How to configure/troubleshoot secure client connections to AD?

I have a correctly configured AD Login Authority (i.e. URL = ad://my.domain), AD users are successfully authenticating, and I am now attempting to configure SGD for secure connections to AD (i.e. enable "Use Certificates" in Array Manager).

I have followed the "Creating the client certificate" section of: http://docs.sun.com/source/819-6255/secure_ldap.html and downloaded the certificate chain (file) from our Microsoft Certificate Server as per instructions (i.e. using Internet Explorer, selecting DER etc).

However, when I attempt to import the downloaded client certificate (as per the "Installing the client certificate" section) the command fails:

/opt/tarantella/bin/jre/bin/keytool -import -keystore /opt/tarantella/var/info/certs/sslkeystore -storepass "MYPASSWORD" -alias my-clientcert -keypass "MYPASSWORD" -file mycertfile.p7b

keytool error: java.lang.Exception: Input not an X.509 certificate

...of course this is because the certificate I downloaded from my Microsoft CA is in PKCS7 format and not the required X.509 format.

After a bit of messing about I did manage to convert the PKCS7 certificate into X.509 format (using openssl) and then import it, but after I enable "Use Certificates" the AD users are not able to login. I have enabled LDAP signing on the Windows domain controller as per "Enabling LDAP signing for the domain". If I disable "Use Certificates" AD users are able to login again.

With "Use Certificates" disabled (i.e. unchecked) my jserver log reports the following with a successful AD user login:

[snip]

2007/04/23 17:44:12.687 (pid 2074)server/ldap/error#1177314252687
Sun Secure Global Desktop Software (4.3) ERROR:
Active Directory service discovery failed: Failed to find any valid Site objects.
Looking up Global Catalog DNS name: _gc._tcp.vnet.local. - HIT
Looking for GC on server: Active Directory:vad.vnet.local:/10.0.0.103:3268:Up - HIT
Checking for CN=Configuration: DC=vnet,DC=local - MISS
Checking for CN=Configuration: CN=Configuration,DC=vnet,DC=local - HIT
Looking up domain root context: DC=vnet,DC=local - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: vsgd.vnet.local - HIT
Failed to discover Active Directory Site, Domain and server data.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.

[snip/]

...and with "Use Certificates" enabled (i.e. checked), and after a 'tarantella restart', my jserver log reports the following with an *unsuccessful* AD user login:

[snip]

2007/04/23 17:49:01.168 (pid 2895)server/ldap/error#1177314541168
Sun Secure Global Desktop Software (4.3) ERROR:
Kerberos failed to authenticate sgdauth@vnet.local with javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2546)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2520)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1901)
    at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1893)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1286)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:118)
    at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.doBasicADSetup(LdapRemoteService.java:473)
    at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.doBasicSetup(LdapRemoteService.java:300)
    at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.getServers(LdapRemoteService.java:143)
    at com.sco.tta.common.jndi.provider.ldap.LdapScopeState.getServerList(LdapScopeState.java:284)
    at com.sco.tta.common.jndi.provider.ldap.LdapCallState.<init>(LdapCallState.java:110)
    at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.lookupLink(LdapMultiCtx.java:130)
    at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1024)
    at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
    at com.sco.jndi.toolkit.provider.PartialCompositeContext.lookup(PartialCompositeContext.java:225)
    at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
    at com.sco.jndi.provider.junction.JunctionContext.lookup(JunctionContext.java:154)
    at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1036)
    at com.sco.tta.server.login.ADLoginAuthority.getCandidate(ADLoginAuthority.java:321)
    at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:399)
    at com.sco.tta.server.glue.LoginAsadOp.login(LoginAsadOp.java:730)
    at com.sco.tta.server.glue.AsadOpHandler.login(AsadOpHandler.java:142)
    at com.sco.tta.server.server.waip.WAIPCalcTask.attemptLogin(WAIPCalcTask.java:1419)
    at com.sco.tta.server.server.waip.WAIPCalcTask.requestLogin(WAIPCalcTask.java:378)
    at com.sco.tta.server.server.waip.WAIPCalcTask.processEnvelope(WAIPCalcTask.java:131)
    at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
    at com.sco.tta.server.server.mupp.MuppCalcTask.processData(MuppCalcTask.java:392)
    at com.sco.tta.server.server.mupp.MuppCalcTask.processEnvelope(MuppCalcTask.java:111)
    at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
    at com.sco.tta.server.server.Task.run(Task.java:122)
    at com.sco.cid.common.WorkerPool$Worker.run(WorkerPool.java:524)
    at java.lang.Thread.run(Thread.java:595)
The Active Directory login authority and LDAP webtop generation may not
work if the anonymous user does not have permission to access the user
data on the LDAP server.
Enter a valid LDAP username and password using the Array Manager.

2007/04/23 17:49:01.175 (pid 2895)server/ldap/error#1177314541175
Sun Secure Global Desktop Software (4.3) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=VNET,DC=LOCAL") 495ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.

[snip/]

I'd be very interested to hear from anyone who has managed to get this working or may have hints on how to troubleshoot.

[7466 byte] By [pka@theya] at [2007-11-27 1:58:57]
# 1

> I have followed the "Creating the client certificate"
> section of:
> http://docs.sun.com/source/819-6255/secure_ldap.html
> and downloaded the certificate chain (file) from our
> Microsoft Certificate Server as per instructions
> (i.e. using Internet Explorer, selecting DER etc).

I think the docs were probably wrong in this example as you're really supposed to download just the certificate in Base-64 PEM format. I believe this has been rectified in the newer version of docs (definitely for the next release).

> Kerberos failed to authenticate sgdauth@vnet.local
> with javax.naming.AuthenticationException: [LDAP:
> error code 49 - 8009030C: LdapErr: DSID-0C09048B,
> comment: The server did not receive any credentials
> via TLS, data 0, vece]; remaining name ''

This error implies that a valid client cert was not found. It could be possible that something went wrong in the certificate conversion process. It is likely that importing a certificate chain would cause problems.

If you need it, the current docs are at http://docs.sun.com/source/820-1088/secure_ldap.html

(still says "certificate chain", but that'll be removed from the next released docs)

Hope this helps,

DD

deanydean_sgda at 2007-7-12 1:36:13
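The conversion the original poster had to work out by hand, and the "just the certificate in Base-64 PEM" point from the reply, as an added example that is not code from the thread, from Sun's documentation or from the SGD product: a few POSIX shell helpers that classify a downloaded certificate file by its PEM header, convert a PKCS#7 bundle (.p7b, DER or PEM) to X.509 PEM with openssl, pull a single certificate out of a multi-certificate result, and print its subject, issuer and expiry before anything goes near keytool. The function names, the sample file names and the usage lines in the comment are constructed for this example (the keytool path and keystore path are the ones in the original post); openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for getting a CA certificate
# downloaded from a Microsoft CA into the shape keytool -import expects:
# exactly one X.509 certificate, PEM or DER, not a PKCS#7 bundle.
# Assumes openssl is on PATH.

# Print one of: pem-x509, pem-pkcs7, der, unknown
cert_format_of() {
    f="$1"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem-x509
    elif grep -q -- '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        echo pem-pkcs7
    elif [ "$(head -c 1 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der          # leading ASN.1 SEQUENCE: DER-encoded X.509 or PKCS#7
    else
        echo unknown
    fi
}

# Number of X.509 certificates in a PEM file (keytool -import wants exactly one).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Convert a PKCS#7 bundle into X.509 PEM. openssl writes every certificate in
# the bundle, each preceded by subject=/issuer= text lines, so the result may
# hold more than one certificate and must be split before importing.
pkcs7_to_x509_pem() {
    in="$1"; out="$2"
    case "$(cert_format_of "$in")" in
        pem-pkcs7) inform=PEM ;;
        der)       inform=DER ;;
        *) echo "not a PKCS#7 file: $in" >&2; return 1 ;;
    esac
    openssl pkcs7 -inform "$inform" -in "$in" -print_certs -out "$out" \
        && [ "$(pem_cert_count "$out")" -ge 1 ]
}

# Emit only the n-th (1-based) BEGIN..END CERTIFICATE block of a PEM file,
# dropping the subject=/issuer= text so the output is a clean single cert.
pem_cert_nth() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { c++ }
        c == n                       { print }
        /-----END CERTIFICATE-----/  { if (c == n) exit }
    ' "$1"
}

# Subject, issuer and expiry of one certificate: check this is the CA cert
# you meant to trust before it goes into the SGD keystore.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Usage (file names are placeholders):
#   pkcs7_to_x509_pem certnew.p7b chain.pem
#   pem_cert_count chain.pem            # e.g. 2 for issuing CA + root
#   pem_cert_nth chain.pem 1 > ca-1.pem
#   cert_summary ca-1.pem
#   /opt/tarantella/bin/jre/bin/keytool -import \
#       -keystore /opt/tarantella/var/info/certs/sslkeystore \
#       -alias my-clientcert -file ca-1.pem
```

Importing one certificate at a time under its own alias sidesteps the chain problem the reply mentions, and `keytool -list -keystore /opt/tarantella/var/info/certs/sslkeystore` afterwards confirms what actually landed in the keystore before "Use Certificates" is switched on.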