How to configure/troubleshoot secure client connections to AD?

807578 Apr 23 2007 — edited Jul 5 2007
I have a correctly configured AD Login Authority (i.e. URL = ad://my.domain), AD users are successfully authenticating, and I am now attempting to configure SGD for secure connections to AD (i.e. enable "Use Certificates" in Array Manager).

I have followed the "Creating the client certificate" section of: http://docs.sun.com/source/819-6255/secure_ldap.html and downloaded the certificate chain (file) from our Microsoft Certificate Server as per instructions (i.e. using Internet Explorer, selecting DER etc).

However, when I attempt to import the downloaded client certificate (as per the "Installing the client certificate" section) the command fails:

/opt/tarantella/bin/jre/bin/keytool -import -keystore /opt/tarantella/var/info/certs/sslkeystore -storepass "MYPASSWORD" -alias my-clientcert -keypass "MYPASSWORD" -file mycertfile.p7b

keytool error: java.lang.Exception: Input not an X.509 certificate

...of course this is because the certificate I downloaded from my Microsoft CA is in PKCS7 format and not the required X.509 format.

After a bit of messing about I did manage to convert the PKCS7 certificate into X.509 format (using openssl) and then import it, but after I enable "Use Certificates" the AD users are not able to log in. I have enabled LDAP signing on the Windows domain controller as per "Enabling LDAP signing for the domain". If I disable "Use Certificates" AD users are able to log in again.


With "Use Certificates" disabled (i.e. unchecked) my jserver log reports the following with a successful AD user login:

[snip]
2007/04/23 17:44:12.687 (pid 2074) server/ldap/error #1177314252687
Sun Secure Global Desktop Software (4.3) ERROR:

Active Directory service discovery failed: Failed to find any valid Site objects.
Looking up Global Catalog DNS name: gc.tcp.vnet.local. - HIT
Looking for GC on server: Active Directory:vad.vnet.local:/10.0.0.103:3268:Up - HIT
Checking for CN=Configuration: DC=vnet,DC=local - MISS
Checking for CN=Configuration: CN=Configuration,DC=vnet,DC=local - HIT
Looking up domain root context: DC=vnet,DC=local - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: vsgd.vnet.local - HIT


Failed to discover Active Directory Site, Domain and server data.
This might mean LDAP users cannot log in.

Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.
[snip/]



...and with "Use Certificates" enabled (i.e. checked), and after a 'tarantella restart', my jserver log reports the following with an unsuccessful AD user login:

[snip]
2007/04/23 17:49:01.168 (pid 2895) server/ldap/error #1177314541168
Sun Secure Global Desktop Software (4.3) ERROR:

Kerberos failed to authenticate sgdauth@vnet.local with javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2546)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2520)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1901)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1893)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1286)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:118)
at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.doBasicADSetup(LdapRemoteService.java:473)
at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.doBasicSetup(LdapRemoteService.java:300)
at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.getServers(LdapRemoteService.java:143)
at com.sco.tta.common.jndi.provider.ldap.LdapScopeState.getServerList(LdapScopeState.java:284)
at com.sco.tta.common.jndi.provider.ldap.LdapCallState.<init>(LdapCallState.java:110)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.lookupLink(LdapMultiCtx.java:130)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1024)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.toolkit.provider.PartialCompositeContext.lookup(PartialCompositeContext.java:225)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.provider.junction.JunctionContext.lookup(JunctionContext.java:154)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1036)
at com.sco.tta.server.login.ADLoginAuthority.getCandidate(ADLoginAuthority.java:321)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:399)
at com.sco.tta.server.glue.LoginAsadOp.login(LoginAsadOp.java:730)
at com.sco.tta.server.glue.AsadOpHandler.login(AsadOpHandler.java:142)
at com.sco.tta.server.server.waip.WAIPCalcTask.attemptLogin(WAIPCalcTask.java:1419)
at com.sco.tta.server.server.waip.WAIPCalcTask.requestLogin(WAIPCalcTask.java:378)
at com.sco.tta.server.server.waip.WAIPCalcTask.processEnvelope(WAIPCalcTask.java:131)
at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
at com.sco.tta.server.server.mupp.MuppCalcTask.processData(MuppCalcTask.java:392)
at com.sco.tta.server.server.mupp.MuppCalcTask.processEnvelope(MuppCalcTask.java:111)
at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
at com.sco.tta.server.server.Task.run(Task.java:122)
at com.sco.cid.common.WorkerPool$Worker.run(WorkerPool.java:524)
at java.lang.Thread.run(Thread.java:595)


The Active Directory login authority and LDAP webtop generation may not
work if the anonymous user does not have permission to access the user
data on the LDAP server.

Enter a valid LDAP username and password using the Array Manager.

2007/04/23 17:49:01.175 (pid 2895) server/ldap/error #1177314541175
Sun Secure Global Desktop Software (4.3) ERROR:

LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=VNET,DC=LOCAL") 495ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server

A call to LDAP failed. This might mean LDAP users cannot log in.

Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
[snip/]


I'd be very interested to hear from anyone who has managed to get this working or may have hints on how to troubleshoot.
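The conversion step the post glosses over ("convert the PKCS7 certificate into X.509 format using openssl"), as an added example that is not from the original post or from SGD: a .p7b chain saved by the Microsoft CA is a PKCS#7 SignedData wrapper, which keytool rejects, so the script unwraps it into one PEM X.509 file per certificate and imports each as a trusted certificate. The keytool and keystore paths are the ones quoted in the post; the function names, alias scheme and sample chain are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Unwraps a Microsoft CA .p7b
# chain into individual X.509 certs and imports them into the SGD keystore.
set -eu

# Paths quoted in the post; override via the environment if yours differ.
KEYTOOL="${KEYTOOL:-/opt/tarantella/bin/jre/bin/keytool}"
KEYSTORE="${KEYSTORE:-/opt/tarantella/var/info/certs/sslkeystore}"

# p7b_to_pem IN.p7b OUTDIR -> writes OUTDIR/cert-N.pem and prints the count.
p7b_to_pem() {
    in="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Internet Explorer can save the chain as DER or base64 (PEM); try DER
    # first, fall back to PEM. -print_certs emits the embedded certificates.
    if ! openssl pkcs7 -inform DER -in "$in" -print_certs -out "$outdir/chain.pem" 2>/dev/null; then
        openssl pkcs7 -inform PEM -in "$in" -print_certs -out "$outdir/chain.pem"
    fi
    # Split the concatenated PEM into one file per certificate; the
    # "subject=/issuer=" text lines between blocks are dropped.
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$outdir/chain.pem"
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# import_chain OUTDIR ALIASPREFIX STOREPASS -> one keytool import per cert.
import_chain() {
    dir="$1"; prefix="$2"; pass="$3"
    for c in "$dir"/cert-*.pem; do
        echo "importing $(openssl x509 -in "$c" -noout -subject)"
        # -trustcacerts lets keytool chain a subordinate CA to a root that
        # is already in the store; -noprompt skips the interactive "Trust?".
        "$KEYTOOL" -import -noprompt -trustcacerts -keystore "$KEYSTORE" \
            -storepass "$pass" -alias "$prefix-$(basename "$c" .pem)" -file "$c"
    done
}

# Usage with the post's values (hypothetical alias prefix):
#   p7b_to_pem mycertfile.p7b ./certs && import_chain ./certs my-clientcert "MYPASSWORD"
```

After importing, `keytool -list -keystore "$KEYSTORE" -storepass ... -v` should show each CA of the chain as a trustedCertEntry before "Use Certificates" is re-enabled.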
Locked on Aug 2 2007