Unable to use LDAPS with Microsoft Active Directory

UC IT Solutions Center October 21, 2019

I am having issues using LDAPS with Microsoft Active Directory. My configuration works using LDAP, but when I switch to LDAPS I get the following error:

Test basic connection : Succeeded
Test retrieve user : Failed
org.springframework.ldap.PartialResultException:
nested exception is javax.naming.PartialResultException
[Root exception is javax.naming.CommunicationException: ForestDnsZones.ad.uc.edu:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative DNS name matching ForestDnsZones.ad.uc.edu found.]]

This is with the "Follow Referrals" option enabled. If I disable that option for LDAPS, the connection times out. LDAP connections work with "Follow Referrals" disabled.

The AD is set up in a forest with ad.uc.edu as the forest root. I am accessing one of the 6 domain controllers directly at ucdceiw2.ad.uc.edu, and the connection works with "Follow Referrals" disabled on LDAP connections.


My read timeout is 120 seconds

My search timeout is 120 seconds

My connection timeout is 30 seconds


My IT department will be shutting off LDAP access soon and forcing LDAPS so it is important to resolve this soon.

1 vote
Answer accepted
Andrew Laden
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 22, 2019

Are you using self-signed certs for your LDAPS implementation? If so, you need to import the signing certs into your cacerts file in your installation.

https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html

UC IT Solutions Center October 23, 2019

I followed the command line instructions on that link, downloaded the server's public SSL certificate, and added it to my trusted keystore, but I get the same issues when trying to use a secure connection.

I did have to change the port on the openssl command from 443 to 636 to get the certificate, but other than that I followed the instructions exactly to import the cert.

Any additional help would be greatly appreciated.

Andrew Laden
October 23, 2019

Hmm. Assuming you bounced jira after adding the certs?

You can test that your certificate setup is correct with the sslpoke.class program.

https://matthewdavis111.com/java/poke-ssl-test-java-certs/

(Make sure you are using the same JAVA_HOME that jira is using.)

Since you are seeing differences with follow referrals, you may want to check and see where you are being referred to, and make sure you have the right certs for that location as well.

Your AD administrator should be able to provide you with the signing certs that AD uses, so that you can just import all of them at one shot. (There are usually a few: a root one and an issuing one.)

Also came across this article:

https://confluence.atlassian.com/confkb/some-users-are-unable-to-login-due-to-active-directory-follow-referrals-configuration-648217037.html

Does your jira server connect to one of the domain controllers for DNS?


UC IT Solutions Center October 23, 2019

I have bounced my JIRA server with no change. I also ran the SSLPoke tool and it successfully connected to my domain controller on port 636, and I verified the JAVA_HOME I am using is the one JIRA is using.


Before posting I did contact my IT department for the root, issuing, and signing certificates for the AD and loaded those into my keystore, so I should have all of the AD servers registered in my trust file.

I just checked and the DNS that my server is connected to is not one of the AD nodes, but it is an internal DNS run by UC.

The issue I am seeing with the follow referrals option is only when SSL is enabled.

- With SSL disabled, I can leave follow referrals off.

- With SSL enabled, the Test User Retrieve times out with follow referrals disabled.

The Java error I have in my original post happens with SSL and follow referrals enabled on the Test User Retrieve step.

All of the settings I have tried result in a successful Test Basic Connection step.

With the article you posted, my domain does not have any cross-domain memberships. All users reside in the same directory domain, and the tree nodes are just for load balancing (45,000+ active users in the system, with many different apps using the directory).

Andrew Laden
October 23, 2019

Odd. Two last things to try:

1: Connect to the global catalog instead of a specific LDAP server: https://confluence.atlassian.com/confkb/how-do-i-search-from-active-directory-s-global-catalog-785453286.html

2: Use basic LDAP tools (ldapsearch, etc.) to confirm that you can do lookups in general from the server over SSL.

Out of curiosity, what platform is your jira server running on (Linux, Windows, etc.)?

Also, did you sslpoke ForestDnsZones.ad.uc.edu, since that is what is specifically reporting the error?
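
The exception in the question is a hostname check, not a trust-chain check: since JDK 8u181 the JNDI LDAP client enables endpoint identification for LDAPS, so it compares the host it actually connects to (here the referral target ForestDnsZones.ad.uc.edu) with the DNS names in the certificate's Subject Alternative Name, and a name missing from the SAN fails no matter how many CA certificates are in cacerts; sslpoke only exercises the chain, not this name match. The POSIX shell script below is an added example, not from this thread or from Atlassian: it takes the SAN block that `openssl x509 -noout -ext subjectAltName` prints (a constructed sample is embedded, real DC SANs will differ), applies the exact-or-single-label-wildcard rule Java uses, and reports which of the names from this thread would pass.

```shell
#!/bin/sh
# Added example (not from this thread): would HOST pass Java's LDAPS hostname
# check against the DNS names in a certificate's Subject Alternative Name?
# To get the SAN block from a live DC (network access, OpenSSL 1.1.1+):
#   openssl s_client -connect ucdceiw2.ad.uc.edu:636 </dev/null 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName

# Constructed sample of that output; the real DC certificates' SANs differ.
SAMPLE_SAN_OUTPUT='X509v3 Subject Alternative Name:
    DNS:ucdceiw2.ad.uc.edu, DNS:ad.uc.edu'

# Print each DNS: entry of a SAN block on its own line, prefix stripped.
san_dns_names() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 if HOST ($1) is covered by the SAN block ($2): a case-insensitive
# exact match, or a wildcard standing for exactly the left-most label (the
# only wildcard form Java's HostnameChecker accepts). Otherwise return 1.
san_matches() {
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while read -r name; do
    if [ "$name" = "$host" ]; then return 0; fi
    case "$name" in
      \*.*)
        suffix=${name#\*.}   # text after "*."
        rest=${host#*.}      # host without its first label
        if [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then return 0; fi
        ;;
    esac
  done <<EOF
$(san_dns_names "$2" | tr '[:upper:]' '[:lower:]')
EOF
  return 1
}

# Check the names Jira may end up contacting: the configured DC, the forest
# root, and the referral target named in the SSLHandshakeException.
report_san_coverage() {
  for h in ucdceiw2.ad.uc.edu ad.uc.edu ForestDnsZones.ad.uc.edu; do
    if san_matches "$h" "$SAMPLE_SAN_OUTPUT"; then
      echo "$h: covered by SAN"
    else
      echo "$h: NOT in SAN -> 'No subject alternative DNS name matching $h found'"
    fi
  done
}
report_san_coverage
```

Run the same check against the SAN block of every DC a referral can point to; a name that prints NOT in SAN needs a certificate that lists it, or the directory URL has to be one whose name the certificate does cover.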

UC IT Solutions Center October 23, 2019

This is a SUSE Enterprise 12 Linux system running my JIRA software.

After some more testing, it appears the issue is with the test page, not the connection.

If I use ad.uc.edu as the URL with SSL enabled and follow referrals disabled, the connection can synchronize successfully, but when I try to test the connection through the test page the server times out.

My server is now syncing via LDAPS; it's just annoying that the test page doesn't work.

Andrew Laden
October 23, 2019

Glad it's working. You may want to open a case with Atlassian reporting what you are seeing so they can debug what is wrong with the test page and fix it.

UC IT Solutions Center October 23, 2019

Will do.