jschwill

SSPR error 5015

Is anyone running the 4.2 SSPR appliance with Windows Server 2016 as the LDAP source successfully?

After upgrading our DCs to Server 2016 I started getting random 5015 errors in SSPR

Error 5015
An error has occurred. If this error occurs repeatedly please contact your help desk.

5015 ERROR_UNKNOWN (unexpected error during ldap search (profile=password.pwm.config.profile.LdapProfile@6de80aca), error: 5015 ERROR_UNKNOWN (ldap error during searchID=295, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: usd501.tps:636, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate {subject=CN=dns1.usd501.tps} does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=dns1.usd501.tps} does not match a certificate in the configuration trust store.))


If anyone has this configuration running without any problems, can you share the LDAP certificate template setup that you are using to generate LDAP certs?


I have had an open SR with Micro Focus since Oct. 2 2017 for this issue with no resolution.
5 Replies
Knowledge Partner

Re: SSPR error 5015

The message appears to be a standard trust issue with TLS/SSL. How you
did the certificates on the microsoft active directory (MAD) side may
matter a little, but the complaint is specifically about the certificate's
"Subject" not matching something trusted by SSPR.

It appears that the certificate returned from MAD has a Subject of
dns1.usd501.tps and if that is the case then either that certificate, or
better yet the certificate of the Certificate Authority (CA) that signed
it, should be trusted by SSPR. If not, or if the Subject line does not
match the address used by SSPR to find that service (e.g. you access it by
IP address, or some other DNS name maybe hitting a load balancer), then
that could also explain some types of TLS errors.

How do you have TLS/SSL trust setup for the LDAPS connection in SSPR?
Have you tried doing that again?

How do you have your connection from SSPR configured to reach the LDAPS
service? What are the addresses used, and do you have multiple servers
specified, or are you (not recommended) pointing to a load balancer or
something?


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
jschwill
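The trust failure this reply describes can be reproduced outside SSPR. The script below is an added example, not SSPR code and not something posted in the thread: it pulls the endpoint SSPR dialled and the subject it was shown out of a 5015 message (the thread's own error text is the constructed sample), then, for each DC you name on the command line, performs a strict TLS handshake to tell a hostname mismatch from a chain that is not anchored in the trust store, and prints the SHA-256 fingerprint of the certificate the DC actually presents so it can be compared with the certificates imported into the SSPR LDAP profile. Function and argument names are my own; the verify codes are OpenSSL's; the assumption that usd501.tps is the AD domain name, which resolves to whichever DC answers, is mine.

```python
"""Added diagnostic (not SSPR's own code): parse an SSPR 5015 LDAP error and
reproduce the TLS trust check against each LDAPS host, standard library only."""
import hashlib
import re
import socket
import ssl
import sys

# Constructed sample: the 5015 text from the thread with the profile wrapper trimmed.
SAMPLE_ERROR = (
    "5015 ERROR_UNKNOWN (ldap error during searchID=295, "
    "error=javax.naming.PartialResultException, "
    "cause:javax.naming.CommunicationException: usd501.tps:636, "
    "cause:javax.net.ssl.SSLHandshakeException: "
    "java.security.cert.CertificateException: server certificate "
    "{subject=CN=dns1.usd501.tps} does not match a certificate in the "
    "configuration trust store.)"
)


def parse_sspr_ldap_error(msg):
    """Return the endpoint SSPR dialled and the certificate subject it was shown,
    or None when the text carries neither."""
    endpoint = re.search(r"CommunicationException:\s*([\w.\-]+):(\d+)", msg)
    subject = re.search(r"server certificate \{subject=([^}]*)\}", msg)
    if endpoint is None and subject is None:
        return None
    host = endpoint.group(1) if endpoint else None
    subj = subject.group(1).strip() if subject else None
    cn = re.search(r"(?:^|,)\s*CN=([^,]+)", subj or "")
    presented_cn = cn.group(1).strip() if cn else None
    return {
        "configured_host": host,
        "port": int(endpoint.group(2)) if endpoint else None,
        "presented_subject": subj,
        "presented_cn": presented_cn,
        # Assumption: a domain-level name (usd501.tps) resolves to several DCs, so
        # the name dialled and the name in the presented certificate differ.
        "name_matches_configured_host": (
            host is not None and presented_cn is not None
            and host.lower() == presented_cn.lower()
        ),
    }


def server_cert_sha256(host, port=636, timeout=5):
    """Fetch the certificate a host actually presents (verification off, so this
    works even when trust is broken) and return its SHA-256 fingerprint for
    comparison with the certificates imported into the SSPR LDAP profile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_ldaps_trust(host, port=636, cafile=None, timeout=5):
    """Do a verified handshake the way a strict client does and classify any
    failure.  cafile is the CA bundle expected to anchor the DC certificate
    (None = system store).  Returns (status, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL verify code 62 is "hostname mismatch"; 18/19/20 mean the chain
        # does not end at anything in the trust store.
        kind = "hostname_mismatch" if exc.verify_code == 62 else "untrusted_chain"
        return kind, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "connect_or_handshake_error", str(exc)


if __name__ == "__main__":
    # Usage: python ldaps_trust_check.py [ca-bundle.pem] dc1.example.test [dc2 ...]
    # Name each DC configured in SSPR individually, not the domain name, because
    # the domain name answers from whichever DC DNS hands out.
    args = sys.argv[1:]
    cafile = args.pop(0) if args and args[0].endswith(".pem") else None
    print("from error text:", parse_sspr_ldap_error(SAMPLE_ERROR))
    for dc in args:
        status, detail = check_ldaps_trust(dc, cafile=cafile)
        print(f"{dc}: {status} ({detail})")
        if status != "connect_or_handshake_error":
            print("  presented cert sha256:", server_cert_sha256(dc))
```

On the thread's message the parser reports that SSPR dialled usd501.tps:636 and was answered by a server calling itself dns1.usd501.tps, which is why every DC that can answer for that name (or the CA that issued their certificates) has to be present in the SSPR trust store.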

Re: SSPR error 5015

I have completely removed, regenerated and re-imported the certs into SSPR. I have multiple DCs configured for LDAP, there is no load balancer to access the LDAP servers.
Knowledge Partner

Re: SSPR error 5015

The next place I would look is probably either a separate instance of SSPR
(using the patch released just yesterday I think), or else a LAN/wire
trace. Getting one from tcpdump is pretty trivial and it can help to see
which packets in the TLS/SSL handshake have been exchanged, as well as
confirming which side breaks the connection (presumably the client side in
this case, but it depends on the two components involved):


sudo /usr/sbin/tcpdump -n -s 0 -i any -v -w /tmp/tcp636.cap port 636


If you can post the results somewhere, I'd be happy to look them over.
Since the data are encrypted, there should not be much sensitive in there.

jschwill

Re: SSPR error 5015

I was looking again at the error and noticed that it was referencing a server that I had removed from the sources. I put it back in and so far have had no errors. It appears that SSPR had that setting 'stuck' somehow? Anyway, I have put all DCs that I have as LDAP sources (5 total) in the configuration and it appears to be working now.
Knowledge Partner

Re: SSPR error 5015

Well that's interesting; thank you for posting back your results. If it
comes up again, let's try to figure it out at that time.

In the meantime, it may be worth determining if SSPR is connecting to all
of those boxes, or just the one you put back in, since having multiple
options present helps when one of them goes down, and if it really is
stuck, then you are not getting much value out of the others in there.

