Using LDAP identity store - certificate error

04-29-2013 10:05 PM
ToomasAas
New Contributor
I'm setting up ArcGIS for Server 10.1 SP1 on Windows Server 2008 R2. I'm trying to use LDAP as the identity store for users and roles. When I configure the identity store in ArcGIS Manager, everything seems to go successfully - I fill in all the required fields, click on 'Test connection' and the connection is successful. After completing configuration (while logged in to Manager as siteadmin) I can successfully search users and roles from the LDAP directory.

However, users configured in LDAP with an Administrator-type role cannot log in to Manager. The error message given by Manager is simply that the username or password is incorrect. When tracing the connection on the LDAP server, I see the following:

TLS accept failure 1 on connection 0x8f2e5b80, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46
TLS handshake failed on connection 0x8f2e5b80, err = -5875.

The LDAP directory in question is Novell eDirectory 8.8.5. It is configured to require TLS for binds with password. The LDAP server uses SSL certificate issued by the eDirectory internal CA, not a 'well-known' commercial CA.

I have some OpenLDAP-based client systems which can successfully authenticate users to the same eDirectory. To get these working, I had to introduce our eDirectory CA certificate to the client systems. However, I cannot see a way to do something similar with ArcGIS.

Is there a way to get LDAP-based authentication working in my situation?
0 Kudos
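As an added illustration (not part of the original post and not Esri or Novell code), a small Python triage script that parses trace lines of the shape shown above and tells the reader which side refused the certificate: OpenSSL only appends "SSL alert number N" to alerts it has received, so an alert in the LDAP server's trace was sent by the LDAP client. The second connection in the sample trace is constructed for the example.

```python
import re
from dataclasses import dataclass

# TLS alert descriptions (RFC 5246 section 7.2.2) that indicate a certificate trust problem.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

# Line shapes as they appear in an eDirectory LDAP trace (see the excerpt above).
ACCEPT_RE = re.compile(r"TLS accept failure \d+ on connection (0x[0-9a-fA-F]+), setting err = (-?\d+)")
ALERT_RE = re.compile(r"SSL routines:\w+:.*? - SSL alert number (\d+)")

@dataclass
class HandshakeFailure:
    connection: str
    err: int
    alert: int
    alert_name: str

    def verdict(self) -> str:
        # OpenSSL appends "SSL alert number N" only to alerts it received, so the alert was
        # sent by the LDAP client: it is the client that did not accept the server certificate.
        if self.alert in CERT_ALERTS:
            return "client rejected server certificate; add the issuing CA to the client trust store"
        return f"client aborted the handshake with alert {self.alert}; inspect client-side TLS settings"

def parse_trace(lines):
    """Pair each 'TLS accept failure' line with the OpenSSL error stack entry that follows it."""
    failures, pending = [], None
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = ALERT_RE.search(line)
        if m and pending is not None:
            alert = int(m.group(1))
            failures.append(HandshakeFailure(pending[0], pending[1], alert, CERT_ALERTS.get(alert, "other")))
            pending = None
    return failures

# Constructed sample: the failure from the thread plus a made-up second connection with unknown_ca.
SAMPLE_TRACE = """\
TLS accept failure 1 on connection 0x8f2e5b80, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46
TLS handshake failed on connection 0x8f2e5b80, err = -5875.
TLS accept failure 1 on connection 0x8f2e5c00, setting err = -5875. Error stack:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
""".splitlines()
```

Running `parse_trace(SAMPLE_TRACE)` and printing each `verdict()` points the administrator at the client's trust store rather than at the LDAP server's certificate.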
18 Replies
BubbaHey
Occasional Contributor III
Don't have the answer, but check this link:

Securing services with users and roles from an LDAP server
http://resources.arcgis.com/en/help/main/10.1/index.html#//01540000050w000000
0 Kudos
ToomasAas
New Contributor
Thanks for the pointer. I did follow this document when configuring my LDAP settings, and as I mentioned there were no problems during the configuration process itself. But there doesn't seem to be a possibility to configure the SSL certificate for the LDAP server in this process.
0 Kudos
BubbaHey
Occasional Contributor III
Thanks, don't know, but I'll do some digging.
0 Kudos
ToomasAas
New Contributor
I tried adding the eDirectory CA certificate into the Trusted Root Certificates store of the arcgis service account on the server. This did not help.
0 Kudos
BubbaHey
Occasional Contributor III
Are you using Web Adaptor? If so, see:

Enabling SSL on ArcGIS Server when accessed through the ArcGIS Web Adaptor
http://resources.arcgis.com/en/help/main/10.1/index.html#//015400000600000000
0 Kudos
ToomasAas
New Contributor
Sorry for the delayed answer. Yes, I am using Web Adaptor. Before encountering the problem with LDAP over SSL, I had already configured the ArcGIS server and Web Adaptor to use SSL following the manual that you referenced. That is all working smoothly. The problem is only when ArcGIS server needs to authenticate users via LDAP over SSL - in my understanding the problem is not with SSL connection between user and ArcGIS server, but between ArcGIS server and LDAP server. The LDAP server does not use the same SSL certificate that ArcGIS server is using.
0 Kudos
BubbaHey
Occasional Contributor III
Thanks. I think there may be a bug that applies. Let me look.
0 Kudos
BubbaHey
Occasional Contributor III
Could you attach the latest Server Manager logs and also the logs from C:\Program Files\ArcGIS\Server\framework\etc\service\logs?
0 Kudos
ThomasMontefusco
Occasional Contributor II
Yes, logs would be good. Also a Fiddler session. To configure Fiddler to capture Web Adaptor traffic, do the following:

Start Fiddler
Go to Tools > Fiddler Options > Connections
Check "Allow remote computers to connect"

Within C:\inetpub\wwwroot\arcgis\web.config make the changes described below:
...
<system.net>
  <defaultProxy>
    <proxy usesystemdefault="false" proxyaddress="http://mymachine.com:8888" bypassonlocal="false" />
  </defaultProxy>
</system.net>
...

If you don't have Fiddler, you can download it from www.fiddler2.com
0 Kudos