This occurred when using Windows authentication and also using remote authentication from a different Active Directory domain from the application doamin, as described on page 100 of our Installation guide, and when also disabling the vulnerable SSL3 protocol on the remote Active Directory server. An incompatible version of TLS 1.2 was attempted, resulting in the failure.
For older versions of Blackbaud CRM, a viable alternative to SSLv3 is to implement TLS version 1.0 on the client-hosted Active Directory server rig. Blackbaud CRM versions 3.0 and 4.0 implement .NET 4.0 Framework for Windows-based authentication, and the 4.0 .NET Framework supports TLS 1.0 but not TLS 1.2.
As of Blackbaud CRM version 4.0, Service Pack 5; we are now requiring and implementing version 4.5 of the .NET Framework, which supports the more secure TLS 1.2 for Windows-based authentication models: