Strong authentication is required for this operation

I was in the middle of creating a new Master Data Services (MDS) web application in Master Data Services Configuration Manager when I accidentally received the following error in the log: “Strong authentication is required for this operation”

Problem

When you enter the credentials for your new MDS web application and click the “OK” button, the button does not react at all; it seems to do nothing. This problem occurs when you use a domain account to run the MDS web application.

MDS Information: 0 : Validating credentials for identity: MYDOMAIN\serviceaccount.
DateTime=2021-05-25T11:34:40.0060546Z
MDS Error: 0 : Error – An exception has been logged: Strong authentication is required for this operation.
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
   at System.DirectoryServices.AccountManagement.CredentialValidator.lockedLdapBind(LdapConnection current, NetworkCredential creds, ContextOptions contextOptions)
   at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
   at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password, ContextOptions connectionMethod)
   at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password, ContextOptions options)
   at Microsoft.MasterDataServices.Configuration.WebUtilities.IsCredentialValid(PrincipalContext context, String accountIdentity, String password)
DateTime=2021-05-25T11:34:40.0841863Z

Solution

This issue happens when the Domain Controller requires strong (signed) LDAP binds after a recent update. The current MDS version, 2019 CU10, performs only a simple LDAP bind when validating the credentials, which the Domain Controller now rejects. Here is another article describing the same problem.

So I have found a simple workaround to get around this problem. Long story short: you should create the MDS web application with a local account and then use IIS to change it to your domain account.

Step 1: Create a local account “server\MDS” on the MDS server and add it to the group “MDS_ServiceAccounts”.

Step 2: In MDS Configuration Manager, create the new web application specifying the account “server\MDS”.

Step 3: Close MDS Configuration Manager and open IIS -> “Application Pools”. Find your application pool and click “Advanced Settings”.

Step 4: Click the three dots next to the account name (the “Identity” setting) and change it to your domain account.
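The same workaround scripted for steps 1 and 4, as an added example that is not part of the original post; step 2 stays a manual click in MDS Configuration Manager, and the workaround leaves the Domain Controller's LDAP signing requirement untouched. The application pool name “MDS” is an assumption (check it in IIS Manager); the domain account MYDOMAIN\serviceaccount is taken from the log above.

```powershell
# Added example, not the original post's code. Run in an elevated PowerShell
# session on the MDS server. Assumptions: the app pool created by MDS is
# named "MDS"; the domain service account is MYDOMAIN\serviceaccount.
$LocalUser   = 'MDS'                      # becomes server\MDS
$MdsGroup    = 'MDS_ServiceAccounts'      # local group used by MDS
$AppPoolName = 'MDS'                      # assumption: verify in IIS Manager
$DomainUser  = 'MYDOMAIN\serviceaccount'  # from the log above

# Step 1: local account, used only to get past the Configuration Manager
# dialog whose credential check fails on the simple LDAP bind.
$localPwd = Read-Host -AsSecureString "Password for $env:COMPUTERNAME\$LocalUser"
if (-not (Get-LocalUser -Name $LocalUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $LocalUser -Password $localPwd -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group $MdsGroup -Member $LocalUser -ErrorAction SilentlyContinue

Write-Host "Now create the MDS web application in MDS Configuration Manager"
Write-Host "using $env:COMPUTERNAME\$LocalUser (step 2), then press Enter."
Read-Host | Out-Null

# Step 4: switch the application pool identity to the domain account.
# IIS validates this account through a Windows logon rather than the LDAP
# simple bind used by MDS Configuration Manager, so the DC accepts it.
Import-Module WebAdministration
$domainPwd = Read-Host "Password for $DomainUser"   # IIS stores this encrypted in applicationHost.config
$poolPath  = "IIS:\AppPools\$AppPoolName"
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3          # 3 = SpecificUser
    userName     = $DomainUser
    password     = $domainPwd
}
Restart-WebAppPool -Name $AppPoolName

# Verify that the pool now runs as the domain account.
$pm = Get-ItemProperty -Path $poolPath -Name processModel
"{0} runs as {1} (identityType={2})" -f $AppPoolName, $pm.userName, $pm.identityType
```

After the verification line shows the domain account, the local server\MDS account is no longer used by the running pool; decide per your own policy whether to keep it for future Configuration Manager runs or disable it.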

Finally, your application should work using the AD account. By the way, this was an unexpected issue, so hopefully Microsoft will solve it in the near future. For now, it seems there is no particular date when this is going to be solved.