Q: AD Server Certificates and LDAP referrals, 5016 ERROR_CANT_MATCH_USER, CA Root Certificate


Jonathan Cauthorn

May 11, 2016, 1:36:54 PM
to pwm-general
I am having issues with server certificates and AD LDAP Referrals in PWM.

Background: Our domain has 9 writable domain controllers.

If I enter one DC (or two or a few, but not all) of them as the LDAP server in the LDAP URL, the LDAP response apparently contains an LDAP referral to a different server in the domain.
This indicates the object isn't in the current DC partition. Reference: https://technet.microsoft.com/en-us/library/cc978014.aspx

The Issue:
Because the server certificate is not in the PWM configuration file, it fails the LDAPS connection, and returns that info to the user screen. The log file indicates:

2016-05-10T16:17:17Z, ERROR, auth.SessionAuthenticator, {8} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=2, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: DomainDnsZones.MATC.Madison.Login:636, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate {subject=CN=DTDC02.MATC.Madison.Login} does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=DTDC02.MATC.Madison.Login} does not match a certificate in the configuration trust store.) [10.122.76.122]

Attempted fixes that fail:
I have attempted to place the server certificate into the JKS (Java KeyStore) file cacerts using the java "keytool -importcert" command line, and I can use the "-list" command to verify the cert is indeed in the file.
I also have a copy of the CA Root public key and imported it into the JKS (Java KeyStore) file cacerts.
Even after doing that, it does not appear that it will recognize the certificates of the servers that the LDAP referral points to.

I have also tried turning off Follow LDAP Referrals. That results in this message:

Error 5016
Unable to find username. Please try again.
5016 ERROR_CANT_MATCH_USER (ldap error during searchID=5, error=javax.naming.PartialResultException: Unprocessed Continuation Reference(s))

The fix that seems to work:
I have found that if I place all 9 writable domain controllers into the LDAP URLs list, the LDAP referral forwarding works. However, I would like to limit this to 3 or 4 LDAP URLs, not use all 9.

The Questions:

1. Is it a requirement to have all DCs listed in case of LDAP referrals?

2. Is it possible to just import the CA Root Certificate and not have to import all the individual ones? That way I wouldn't have to update each certificate for each server as they expire, and would give a longer time before having to touch it again.


3. Are there other options?

Thank you,

+Jonathan



Jonathan Cauthorn

May 11, 2016, 1:43:52 PM
to pwm-general
Forgot to include more background info:

Running on Windows 2012 R2
<PwmConfiguration pwmVersion="1.8.0-SNAPSHOT" pwmBuild="13038137" pwmBuildType="" xmlVersion="4" createTime="2016-04-08T16:03:35Z" modifyTime="2016-05-11T17:14:32Z">
Java SE JDK 8 update 66, 64-bit
Apache Tomcat 7.0.67

Jonathan Cauthorn

May 11, 2016, 3:42:56 PM
to pwm-general
One more tidbit: When I use Apache Directory Studio to test/verify LDAPS search queries, it asks for "Select Referral Connection", and I select the same server I'm connected to currently.

It asks for:

Please select a connection to handle referral:
ldaps://DomainDnsZones.matc.madison.login/DC=DomainDnsZones,DC-MATC,DC-Madison,DC=Login


and then I select the same server I connected to already, which seems to indicate it can handle it properly or find the data ok in Apache Directory Studio.

+Jonathan



joth...@gmail.com

Dec 12, 2019, 10:48:11 AM
to pwm-general
Hello Jonathan

Quite old, but did you find a solution?
Thanks
Johan

Jonathan Cauthorn

Dec 12, 2019, 11:00:18 AM
to pwm-general
If I remember correctly, I did this:

>>>I have found that if I place all 9 Writable Domain Controllers into the LDAP URLs list that the LDAP referral forwarding works.

and left it that way.
I didn't find any other options that consistently worked.
I think it's because LDAP referral just bounces you around all the different writable DCs, and that's a function of AD that can't be controlled.

+Jonathan

Jason Rivard

Dec 12, 2019, 8:32:06 PM
to pwm-general
Things have changed since 2016. This setting now exists:


There have also been multiple issues with the default JKS store not properly checking CA certificates for LDAP connections.  So newer code would make a difference.

You can also reduce AD referral hopping by specifying lower-level user context(s) in the configuration rather than the top-level DNS domain part of the LDAP namespace.

joth...@gmail.com

Jan 5, 2020, 11:45:21 AM
to pwm-general
Hi Jason,
thanks for your response.
So I updated my PWM from 1.8.0 to 2.0.0 (the specific option was not in the 1.8 release).
Now I'm working with 2.0.

I'm wondering, is there a changelog somewhere? I could not find it.
With this release and the certificate validation set to "entire certificate chain", will it be able to validate all my DCs if I import only my CA chain certificate into the Java trust store? It is not really clear to me.
(Asking this because Windows renews certificates without notifying, and this breaks PWM for changing passwords and connecting.)

Thanks in advance
Johan
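Question 2 in the first post and Johan's follow-up above both ask whether trusting only the CA root is enough to validate every DC, including after a silent renewal. The following is an added example, not code from the thread or from PWM: it builds a constructed root CA with openssl, issues leaf certificates for hypothetical DC hostnames under `example.test`, and runs chain plus hostname validation against the root alone.

```shell
#!/bin/sh
# Added example (not from the thread). A constructed root CA issues LDAPS
# certificates for two hypothetical DC hostnames; trusting only that root
# validates both, still validates a renewed leaf, and rejects a cert for
# another host or one the CA never signed.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed-Root-CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[rogue_ext]
subjectAltName = DNS:dtdc02.example.test
EOF
# Stand-in for the enterprise CA whose root would go into the trust store.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
# issue_dc_cert HOST OUTFILE: CA-signed leaf whose SAN carries HOST.
issue_dc_cert() {
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$2" >/dev/null 2>&1
}
# verify_dc HOST CERT: succeeds only if CERT chains to the root and names HOST,
# the same check a TLS client performs when only the CA root is trusted.
verify_dc() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}
issue_dc_cert dtdc02.example.test "$WORK/dtdc02.pem"
issue_dc_cert domaindnszones.example.test "$WORK/dnszones.pem"   # referral target
issue_dc_cert dtdc02.example.test "$WORK/dtdc02-renewed.pem"     # silent renewal
# Self-signed cert claiming the DC's name but never issued by the CA.
openssl req -x509 -config "$WORK/ca.cnf" -extensions rogue_ext -newkey rsa:2048 \
  -nodes -days 365 -subj "/CN=dtdc02.example.test" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
for c in dtdc02 dnszones dtdc02-renewed rogue; do
  host=$(openssl x509 -in "$WORK/$c.pem" -noout -subject | sed 's/.*CN *= *//')
  verify_dc "$host" "$WORK/$c.pem" && echo "$c: trusted" || echo "$c: rejected"
done
```

The renewed certificate validates without any change to the trust store, which is what pinning each DC's individual certificate cannot offer; the rogue self-signed certificate is rejected even though it carries the right name.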

Jason Rivard

Jan 6, 2020, 9:51:57 AM
to pwm-general