Connection to the Active Directory Domain Controller on SAMBA

ZS
ZS Posts: 10 Security Scout

Hello,

 

I am using FSPMS version 13.12 and linking to an AD domain on WS2008R2 with no problem, using the FSPMC console with LDAP://servername.domain.


However, if I want to connect to the Active Directory Domain Controller on SAMBA, I get the message "Could not connect to the domain server. Check that you entered all necessary information correctly." Has anyone tried to connect to AD on SAMBA?


The error fragment from the Administrator.error.log file:

Spoiler
Thu Feb 28 10:09:53 CET 2019
java.util.concurrent.ExecutionException: com.fsecure.fsa.ad.ldap.LdapException: Could not connect to the domain server. Check that you entered all necessary information correctly.
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at javax.swing.SwingWorker.get(SwingWorker.java:602)
at com.fsecure.fspmc.ui.adsync.AddressAndCredentialsPage$1.done(AddressAndCredentialsPage.java:115)
at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
at javax.swing.Timer.fireActionPerformed(Timer.java:313)
at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:109)
at java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:190)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:235)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:233)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:233)
at java.awt.Dialog.show(Dialog.java:1084)
at com.fsecure.common.awt.FDialog.show(FDialog.java:250)
at com.fsecure.common.awt.WizardDialog.show(WizardDialog.java:190)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:185)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:177)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createRule(ActiveDirectoryView.java:400)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createSyncRule(ActiveDirectoryView.java:392)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView$9.actionPerformed(ActiveDirectoryView.java:381)
at com.fsecure.fspmc.ui.installation.ActionItem.lambda$new$0(ActionItem.java:85)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:289)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2237)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2295)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4889)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4526)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4467)
at java.awt.Container.dispatchEventImpl(Container.java:2281)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.awt.EventQueue$4.run(EventQueue.java:729)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

 

Comments

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

     

    > if I want to connect to the Active Directory Domain Controller on SAMBA

     

    What is the version of Samba and what is the underlying OS? Such exact technical information would be important for any answer.

     

    On the other hand, Samba is a kind of hack, a reverse-engineered project, so official support is probably not provided for connectivity with that, only bona fide Microsoft AD.

     

    Best regards: Tamas Feher, Hungary.

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Hello ZS,

     

    PM was never tested with SAMBA, but in theory LDAP should work...

    Please check the Policy Manager Server fspms-webapp-errors.log for the corresponding exception; it should contain details about the reason.

     

    BR,

    Alexander

  • ZS
    ZS Posts: 10 Security Scout

    The Samba version is 4.7.6-Ubuntu; the OS version is Ubuntu 18.04.1 LTS.

     

    Errors from the fspms-webapp-errors.log file.
    This is the error when I try to connect using LDAP://

    Spoiler
    04.03.2019 11:52:23,920 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]

    and this is the error when using LDAPS://

    Spoiler
    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Could you please provide the full exception that happened at 04.03.2019 11:54:20,564 (from the second spoiler), including “Caused by”?

  • ZS
    ZS Posts: 10 Security Scout

    Of course, here it is:

    Spoiler
    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.reflect.GeneratedMethodAccessor1123.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.sun.proxy.$Proxy193.query(Unknown Source) ~[?:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:215) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:39) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invokeAndCreateResult(RemoteInvocationBasedExporter.java:114) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.fsecure.commons.java.spring.remoting.httpinvoker.StreamHttpInvokerServiceExporter.handleRequest(StreamHttpInvokerServiceExporter.java:61) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:881) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.notification.BayeuxClientIdFilter.doFilter(BayeuxClientIdFilter.java:35) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at com.fsecure.commons.java.spring.session.SessionTerminationFilter.doFilter(SessionTerminationFilter.java:52) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[jetty-security-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) ~[jetty-rewrite-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.RewriteHandlerWithAsyncSupport.handle(RewriteHandlerWithAsyncSupport.java:30) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.SingleConnectorHandler.handle(SingleConnectorHandler.java:33) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:169) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.Server.handle(Server.java:534) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
    Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at com.fsecure.fsa.ad.ldap.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.java:45) ~[commons-java-ldap-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    That’s the reason:
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain

     

    I’d suggest checking the certificate on your LDAPS port, for instance by running “openssl.exe s_client -connect AD1.DOMAIN.LOCAL:636”, which dumps the certificate to the console. If you save this certificate dump to a *.crt file, a certificate viewer will allow you to check all details.


    To make LDAPS work, you need to establish a trust relationship between PM and SAMBA (by changing the LDAPS certificate, importing the certificate’s CA to the PM, or both).
    If Policy Manager is installed on a Windows host, PM uses the system’s Trusted Root CA. As for PM running on Linux, please check the following Admin Guide page: https://help.f-secure.com/product.html#business/policy-manager/14.00/en/task_A2581FFE289649E6A64D0BE5182E86AF-14.00-en
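
The certificate check suggested in the reply above, as an added example that is not part of the original thread or of F-Secure's tooling: it saves the chain an LDAPS port presents and tests whether that chain verifies against a given CA bundle, which is the condition the "None of the TrustManagers trust this certificate chain" error reports as failed. The lab CA names, file names and the `make_lab_pki` helper are constructed for illustration so the script runs offline; only the host name AD1.DOMAIN.LOCAL and port 636 come from the thread.

```shell
#!/bin/sh
# Added example: reproduce and resolve an untrusted LDAPS certificate chain
# offline, using a constructed CA and server certificate.

# Save every certificate the LDAPS endpoint presents (the s_client step from
# the reply, made non-interactive).
# Usage: fetch_ldaps_chain AD1.DOMAIN.LOCAL 636 chain.pem
fetch_ldaps_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# Succeeds only if certificate $2 chains to a CA in the PEM bundle $1.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer of certificate $1, i.e. the CA the client has to trust.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Build a constructed lab PKI in directory $1:
#   samba-ca.pem  CA that issued the LDAPS certificate (hypothetical name)
#   ldaps.pem     server certificate for AD1.DOMAIN.LOCAL
#   other-ca.pem  unrelated CA standing in for a trust store without the issuer
make_lab_pki() {
    d=$1
    cat >"$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:AD1.DOMAIN.LOCAL
extendedKeyUsage = serverAuth
EOF
    openssl req -config "$d/lab.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Samba Lab CA" -extensions v3_ca \
        -keyout "$d/samba-ca.key" -out "$d/samba-ca.pem" 2>/dev/null &&
    openssl req -config "$d/lab.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Unrelated CA" -extensions v3_ca \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null &&
    openssl req -config "$d/lab.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=AD1.DOMAIN.LOCAL" \
        -keyout "$d/ldaps.key" -out "$d/ldaps.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ldaps.csr" -days 2 -set_serial 2 \
        -CA "$d/samba-ca.pem" -CAkey "$d/samba-ca.key" \
        -extfile "$d/lab.cnf" -extensions v3_srv \
        -out "$d/ldaps.pem" 2>/dev/null
}

# Offline walk-through on the constructed PKI.
lab=$(mktemp -d)
if make_lab_pki "$lab"; then
    echo "Server certificate issuer: $(cert_issuer "$lab/ldaps.pem")"

    # Trust store that lacks the issuing CA: the handshake would be rejected.
    if chain_trusted "$lab/other-ca.pem" "$lab/ldaps.pem"; then
        echo "unrelated CA bundle: chain trusted"
    else
        echo "unrelated CA bundle: chain NOT trusted"
    fi

    # Trust store that contains the issuing CA: the chain verifies.
    if chain_trusted "$lab/samba-ca.pem" "$lab/ldaps.pem"; then
        echo "issuing CA bundle:   chain trusted"
    else
        echo "issuing CA bundle:   chain NOT trusted"
    fi
else
    echo "openssl could not build the lab PKI" >&2
fi
rm -rf "$lab"
```

Against a live server, run `fetch_ldaps_chain` first; the issuer printed for the first certificate in the saved file names the CA that has to be present in the trust store the client uses.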

  • A_Grinkevitch
    A_Grinkevitch Posts: 169 Threat Terminator

    Great! Thank you for the update!

This discussion has been closed.
