Indeed the way that AD works can be a bit of a mystery. I walked back my troubleshooting to just do unencrypted 389 LDAP non-tls non-ssl and well, I must have another issue. Somehow LDAP isn't expanding to actually search for the user? (0) Received Access-Request Id 8 from 10.189.5.22:1645 to 10.213.15.19:1812 length 69 (0) User-Name = "MYUSER" <snip> (0) suffix: No '@' in User-Name = "MYUSER", looking up realm NULL (0) suffix: No such realm "NULL" <snip> (0) ldap: EXPAND (sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (sAMAccountname=) <snip> It seems like that last part: ldap: --> (sAMAccountname=) should include the username such as: ldap: --> (sAMAccountname=MYUSER) from my mods-enabled/ldap, for testing I have a really basic filter right now, but I've also tried the recommended one for AD in the comments: ldap { user_dn = "LDAP-UserDn" user { base_dn = "${..base_dn}" filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } Someone hit me with the clue-bat as to how possibly this is disappearing somehow when it gets to LDAP search? I also confirmed with wireshark that it's omitting the username from the search. %{%{Stripped-User-Name}:-%{User-Name}}