are defined correctly in the MassTransitEngine.cfg file and that the necessary ports are open between MassTransit and that server.
  • Directory Services Initialization Failed – Invalid Credentials – this happens when the credentials used to bind to Active Directory are invalid. Sometimes this is due to connecting on the wrong port, for example port 389 when 636 should be used instead. Check that the LDAP_BIND_DN and LDAP_BIND_PASSWORD settings in the MassTransitEngine.cfg file are correct and are able to bind to AD. If the MassTransit server is joined to the domain, you do not need to enter credentials. If the bind username and password are not in the same domain as the PRIMARY_DOMAIN setting, you will also need to configure the LDAP_BIND_DOMAIN setting.
  • MML / MDL Group fails to initialize – this usually occurs when the LDAP_SEARCH_BASE does not contain the MML or MDL group, or there is a typo (missing comma, misspelling, etc.). The LDAP_MML_GROUPS and LDAP_MDL_GROUPS settings in the MassTransitEngine.cfg file require the distinguished name of the group to be specified.

The following is an example of a properly configured setting:

  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com

You may specify more than one group by separating them with semi-colons (;), for example:

  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com;CN=MyOtherGroup,OU=MyOU,DC=domain,DC=com

The following are examples of improperly configured settings:

  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU 
  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU;CN=MyOtherGroup,OU=MyOU
  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com:CN=MyOtherGroup,OU=MyOU,DC=domain,DC=com
  • LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com,CN=MyOtherGroup,OU=MyOU,DC=domain,DC=com
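A small lint for the group settings described above, written here as an added example rather than MassTransit's own code. It assumes the Directory Services section is a plain KEY=VALUE file and uses the article's good and bad values as constructed input; it flags each of the improper forms listed above and also a group that lies outside LDAP_SEARCH_BASE.

```python
import re
# Constructed sample of the Directory Services settings in a MassTransitEngine.cfg
# (assumed KEY=VALUE layout); LDAP_MDL_GROUPS deliberately uses the ':' mistake.
SAMPLE_CFG = """
LDAP_SEARCH_BASE=OU=MyOU,DC=domain,DC=com
LDAP_MML_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com;CN=MyOtherGroup,OU=MyOU,DC=domain,DC=com
LDAP_MDL_GROUPS=CN=MyGroup,OU=MyOU,DC=domain,DC=com:CN=MyOtherGroup,OU=MyOU,DC=domain,DC=com
"""
RDN_RE = re.compile(r"^(CN|OU|DC)=[^,;:=]+$", re.IGNORECASE)  # one attr=value RDN

def parse_cfg(text):
    """Return {KEY: value} for every non-blank, non-comment KEY=VALUE line."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().upper()] = value.strip()
    return settings

def dn_components(dn):
    """Split a DN into [(ATTR, value)] pairs; None if any RDN is malformed."""
    parts = []
    for rdn in map(str.strip, dn.split(",")):
        if not RDN_RE.match(rdn):
            return None
        attr, value = rdn.split("=", 1)
        parts.append((attr.upper(), value.lower()))  # DN matching is case-insensitive
    return parts

def check_group_setting(value, search_base):
    """Return the problems found in one LDAP_MML_GROUPS / LDAP_MDL_GROUPS value."""
    problems, base = [], dn_components(search_base)
    for entry in value.split(";"):
        comps = dn_components(entry)
        if comps is None:
            problems.append(f"malformed entry (':' or a missing ';' between groups?): {entry!r}")
        elif sum(1 for attr, _ in comps if attr == "CN") > 1:
            problems.append(f"two groups joined with ',' instead of ';': {entry!r}")
        elif comps[0][0] != "CN" or comps[-1][0] != "DC":
            problems.append(f"not a full group DN (must run from CN= to DC=): {entry!r}")
        elif base and comps[-len(base):] != base:
            problems.append(f"group lies outside LDAP_SEARCH_BASE {search_base!r}: {entry!r}")
    return problems

def lint(text):
    """Problems per group setting, each checked against the config's LDAP_SEARCH_BASE."""
    cfg = parse_cfg(text)
    return {key: check_group_setting(cfg[key], cfg.get("LDAP_SEARCH_BASE", ""))
            for key in ("LDAP_MML_GROUPS", "LDAP_MDL_GROUPS") if key in cfg}
```

Running lint(SAMPLE_CFG) reports nothing for LDAP_MML_GROUPS and one malformed entry for LDAP_MDL_GROUPS, which is the colon-instead-of-semicolon mistake from the improper examples.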
