User-ID Agent error: "ldap connect failed: Strong Authentication Required"

Created On 01/31/26 03:21 AM - Last Modified 02/03/26 20:58 PM


Symptom


The following error messages appear in UaCredDebug.log:

06/23/25 13:37:57:946 [Error 1074]: pan_ldap_bind() failed
06/23/25 13:37:57:959 [Error 1892]: ldap connect failed: Strong Authentication Required
06/23/25 13:37:57:971 [Error 1701]: Failed to bind to LDAP server
06/23/25 13:38:08:135 [Error  542]: ldap_connect(user@DOMAIN.COM) return(8) : Strong Authentication Required

Note:

  • UaCredDebug.log is found in the installation directory of the Credential Agent.
  • By default, the installation directory is: C:\Program Files\Palo Alto Networks\User-ID Credential Agent


Environment


  • User-ID Agent version 11.1.1 or newer
  • User-ID Credential Service version 11.1.1 or newer 


Cause


  • This error indicates that the LDAP server rejected the connection attempt from the User-ID Agent.
  • The rejection is because the server requires a more secure connection, such as LDAPS. 


Resolution


  • Enable LDAPS on the Windows Server.
  • The steps to enable LDAPS on Windows Server are shown below.

 

  1. Open Server Manager (Start -> Server Manager).
  2. Go to Manage -> Add Roles and Features.
  3. In the “Add Roles and Features Wizard” window that opens, click “Next” on the initial screen.
  4. On the “Select installation type” screen, ensure this option is selected: “Role-based or feature-based installation”. Click “Next”.
  5. On the “Select destination server” screen, ensure “Select a server from the server pool” is enabled, and the current server is selected. Click “Next”.
  6. On the “Select Server Roles” screen, select “Active Directory Certificate Services”.
  7. In the pop-up that opens, click “Add Features”.
  8. Click “Next”.
  9. On the “Active Directory Certificate Services” screen, click “Next”.
  10. On the “Select role services” screen, click “Next”.
  11. On the “Confirm installation selections” screen, optionally enable “Restart the destination server automatically if required”, then click “Install”.
  12. After the installation completes, open Server Manager and select “Configure Active Directory Certificate Services on the destination server”.
  13. On the “Credentials” screen, you can choose to use the credentials of the current user or type different credentials. Click “Next”.
  14. On the “Role Services” screen, enable “Certification Authority” and click “Next”.
  15. On the “Setup Type” screen, select “Enterprise CA” and click “Next”.
  16. On the “CA Type” screen, select the option that is best for your use case and click “Next”.
  17. On the “Private Key” screen, select the option that is best for your use case and click “Next”.
  18. On the “Cryptography for CA” screen, select the option that is best for your use case and click “Next”.
  19. On the “CA Name” screen, configure the common name, distinguished name and distinguished name suffix for the CA and click “Next”.
  20. On the “Validity Period” screen, configure the desired validity and click “Next”.
  21. On the “CA Database” screen, configure the desired locations and click “Next”.
  22. On the “Confirmation” screen, validate the configuration and click “Configure”.
  23. Once the configuration completes, click “Close”.
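
To confirm the result of the steps above, the following PowerShell check connects to the LDAPS port (TCP 636) and reports the certificate the server presents. It is an added example, not part of the original article or of Palo Alto Networks tooling; the function name Test-LdapsEndpoint and the host name dc01.example.com are assumptions.

```powershell
# Added example: check that a domain controller answers LDAPS on TCP 636 and
# presents a certificate this host trusts. Function and host names are hypothetical.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Fail fast when nothing is listening on the LDAPS port.
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${Server}:${Port} timed out"
        }
        # Diagnostic only: record validation errors instead of aborting the
        # handshake, so they can be reported. No credentials are sent.
        $script:ldapsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $errors)
            $script:ldapsPolicyErrors = $errors
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # LDAPS needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        [pscustomobject]@{
            Server        = $Server
            TlsProtocol   = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $serverAuth
            PolicyErrors  = $script:ldapsPolicyErrors
            Usable        = $serverAuth -and ($script:ldapsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $client.Close()
    }
}

Test-LdapsEndpoint -Server 'dc01.example.com'   # placeholder FQDN
```

Run it from the host where the User-ID Agent is installed, so that PolicyErrors reflects that host's certificate trust and name resolution.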

 



Additional Information


  • This article is written for informational purposes.
  • The procedure may change when different patches/versions are installed on Windows.
  • Palo Alto Networks does not support any third-party operating systems.

