5015 ERROR_INTERNAL


Ryan Shultz

Oct 30, 2019, 7:17:31 AM10/30/19
to pwm-general
I am running this on Server 2016, self-signed cert. Initial Configuration all checks out, except for the Test user; I cannot get that to work correctly. I have uninstalled and reinstalled Tomcat 8, 9, Java, and PWM. I continue to get the same error after the initial configuration when I attempt to log in to PWM as a domain user.

I used Portecle to import a self-signed cert and a PKM (you won't get past initial setup without the PKM being imported) from my Domain Controller. I continue to get the following error at an attempted login of an Admin or a Domain user:



An error has occurred. If this error occurs repeatedly please contact your help desk.

5015 ERROR_INTERNAL (unexpected error during ldap search (profile=default), error: 5015 ERROR_INTERNAL (ldap error during searchID=2, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: CITY.local:636, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching CITY.local found., cause:java.security.cert.CertificateException: No subject alternative DNS name matching CITY.local found.))



I do notice that the error shows CITY.local:636 and not the FQDN of the server; not sure if it means anything, as the cert that I imported does have the FQDN listed.

Any help would be appreciated.

Ryan Shultz

Oct 30, 2019, 7:26:00 AM10/30/19
to pwm-general
Also, I have attempted the fix from a previous post here, quoted below, with the same results; I am still getting the 5015 error.

I came across this issue and resolved it with a temporary fix. PWM will look for domain.com regardless of which Domain Controller you configure during setup. If you do an nslookup domain.com from the host machine, you'll get the IP it's pointing to, along with all of the alternate domain controllers.

You need to make sure domain.com resolves to the domain controller holding the primary DNS role. Roles are oftentimes split between physical DCs, so this can cause a problem. I just edited my local /etc/hosts file and resolved domain.com to the IP of the DC holding the primary DNS role, and it has been working great since.

Jason Rivard

Oct 30, 2019, 11:16:57 AM10/30/19
to pwm-general
The error says the problem: your LDAP SSL cert doesn't have the correct subject alternate name value.
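An added diagnostic example, not code from the thread or from PWM: it pulls the host the JNDI client was actually redirected to out of the quoted 5015 error text, then checks that host and the configured LDAP URL host against the certificate's DNS SAN entries using the same matching rule Java's hostname checker applies (case-insensitive exact match, or a single-label wildcard in the leftmost label). The LDAP URL and the SAN list are constructed assumptions; the error string is the one quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the error text quoted in the thread, plus an assumed
# PWM LDAP profile URL and an assumed SAN list for the domain controller's cert.
PWM_ERROR = ("5015 ERROR_INTERNAL (ldap error during searchID=2, "
             "error=javax.naming.PartialResultException, "
             "cause:javax.naming.CommunicationException: CITY.local:636, "
             "cause:javax.net.ssl.SSLHandshakeException: "
             "java.security.cert.CertificateException: "
             "No subject alternative DNS name matching CITY.local found.)")
LDAP_URLS = ["ldaps://dc01.city.local:636"]      # assumed PWM LDAP profile setting
CERT_SAN_DNS = ["dc01.city.local", "DC01"]        # assumed DNS SAN entries on the DC cert

def referral_target(error_text):
    """Return (host, port) the JNDI client tried to reach, as named in the PWM error."""
    m = re.search(r"CommunicationException:\s*([^\s,]+):(\d+)", error_text)
    return (m.group(1), int(m.group(2))) if m else None

def san_matches(hostname, san_name):
    """Approximate Java's hostname check: case-insensitive exact match, or a
    wildcard that sits only in the leftmost label and covers exactly one label."""
    host, san = hostname.lower().rstrip("."), san_name.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def missing_san_names(error_text, ldap_urls, san_dns):
    """List every host the client may connect to that no DNS SAN entry covers.
    AD referrals can redirect the client from the configured DC to the bare
    domain name, so that name must be covered by the certificate as well."""
    hosts = [urlparse(u).hostname for u in ldap_urls]
    target = referral_target(error_text)
    if target and target[0].lower() not in hosts:
        hosts.append(target[0])
    return [h for h in hosts if not any(san_matches(h, s) for s in san_dns)]

if __name__ == "__main__":
    for name in missing_san_names(PWM_ERROR, LDAP_URLS, CERT_SAN_DNS):
        print(f"DNS SAN '{name}' is missing from the LDAPS certificate")
```

Run against the thread's values this reports CITY.local as the uncovered name, which is the domain name the client was referred to rather than the DC FQDN the certificate lists.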