topic Re: Using LDAP identity store - certificate error in ArcGIS Enterprise Questions

Using LDAP identity store - certificate error

ToomasAas — Tue, 30 Apr 2013 05:05:25 GMT

I'm setting up ArcGIS for Server 10.1 SP1 on Windows Server 2008 R2. I'm trying to use LDAP as identity store for users and roles. When I configure the identity store in ArcGIS Manager, everything seems to go successfully - I fill in all the required fields, click on 'Test connection' and the connection is successful. After completing configuration (while logged in to Manager as siteadmin) I can successfully search users and roles from the LDAP directory.

However, users configured in LDAP with Administrator-type role can not log in to Manager. The error message given by manager is simply that username or password is incorrect. When tracing the connection on LDAP server, I see the following:

TLS accept failure 1 on connection 0x8f2e5b80, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46
TLS handshake failed on connection 0x8f2e5b80, err = -5875.

The LDAP directory in question is Novell eDirectory 8.8.5. It is configured to require TLS for binds with password. The LDAP server uses SSL certificate issued by the eDirectory internal CA, not a 'well-known' commercial CA.

I have some OpenLDAP-based client systems which can successfully authenticate users to the same eDirectory. To get these working, I had to introduce our eDirectory CA certificate to the client systems. However, I cannot see a way to do something similar with ArcGIS.

Is there a way to get LDAP-based authentication working in my situation?

Re: Using LDAP identity store - certificate error

BubbaHey — Tue, 30 Apr 2013 12:51:12 GMT

Don't have the answer, but check this link:

Securing services with users and roles from an LDAP server
http://resources.arcgis.com/en/help/main/10.1/index.html#//01540000050w000000

Re: Using LDAP identity store - certificate error

ToomasAas — Tue, 30 Apr 2013 15:08:48 GMT

Thanks for the pointer. I did follow this document when configuring my LDAP settings, and as I mentioned there were no problems during the configuration process itself. But there doesn't seem to be a possibility to configure the SSL certificate for LDAP server in this process.

Re: Using LDAP identity store - certificate error

BubbaHey — Tue, 30 Apr 2013 16:29:42 GMT

Thanks, don't know, but I'll do some digging.

Re: Using LDAP identity store - certificate error

ToomasAas — Thu, 02 May 2013 04:38:45 GMT

I tried adding the eDirectory CA certificate into the Trusted Root Certificates store of the arcgis service account on the server. This did not help.

Re: Using LDAP identity store - certificate error

BubbaHey — Fri, 03 May 2013 13:28:11 GMT

Are you using Web Adaptor? If so, see:

Enabling SSL on ArcGIS Server when accessed through the ArcGIS Web Adaptor
http://resources.arcgis.com/en/help/main/10.1/index.html#//015400000600000000

Re: Using LDAP identity store - certificate error

ToomasAas — Thu, 09 May 2013 07:04:47 GMT

Sorry for the delayed answer. Yes, I am using Web Adaptor. Before encountering the problem with LDAP over SSL, I had already configured the ArcGIS server and Web Adaptor to use SSL following the manual that you referenced. That is all working smoothly. The problem is only when ArcGIS server needs to authenticate users via LDAP over SSL - in my understanding the problem is not with SSL connection between user and ArcGIS server, but between ArcGIS server and LDAP server. The LDAP server does not use the same SSL certificate that ArcGIS server is using.

Re: Using LDAP identity store - certificate error

BubbaHey — Fri, 10 May 2013 16:16:14 GMT

Thanks. I think there may be a bug that appies. Let me look.

Re: Using LDAP identity store - certificate error

BubbaHey — Fri, 10 May 2013 16:21:47 GMT

Could you attach the latest Server Manager logs and also the logs from C:\Program Files\ArcGIS\Server\framework\etc\service\logs?

Re: Using LDAP identity store - certificate error

ThomasMontefusco — Fri, 10 May 2013 16:25:36 GMT

Yes, logs would be good. Also a Fiddler session. To configure Fiddler to capture Web adaptor traffic, do the following:

Start Fiddler
Go to Tools > Fiddler Options > Connections
Check "Allow remote computers to connect"

Within C:\inetpub\wwwroot\arcgis\web.config make the changes described below:
...
<system.net>
<defaultProxy>
<proxy usesystemdefault="false" proxyaddress="http://mymachine.com:8888" bypassonlocal="false" />
</defaultProxy>
</system.net>
...

If you don't have Fiddler, you can download from www.fiddler2.com

Re: Using LDAP identity store - certificate error

ToomasAas — Sat, 11 Dec 2021 16:33:59 GMT

Hello!

I'll attach the logs, but it seems to me that they don't contain much useful information. I changed the log level in ArcGIS Server Manager to 'Debug', but the only log lines that were generated during login attempts are:

Level Time Message Source
SEVERE 2013 5 13 19:22:20 Failed to login, invalid username or password. Admin
SEVERE 2013 5 13 19:19:40 Failed to login, invalid username or password. Admin
SEVERE 2013 5 13 19:18:35 Failed to login, invalid username or password. Admin
SEVERE 2013 5 13 19:14:36 Failed to login, invalid username or password. Admin
SEVERE 2013 5 13 19:12:26 Failed to login, invalid username or password. Admin

Logfiles in ArcGIS\Server\framework\etc\service\logs (service.log and service_error.log) end at the time when I last started the ArcGIS server, and no lines are added there during the login attempts.

Fiddler session (arcgis.saz) is also quite concise (I have never used Fiddler before, so I am not sure whether I did everything correctly).

Re: Using LDAP identity store - certificate error

BubbaHey — Mon, 13 May 2013 17:37:25 GMT

I see this error in the Fiddler logs: {"status":"error","messages":["Failed to login, invalid username or password."]}

Nothing really in the Server logs

Re: Using LDAP identity store - certificate error

ThomasMontefusco — Mon, 13 May 2013 17:46:46 GMT

There is a bug that may apply:

Bug NIM-086807
http://support.esri.com/en/bugs/nimbus/TklNMDg2ODA3

See the following Active Directory domain policy:
http://technet.microsoft.com/en-us/library/cc778124(v=WS.10).aspx

Set "Domain controller: LDAP server signing requirements" to: "None"

Re: Using LDAP identity store - certificate error

ToomasAas — Mon, 13 May 2013 18:17:29 GMT

There is a bug that may apply:

See the following Active Directory domain policy:
http://technet.microsoft.com/en-us/library/cc778124(v=WS.10).aspx

Set "Domain controller: LDAP server signing requirements" to: "None"

As I understand, this setting needs to be done on the domain controller in the case when LDAP authentication is done against Microsoft domain. My situation is different in that I'm trying to authenticate against Novell eDirectory.

From the Novell documentation at http://www.novell.com/documentation/edir873/edir873/data/agtxhz5.html#agwje1p:

The client needs to import a certificate that the client will trust so that the client can validate the tree CA that the LDAP server claims to be using. The client must import a certificate from the server so that whenever the server sends its certificate, the client can validate it and verify that the server is who it claims to be.

So that the client can get a secure connection, the client must be configured before the connection.

The way that the client imports the certificate differs, based on the kind of application being used. Each application must have a method to import a certificate. Netscape browser has one way, IE has another way, and ICE has a third way. These are three different LDAP clients. Each client has its method for locating the certificates that it trusts.

"The client" in this case would be the ArcGIS server, and it seems there is no way that I can import the eDirectory CA certificate into ArcGIS server so that the necessary trust would be established. The only way would be to turn of requirement for TLS on the LDAP server side, but obviously I don't want to do authentication in plaintext.

Looks like what I'm trying to do can't be done at this point, so I'll need to use ArcGIS server's internal user accounts. Fortunately there are not too many people using ArcGIS at our place right now, so this might be workable.

Re: Using LDAP identity store - certificate error

BubbaHey — Tue, 14 May 2013 13:29:08 GMT

Probably right. Can't help much. My last experience with Novell was in 1994. IPX/SPX, remember those days? What a pain it was to get it to work with windows. edited the autoexec.bat and all that stuff.

Re: Using LDAP identity store - certificate error

JustinRodriguez — Tue, 21 May 2013 15:38:24 GMT

Hello,
The logs you provided are the wrong logs. Can you upload the ArcGIS Server logs? You can find the location under Server Manager/Logs.

From the fiddler log, it looks like ArcGIS is receiving an encrypted value as the username, and it doesn't know what to do with it. I see that Tom sent the "required signing" in an earlier post, does that apply to you? Do you know why the username is being sent encrypted? I think that may be the issue. Thanks-

Justin

Re: Using LDAP identity store - certificate error

StephanieSnider — Mon, 23 Dec 2013 14:45:38 GMT

ToomasAas,
Did you ever find a solution to this issue? I've had this happen four times on three different servers (ArcGIS Server 10.2). At some point, ArcGIS Server stops recognizing the active directory and only the Primary Site admin can log in. I've had this happen on a server with GIS tier authentication, SSL enabled and using a trusted certificate. I've also had it happen on a server without SSL enabled, no trusted cert and using WEB tier authentication. The one thing that was common across the servers is that ArcGIS Server was using Windows Domain for authentication. My solution...that sometimes works, is to remove the arcgis-logsettings.json.rlock file and reset the security configuration. If that doesn't work, I restart the ArcGIS Server Service. If that doesn't work, I restart the server. That one has always worked so far. I couldn't find anything in the ArcGIS Server logs or the server manager logs that indicates what had happened to cause this. I'd be happy to hear how you solved this issue.

Re: Using LDAP identity store - certificate error

JustinRodriguez — Mon, 23 Dec 2013 15:31:45 GMT

Hello,
I hope you are doing well. It seems from the description below that your issue may be different that what was being described in the thread above. The .rlock file that you are deleting makes me think that there is some sort of communication issue with your config store. Have you been having any DNS issues or network issues? Are you using any technology that does client side caching (such as OPLOCKS)? Thank you very much-

Justin

ToomasAas,
Did you ever find a solution to this issue? I've had this happen four times on three different servers (ArcGIS Server 10.2). At some point, ArcGIS Server stops recognizing the active directory and only the Primary Site admin can log in. I've had this happen on a server with GIS tier authentication, SSL enabled and using a trusted certificate. I've also had it happen on a server without SSL enabled, no trusted cert and using WEB tier authentication. The one thing that was common across the servers is that ArcGIS Server was using Windows Domain for authentication. My solution...that sometimes works, is to remove the arcgis-logsettings.json.rlock file and reset the security configuration. If that doesn't work, I restart the ArcGIS Server Service. If that doesn't work, I restart the server. That one has always worked so far. I couldn't find anything in the ArcGIS Server logs or the server manager logs that indicates what had happened to cause this. I'd be happy to hear how you solved this issue.

Re: Using LDAP identity store - certificate error

StephanieSnider — Mon, 23 Dec 2013 22:07:22 GMT

Justin,
No, we haven't been having DNS or network issues and no we are not using any client side caching. You're right. This may be a different issue, but it seemed closer than any other post I could find.