
Post AD Upgrade 2016 - SSPR Not working


After upgrading our DCs to Server 2016 I started getting random 5015 errors in SSPR.

Error  An error has occurred.

If this error occurs repeatedly please contact your helpdesk.

February 28, 2020 at 1:59:30 AM India Standard Time, WARN , provider.FailOverWrapper, unable to reach ldap server ldaps://******************, last error: javax.naming.CommunicationException: **********, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=****************} does not match a certificate in the configuration trust store.

It looks like a certificate issue, but when I use auto import from server, I am able to do it successfully.

Version : SSPR v4.1.0.0 b256 r39020


  • 0  

    Later JVMs that Tomcat runs on (which SSPR runs inside, and thus is a victim of the parent JVM) may require a couple of things.

    That the Subject Alternative Name in the cert match the name used in the request (and annoyingly case sensitively, I believe). Since eDir certs for LDAP are a piece of cake to remake and swap for LDAP (and signed by the same parent, so easy to swap), I would consider making a cert whose SAN matches that name exactly (as well as all the server's possible names).

    There are override settings you can start the Tomcat instance's JVM with but I am not certain it is the greatest idea to do that.

  • 0  

    Are you accessing your DCs via a loadbalancer or some kind of DNS round robin?

    That would explain random failures if you connect to a server that isn't the one you retrieved the certificate from.

    SSPR does not support an alias or load balancer for LDAP. You must explicitly list all LDAP servers that SSPR should be connecting to.

    With 4.4 there is no need to import specific server certificates anymore; just use the CA one instead: https://www.netiq.com/documentation/self-service-password-reset-44/release-notes-sspr-44/data/release-notes-sspr-44.html#t48blnuwu0dd
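The two replies above come down to one check: does the certificate each LDAP target actually presents name the host written in the ldaps:// URL, and is that still true for every server that can answer behind that name? The script below is an added example for this thread, not SSPR's or NetIQ's own code. It works on certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, uses constructed sample certificates with hypothetical host names (dc1.example.com and friends), folds case as RFC 6125 specifies, and allows one leftmost wildcard label. The "alias" scenario reproduces the random-failure pattern from the second reply: a load balancer name handing out two DCs whose certificates each name only themselves.

```python
"""Added diagnostic: does the certificate behind each configured LDAP host name that host?
Sample certificates are constructed and host names are hypothetical; nothing here is from the thread."""
from typing import Dict, List, Tuple

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
DC1_CERT = {
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"), ("DNS", "DC1")),
}
DC2_CERT = {
    "subject": ((("commonName", "dc2.example.com"),),),
    "subjectAltName": (("DNS", "dc2.example.com"),),
}
# Older-style cert with no SAN at all: only the CN is available for matching.
LEGACY_CERT = {
    "subject": ((("commonName", "dc3.example.com"),),),
}


def cert_names(cert: dict) -> List[str]:
    """DNS names a cert claims: SAN dNSName entries, or the CN only when no SAN is present."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn if kind == "commonName"]


def name_matches(configured_host: str, cert_name: str) -> bool:
    """Case-insensitive label-wise match; '*' may stand for exactly one leftmost label."""
    host = configured_host.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*" and len(pattern) > 2:
        return host[1:] == pattern[1:]
    return host == pattern


def diagnose(configured_hosts: List[str],
             presented: Dict[str, List[dict]]) -> Dict[str, List[Tuple[str, bool]]]:
    """For every host named in an ldaps:// URL, check each certificate observed behind it.

    `presented` maps a configured host to the certs actually seen when connecting to it:
    one cert when the host is a single DC, several when the name is a load balancer or
    DNS round robin that hands out a different DC on different connections.
    """
    report: Dict[str, List[Tuple[str, bool]]] = {}
    for host in configured_hosts:
        rows = []
        for cert in presented.get(host, []):
            names = cert_names(cert)
            rows.append((", ".join(names) or "<unnamed>", any(name_matches(host, n) for n in names)))
        report[host] = rows
    return report


def all_consistent(report: Dict[str, List[Tuple[str, bool]]]) -> bool:
    """True only if every configured host was seen at least once and every cert behind it names it."""
    return bool(report) and all(rows and all(ok for _, ok in rows) for rows in report.values())


if __name__ == "__main__":
    # Each DC listed explicitly, as SSPR requires: every cert names its own host.
    direct = diagnose(["dc1.example.com", "DC2.example.com"],
                      {"dc1.example.com": [DC1_CERT], "DC2.example.com": [DC2_CERT]})
    # One alias in front of both DCs: whichever DC answers, its cert never names the alias.
    alias = diagnose(["ldap.example.com"], {"ldap.example.com": [DC1_CERT, DC2_CERT]})
    for label, report in (("explicit DCs", direct), ("alias / load balancer", alias)):
        print(f"{label}: consistent={all_consistent(report)}")
        for host, rows in report.items():
            for names, ok in rows:
                print(f"  {host:20} presented [{names}] -> {'OK' if ok else 'MISMATCH'}")
```

Feeding real data in means collecting getpeercert() output from several connections to each configured host and passing those lists as `presented`; a host that collects more than one distinct certificate is the one an alias or round robin is hiding, which is exactly what the second reply says SSPR does not support.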


  • 0 in reply to   

    Are you accessing your DCs via a loadbalancer or some kind of DNS round robin? --- no 


    Tried the following and it worked.

    1. Re-loaded the AD certificates a couple of times in SSPR

    2. Rebooted the server