Commodore

Post AD Upgrade 2016 - SSPR Not working


After upgrading our DCs to Server 2016 I started getting random 5015 errors in SSPR.

Error  An error has occurred.

If this error occurs repeatedly please contact your helpdesk.

February 28, 2020 at 1:59:30 AM India Standard Time, WARN , provider.FailOverWrapper, unable to reach ldap server ldaps://******************, last error: javax.naming.CommunicationException: **********, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=****************} does not match a certificate in the configuration trust store.

It looks like a certificate issue, but when I use auto import from server, I am able to do it successfully.

Version : SSPR v4.1.0.0 b256 r39020

Knowledge Partner

Later JVMs that Tomcat runs on (which SSPR runs inside, and so SSPR is a victim of the parent JVM) may require a couple of things.

That the Subject Alternate Name in the cert match the name used in the request (and annoyingly case sensitively, I believe). Since eDir certs for LDAP are a piece of cake to remake and swap for LDAP (and signed by the same parent, so easy to swap), I would consider making a cert whose SAN matches that name exactly (as well as all the server's possible names).

There are override settings you can start the Tomcat instance's JVM with, but I am not certain it is the greatest idea to do that.

Micro Focus Expert

Are you accessing your DCs via a loadbalancer or some kind of DNS round robin?

That would explain random failures if you connect to a server that isn't the one you retrieved the certificate from.

SSPR does not support an alias or load balancer for LDAP. You must explicitly list all LDAP servers that SSPR should be connecting to.

With 4.4 there is no need to import specific server certificates anymore; just use the CA one instead: https://www.netiq.com/documentation/self-service-password-reset-44/release-notes-sspr-44/data/release-notes-sspr-44.html#t48blnuwu0dd


--
Norbert
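As an added diagnostic example (not part of Norbert's reply and not SSPR's own code), the following Python models the two checks behind the error in the original post, the pinned-certificate check and the host-name/SAN check, over constructed certificate data: a pool where only one DC's certificate was imported fails for a predictable fraction of connections, which is exactly what "random" 5015 errors look like. The `Cert` shape, `fake_cert` and the host names are assumptions for illustration.

```python
"""Audit which LDAPS servers SSPR would accept against its pinned trust store.

Per this thread's error, the presented server certificate must itself be in SSPR's
trust store, and the JVM also requires the requested host name to be covered by the
cert's SAN. With several DCs in a pool and only one cert imported, failures look
random. Every certificate below is constructed sample data, not a real DC cert.
"""
import hashlib
from collections import namedtuple

Cert = namedtuple("Cert", "subject_cn sans fingerprint")  # SAN DNS names, hex SHA-256 of DER

def fake_cert(cn, *sans):
    """Constructed stand-in: the fingerprint is derived from the names so runs repeat."""
    return Cert(cn, tuple(sans), hashlib.sha256(f"{cn}|{'|'.join(sans)}".encode()).hexdigest())

def san_matches(hostname, san):
    """RFC 6125 DNS-ID match: case-insensitive; '*' only as the whole left-most label."""
    host, pattern = hostname.lower().rstrip(".").split("."), san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    return host[1:] == pattern[1:] if pattern[0] == "*" else host == pattern

def check_server(hostname, presented, trust_store):
    """(ok, reason) for one pool member, mirroring the two checks behind the thread's error."""
    if presented.fingerprint not in {c.fingerprint for c in trust_store}:
        return False, "server certificate does not match a certificate in the configuration trust store"
    if not any(san_matches(hostname, s) for s in presented.sans):
        return False, f"no SAN of {presented.subject_cn} covers {hostname}"
    return True, "ok"

def audit(pool, trust_store):
    """pool: {host name used in the ldaps:// URL: Cert that server presents} -> {host: (ok, reason)}."""
    return {host: check_server(host, cert, trust_store) for host, cert in pool.items()}

def failure_fraction(results):
    """With round-robin selection this is roughly how often a bind fails 'at random'."""
    return sum(not ok for ok, _ in results.values()) / len(results)

# Constructed scenario: only DC1's certificate was auto-imported into the trust store.
DC1 = fake_cert("dc1.corp.example", "dc1.corp.example")
DC2 = fake_cert("dc2.corp.example", "dc2.corp.example")
TRUST_STORE = [DC1]
POOL = {
    "DC1.corp.example": DC1,   # trusted; case differs, but DNS names compare case-insensitively
    "dc2.corp.example": DC2,   # never imported -> the exact error text from the thread
    "ldap.corp.example": DC1,  # alias that DC1's SAN does not cover -> host-name mismatch
}
```

Running `audit(POOL, TRUST_STORE)` flags dc2 with the thread's "does not match a certificate in the configuration trust store" text and the alias with a SAN mismatch, so two of three pool members fail while the auto-import against DC1 still succeeds.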
Commodore

Are you accessing your DCs via a loadbalancer or some kind of DNS round robin? --- no 


Tried the following and it worked.

1. Re-loaded the AD certificates a couple of times in SSPR

2. Rebooted the server
