diff --git a/tests/ScadaLink.IntegrationTests/IntegrationSurfaceTests.cs b/tests/ScadaLink.IntegrationTests/IntegrationSurfaceTests.cs
index 7c3dfb0..c5b4080 100644
--- a/tests/ScadaLink.IntegrationTests/IntegrationSurfaceTests.cs
+++ b/tests/ScadaLink.IntegrationTests/IntegrationSurfaceTests.cs
@@ -33,7 +33,9 @@ public class IntegrationSurfaceTests
             TimeoutSeconds = 30
         };
 
-        repository.GetApiKeyByValueAsync("key-value-123").Returns(key);
+        // ConfigurationDatabase-012: the validator fetches every key and matches
+        // the candidate by HMAC hash in constant time (no secret-equality lookup).
+        repository.GetAllApiKeysAsync().Returns(new List<ApiKey> { key });
         repository.GetMethodByNameAsync("getStatus").Returns(method);
         repository.GetApprovedKeysForMethodAsync(10).Returns(new List<ApiKey> { key });
 
diff --git a/tests/ScadaLink.IntegrationTests/ScadaLinkWebApplicationFactory.cs b/tests/ScadaLink.IntegrationTests/ScadaLinkWebApplicationFactory.cs
index a3e34ee..fe977b5 100644
--- a/tests/ScadaLink.IntegrationTests/ScadaLinkWebApplicationFactory.cs
+++ b/tests/ScadaLink.IntegrationTests/ScadaLinkWebApplicationFactory.cs
@@ -43,6 +43,12 @@ public class ScadaLinkWebApplicationFactory : WebApplicationFactory<Program>
             ["ScadaLink__Security__LdapUseTls"] = "false",
             ["ScadaLink__Security__AllowInsecureLdap"] = "true",
             ["ScadaLink__Security__LdapSearchBase"] = "dc=scadalink,dc=local",
+            // GLAuth places users at cn=<name>,ou=<group>,ou=users,dc=... — the
+            // no-service-account fallback DN (uid=<name>,dc=...) does not match,
+            // so a service account is configured to enable search-then-bind:
+            // resolve the user's real DN by (uid=<name>) lookup, then bind it.
+            ["ScadaLink__Security__LdapServiceAccountDn"] = "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local",
+            ["ScadaLink__Security__LdapServiceAccountPassword"] = "password",
         };
 
         foreach (var (key, value) in envVars)
@@ -74,14 +80,14 @@ public class ScadaLinkWebApplicationFactory : WebApplicationFactory<Program>
             services.AddDbContext<ScadaLinkDbContext>(options =>
                 options.UseInMemoryDatabase($"ScadaLink_IntegrationTests_{Guid.NewGuid()}"));
 
-            // Remove AkkaHostedService to avoid Akka.NET remoting DNS resolution in tests.
-            // It registers as both a singleton and a hosted service via factory.
-            var akkaDescriptors = services
-                .Where(d =>
-                    d.ServiceType == typeof(AkkaHostedService) ||
-                    (d.ServiceType == typeof(IHostedService) && d.ImplementationFactory != null))
+            // Remove the factory-registered IHostedService registrations so
+            // Akka.NET remoting / DNS resolution never starts in tests — but
+            // keep the AkkaHostedService SINGLETON resolvable: IClusterNodeProvider
+            // (and other services) depend on it via GetRequiredService.
+            var hostedServiceDescriptors = services
+                .Where(d => d.ServiceType == typeof(IHostedService) && d.ImplementationFactory != null)
                 .ToList();
-            foreach (var d in akkaDescriptors)
+            foreach (var d in hostedServiceDescriptors)
                 services.Remove(d);
         });
     }