New Member

Inconsistent LDAP bind to AD over SSL from Workcentres?

Operating System: Not Applicable

I have 5 Xerox WorkCentre 5955s located in 4 offices around the state. In one of those offices, I also have an AltaLink B8055. We recently moved to LDAPS; however, some of the copiers will not find a domain controller and we can't figure out why. 2 of the 5 work fine (and, oddly, those 2 are in the same office). The AltaLink works fine and has the same configuration, but is in the same office as one of the non-functional WorkCentres. The AltaLink is in Site 1 (10 subnet), the 2 working WorkCentres are in Site 2 (20 subnet), and the others are in Sites 3 (30 subnet) and 4 (40 subnet). We have DCs in each site (matching third octet) but also DCs at our HQ (50 subnet). I'll indicate the failed binds to a DC with -, and a successful bind with a +.

  • 10.1.10.13
    • Site 1
    • Firmware 073.091.075.34540
    • Tested DC’s:
      • -10.1.50.2
      • -10.1.50.4
      • -10.1.10.4
      • -10.1.20.4
  • 10.1.20.15
    • Site 2
    • Firmware 073.091.075.34540
    • Tested DC’s:
      • +10.1.20.4
      • +10.1.50.2
  • 10.1.20.13 
    • Site 2
    • Firmware 073.091.055.33800
    • Tested DC’s:
      • +10.1.20.4
  • 10.1.30.13
    • Site 3
    • Firmware 073.091.066.08210
    • Tested DC’s:
      • -10.1.50.4
      • -10.1.30.4
      • -10.1.20.4
  • 10.1.40.13 
    • Site 4
    • Firmware 073.091.066.08210
    • Tested DC’s:
      • -10.1.50.4
      • -10.1.20.4
      • -10.1.40.4

So we don't think it's the network at a site, because the working ones are able to bind out of network and other copiers on the "non-working" sites bind successfully. We can't correlate firmware, and we can't correlate against a specific DC. The accounts are all the same and we're not validating the LDAPS certificate. I CAN make the "broken" ones work by pointing them at port 389 instead of 636; however, even after selecting SSL for LDAP, the domain controller registers an insecure LDAP bind.

We are stumped.  Any thoughts or troubleshooting help is appreciated.

13 Replies
Valued Advisor

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

Update the firmware on one that does work and one that doesn't (see attached)

Enable network trace and try the LDAP, then compare failed and successful in Wireshark

CWIS > Properties > Security > Logs > Network troubleshooting


Things that will cause LDAPS to fail:

  • Time off by more than 3 minutes
  • Not having HTTPS enabled on the MFP
  • TLS Settings


Please be sure to select "Accept Solution" and or select the thumbs up icon to enter Kudos for posts that resolve your issues. Your feedback counts!

Joe Arseneau
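
An added example, not part of the post above and not Xerox tooling: a Python probe that attempts one TLS handshake per protocol version against a domain controller's LDAPS port, so the versions the DCs accept can be compared with the TLS settings on a failing device. The DC addresses are the ones listed in the original post; certificate validation is disabled only to mirror the setup described in the thread.

```python
import socket
import ssl
import warnings

# TLS versions to try, oldest first. Names are ssl.TLSVersion members.
VERSIONS = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def probe_ldaps(host, port=636, timeout=3.0):
    """Return {version_name: outcome} for one LDAPS endpoint.

    outcome is "ok <cipher>" when the handshake completes, otherwise
    "fail <exception name>". Certificates are not validated, matching
    the thread's setup; this only tests protocol-version overlap.
    """
    results = {}
    for name in VERSIONS:
        version = getattr(ssl.TLSVersion, name)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with warnings.catch_warnings():
                # Pinning TLS 1.0/1.1 raises a DeprecationWarning on newer Pythons.
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version
                ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok " + tls.cipher()[0]
        except (OSError, ValueError) as exc:
            # OSError covers refused/timeout/ssl.SSLError; ValueError means
            # the local OpenSSL build cannot offer this version at all.
            results[name] = "fail " + type(exc).__name__
    return results


def accepted_versions(results):
    """List the TLS versions for which the handshake succeeded."""
    return [name for name in VERSIONS if results[name].startswith("ok")]


if __name__ == "__main__":
    # DC addresses taken from the original post.
    for dc in ["10.1.10.4", "10.1.20.4", "10.1.30.4", "10.1.40.4",
               "10.1.50.2", "10.1.50.4"]:
        res = probe_ldaps(dc)
        print(dc, accepted_versions(res) or "no TLS handshake", res)
```

A "fail" for an old version can also come from the probing machine's own OpenSSL policy, so run it from a host whose TLS stack still permits the versions being tested.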
New Member

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

We don't have the TLS settings?  Would they be somewhere else?  We also don't have the Network Troubleshooting Logs option.


We validated NTP and that isn't an issue.

Valued Advisor

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

You won't have TLS settings until you have the firmware updated, same for the Network trace feature


Joe Arseneau
New Member

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

We have updated the firmware on 2 of them to the latest we can find (073.091.075.34540) but the option isn't there.

Valued Advisor

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

 The versions linked in my attachment on my first post in this thread are 26 versions newer than what you have


Joe Arseneau
New Member

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

Sorry to belabor this point, but the PDF you attached says it's for the 5955i, not the 5955.  Is that going to be compatible?  Here is our exact model string and serial:

Machine Model: Xerox WorkCentre 5955 v1 Multifunction System
Machine Serial Number: A2M738531


Valued Advisor

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

The i denotes a machine sold with firmware that started with 072 (ConnectKey 1.5). It means nothing more and makes no difference at all; it was a marketing gimmick at best. Any ConnectKey product before it could just be updated to match it.

Firmware for Xerox is decoded using the following

[Image: Firmware decoding.png]

For the 59XX, these are the releases from 073 (You have the first one) up to 075 (Current) and the only thing that changes between the Connectkey controllers (as shown above) will be the 091

| Release Type | Release Name | System Software | Date |
|---|---|---|---|
| SPAR | R20-01 CKi | 075.091.000.02300 | 02/20 |
| SPAR | R19-11 CKi | 073.091.069.32410 | 12/19 |
| SPAR | R19-08 CKi | 073.091.059.25300 | 09/19 |
| SPAR | R19-05 CKi (Re-spin) | 073.091.019.14200 | 07/19 |
| SPAR | R19-05 CKi | 073.091.019.13010 | 06/19 |
| SPAR | R19-02 CKi | 073.091.009.03700 | 02/19 |
| SPAR | R18-11 CKi | 073.091.068.33100 | 12/18 |
| SPAR | R18-08 CKi | 073.091.058.25300 | 09/18 |
| SPAR | R18-05 CKi | 073.091.048.15000 | 06/18 |
| SPAR | R18-02 CKi | 073.091.008.05210 | 03/18 |
| SPAR | R17-11 CKi | 073.091.247.32400 | 12/17 |
| SPAR | R17-09 CKi | 073.091.237.28600 | 10/17 |
| SPAR | R17-08 CKi | 073.xxx.197.28500 | 10/17 |
| SPAR | R17-07 CKi | 073.091.187.20500 | 08/17 |
| SPAR | R17-05 CKi | 073.091.177.14300 | 06/17 |
| SPAR | R17-04 CKi | 073.091.167.09610 | 04/17 |
| SPAR | R17-02 CKi | 073.091.147.07400 | 03/17 |
| SPAR | R16-11 CKi | 073.091.136.34300 | 12/16 |
| SPAR | R16-09 CKi | 073.091.126.28110 | 10/16 |
| SPAR | R16-08 CKi | 073.091.106.26100 | 09/16 |
| SPAR | R16-07 CKi | 073.091.116.19700 | 08/16 |
| SPAR | R16-05 CKi | 073.091.086.15410 | 06/16 |
| SPAR | R16-02 CKi | 073.091.066.08210 | 04/16 |
| GENERAL - MANUFACTURING | 2016 CKi | 073.091.075.34540 | 04/16 |
| SPAR | R15-11 | 073.091.055.33800 | 12/15 |


Joe Arseneau
New Member

Re: Inconsistent LDAP bind to AD over SSL from Workcentres?

Last question, I promise.  These are all remote (all are 3-12 hours away by car) so I am not doing this until I'm absolutely certain my upgrade plan is ironclad.

The PDF in the firmware you linked has upgrade paths based on 071.xxx, 072.xxx, and 073.xxx families.  All 5 of our copiers are already on 073.xxx families.  The PDF references files different from what is included in the zip. We have the following:

  • 729999v3.dlm
  • 788101v6.dlm
  • WorkCentre_5945-5955_system-sw#07209105431606#ENG_MOD.DLM
  • WorkCentre_5945-5955_system-sw#07509100002300#ENG_MOD.DLM

In this case, we would just need to directly install the last file, the WorkCentre_5945-5955_system-sw#07509100002300#ENG_MOD.DLM one, right?  None of the others would be needed?
