6.7 ORF Online Help

Troubleshooting Recipient Validation

This section guides you through configuring and troubleshooting the Recipient Validation test in ORF.


Active Directory: child domains

ORF may not find all email addresses in your AD automatically if you have child domains. In this case, you have to configure ORF to work with a global catalog which contains both parent and child domain data.

To set an LDAP root manually, navigate to the Blacklists / Recipient Validation page and click Configure Selected under Validation Source: Microsoft® Active Directory®. Select Use the LDAP root specified below in the Active Directory Source Settings dialog (Directory tab) and enter the global catalog path in the LDAP path box as GC://servername/DC=domain,DC=com where servername is the name of your global catalog server. Note that GC:// must be written in uppercase.

If you have multiple domains in the same global catalog tree (instead of child domains), you should simply enter GC://servername (without any trailing slash).

AD access from a non-domain member host

ORF cannot detect the LDAP root path on a non-domain member host, so the root has to be configured manually.

Select Use the LDAP root specified below in the Active Directory Source Settings dialog (Directory tab) and enter the LDAP path. Note that LDAP:// must be written in uppercase. External hosts may not be authorized to query the Active Directory. If you experience any problems with the integration, select the Authentication tab and enter the proper user credentials. Note that the required user name format may depend on your AD settings: for example, it can be DOMAIN\user, user@domain or user.

If there is a firewall between the ORF host and the Active Directory server, you must allow the host where ORF runs to communicate with the Active Directory server via the LDAP port (TCP/389). If you use the GC:// prefix instead of LDAP://, the default port will be the GC port (TCP/3268). No other ports are required by the AD communication.

Troubleshooting Error Messages

[...] Could not bind to path "..." [...]

Check the LDAP path. Make sure that "LDAP://", "GC://" and "DC=" are written in uppercase.

[...] A referral was returned from the server [...]

Check that you have a valid LDAP path configured.

[...] The authentication mechanism is unknown [...]

Check the user name and password on the Authentication tab. Note that the required user name format depends on your AD settings: for example, it can be DOMAIN\user, user@domain or user. Also try the integration with blank user name and password fields and with authentication disabled.
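
The path rules above (uppercase LDAP://, GC:// and DC=, no trailing slash) and the default port each prefix implies can be checked before the path is entered in ORF. The following is an added example, not part of ORF or of the original help page; the function name check_ad_path and the sample host names are hypothetical, and the path layout (optional server name, then the DN after a slash) is an assumption based on the GC://servername/DC=domain,DC=com form shown earlier.

```python
import re

# Default TCP ports per prefix, as stated on this page.
DEFAULT_PORTS = {"LDAP": 389, "GC": 3268}


def check_ad_path(path):
    """Return (problems, port) for an LDAP root path.

    problems: list of strings, empty when the path passes every check.
    port: TCP port to allow from the ORF host to the AD server,
          or None when the prefix is not LDAP or GC.
    """
    problems = []
    m = re.match(r"^([A-Za-z]+)://(.*)$", path)
    if not m:
        return (["path must start with LDAP:// or GC://"], None)
    prefix, rest = m.groups()
    port = DEFAULT_PORTS.get(prefix.upper())
    if port is None:
        problems.append("unknown prefix %s://" % prefix)
    elif prefix != prefix.upper():
        problems.append("%s:// must be written in uppercase" % prefix.upper())
    if rest.endswith("/"):
        problems.append("remove the trailing slash")
        rest = rest.rstrip("/")
    # Assumption: an optional server name comes first, then the DN after '/'.
    if "/" in rest:
        server, dn = rest.split("/", 1)
    elif "=" in rest:
        server, dn = "", rest
    else:
        server, dn = rest, ""
    if not server and not dn:
        problems.append("no server name or DN after the prefix")
    # Only the case of the DC key is checked; values are left alone.
    for part in filter(None, (p.strip() for p in dn.split(","))):
        key = part.partition("=")[0].strip()
        if key.upper() == "DC" and key != "DC":
            problems.append("write DC= in uppercase in '%s'" % part)
    return (problems, port)


# Constructed sample paths (gc01, dc01 and example.com are placeholders).
if __name__ == "__main__":
    for sample in ("GC://gc01/DC=example,DC=com", "GC://gc01/",
                   "ldap://dc01/dc=example,DC=com"):
        print(sample, "->", check_ad_path(sample))
```

The returned port is the only one that needs to be opened on a firewall between the ORF host and the Active Directory server for that path.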


Testing the Active Directory connection

After the LDAP path is set, you can test whether ORF is able to query the Active Directory for a valid recipient address by entering it on the Test tab and clicking the Lookup button.

Note that if the ORF Service is down, the test will be performed in the security context of the ORF Administration Tool. Due to this, you may get a different result with the ORF Service (which actually hosts the Recipient Validation test), because the computer running the ORF Service may be subject to different firewall rules. The ORF Service also runs under a different user account than the Administration Tool, which may cause issues with authentication.

Copyright © Vamsoft Ltd. 2022. All rights reserved. Document ID adm-adtroubleshoot, version 1.