Connection to the Active Directory Domain Controller on SAMBA

Hello,

I am using FSPMS version 13.12 and linking to an AD domain on WS2008R2 with no problem from the FSPMC console using LDAP://servername.domain.

However, if I want to connect to the Active Directory Domain Controller on SAMBA, I get the message "Could not connect to the domain server. Check that you entered all necessary information correctly." Has anyone tried to connect to AD on SAMBA?


The error fragment from the Administrator.error.log file

Thu Feb 28 10:09:53 CET 2019
java.util.concurrent.ExecutionException: com.fsecure.fsa.ad.ldap.LdapException: Could not connect to the domain server. Check that you entered all necessary information correctly.
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at javax.swing.SwingWorker.get(SwingWorker.java:602)
at com.fsecure.fspmc.ui.adsync.AddressAndCredentialsPage$1.done(AddressAndCredentialsPage.java:115)
at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
at javax.swing.Timer.fireActionPerformed(Timer.java:313)
at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:109)
at java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:190)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:235)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:233)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:233)
at java.awt.Dialog.show(Dialog.java:1084)
at com.fsecure.common.awt.FDialog.show(FDialog.java:250)
at com.fsecure.common.awt.WizardDialog.show(WizardDialog.java:190)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:185)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:177)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createRule(ActiveDirectoryView.java:400)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createSyncRule(ActiveDirectoryView.java:392)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView$9.actionPerformed(ActiveDirectoryView.java:381)
at com.fsecure.fspmc.ui.installation.ActionItem.lambda$new$0(ActionItem.java:85)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:289)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2237)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2295)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4889)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4526)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4467)
at java.awt.Container.dispatchEventImpl(Container.java:2281)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.awt.EventQueue$4.run(EventQueue.java:729)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

 

Best Answer

  • ZS Posts: 5
    Accepted Answer

    Thanks to the help it worked

    1. I checked the AD server certificate, then from the directory:

               openssl s_client -showcerts -connect ad1.domain.local:636

               cd /usr/local/samba/private/tls    ## if you compiled samba from sources

               cd /var/lib/samba/private/tls      ## if you installed samba from repos

    2. I copied the certificate and converted it from *.pem to *.crt:

               openssl x509 -outform der -in your-cert.pem -out your-cert.crt

               and finally, according to the instructions:

    3. Run the following command to go to Policy Manager's JRE directory:

               cd /opt/f-secure/fspms/jre/

    4. Run keytool to apply the certificate:

                ./bin/keytool -importcert -keystore ./lib/security/cacerts -file /tmp/crt/server.crt

               keytool prompts you to enter a password. Use the default keystore password, changeit.

    5. Enter yes when asked if you trust this certificate, and press Enter.

    6. Restart the Policy Manager service:

               /etc/init.d/fspms restart

    Samba from version 4 uses LDAPS to connect

Comments

  • etomcat Posts: 1,318 Superuser

    Hello,

    > if I want to connect to the Active Directory Domain Controller on SAMBA

    What is the version of Samba and what is the underlying OS? Such exacting technical information would be important for any answer.

    On the other hand, Samba is a kind of hack, a reverse engineered project, so official support is probably not provided for connectivity with that, only bona fide Microsoft AD.

    Best regards: Tamas Feher, Hungary.

  • A-Grinkevitch Posts: 162 F-Secure Employee

    Hello ZS,

    PM was never tested with SAMBA, but in theory LDAP should work...

    Please check the Policy Manager Server fspms-webapp-errors.log for the corresponding exception; it should contain details about the reason.

    BR,

    Alexander

  • ZS Posts: 5

    Samba version 4.7.6-Ubuntu; the OS version is Ubuntu 18.04.1 LTS.

    Errors from the fspms-webapp-errors.log file.
    This is the error when I try to connect using LDAP://

    04.03.2019 11:52:23,920 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]

    and this is the error when using LDAPS://

    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
  • A-Grinkevitch Posts: 162 F-Secure Employee

    Could you please provide the full exception that happened at 04.03.2019 11:54:20,564 (from the second spoiler), including “Caused by”?

  • ZS Posts: 5

    Of course, here it is

    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.reflect.GeneratedMethodAccessor1123.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.sun.proxy.$Proxy193.query(Unknown Source) ~[?:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:215) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:39) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invokeAndCreateResult(RemoteInvocationBasedExporter.java:114) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.fsecure.commons.java.spring.remoting.httpinvoker.StreamHttpInvokerServiceExporter.handleRequest(StreamHttpInvokerServiceExporter.java:61) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:881) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.notification.BayeuxClientIdFilter.doFilter(BayeuxClientIdFilter.java:35) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at com.fsecure.commons.java.spring.session.SessionTerminationFilter.doFilter(SessionTerminationFilter.java:52) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[jetty-security-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) ~[jetty-rewrite-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.RewriteHandlerWithAsyncSupport.handle(RewriteHandlerWithAsyncSupport.java:30) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.SingleConnectorHandler.handle(SingleConnectorHandler.java:33) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:169) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.Server.handle(Server.java:534) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
    Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at com.fsecure.fsa.ad.ldap.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.java:45) ~[commons-java-ldap-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
  • A-Grinkevitch Posts: 162 F-Secure Employee

    That’s the reason:
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain

    I’d suggest checking the certificate at your LDAPS port, for instance by running “openssl.exe s_client -connect AD1.DOMAIN.LOCAL:636”, which dumps the certificate to the console. If you save this certificate dump to a *.crt file, a certificate viewer will let you check all the details.

    To make LDAPS work, you need to establish a trust relationship between PM and SAMBA (by changing the LDAPS certificate, importing the certificate’s CA into PM, or both).
    If Policy Manager is installed on a Windows host, PM uses the system’s Trusted Root CA store. For PM running on Linux, please check the following Admin Guide page: https://help.f-secure.com/product.html#business/policy-manager/14.00/en/task_A2581FFE289649E6A64D0BE5182E86AF-14.00-en

    Laksh
  • A-Grinkevitch Posts: 162 F-Secure Employee

    Great! Thank you for the update!

This discussion has been closed.