Connection to the Active Directory Domain Controller on SAMBA

ZS
ZS W/ Alumni Posts: 10 Security Scout

Hello,

 

I am using FSPMS version 13.12 and linking to an AD domain on WS2008R2 with no problem, using the FSPMC console with LDAP://servername.domain.


However, if I want to connect to the Active Directory Domain Controller on SAMBA, I get the message "Could not connect to the domain server. Check that you entered all necessary information correctly." Has anyone tried to connect to AD on SAMBA?


The error fragment from the Administrator.error.log file

Thu Feb 28 10:09:53 CET 2019
java.util.concurrent.ExecutionException: com.fsecure.fsa.ad.ldap.LdapException: Could not connect to the domain server. Check that you entered all necessary information correctly.
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at javax.swing.SwingWorker.get(SwingWorker.java:602)
at com.fsecure.fspmc.ui.adsync.AddressAndCredentialsPage$1.done(AddressAndCredentialsPage.java:115)
at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
at javax.swing.Timer.fireActionPerformed(Timer.java:313)
at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:109)
at java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:190)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:235)
at java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:233)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:233)
at java.awt.Dialog.show(Dialog.java:1084)
at com.fsecure.common.awt.FDialog.show(FDialog.java:250)
at com.fsecure.common.awt.WizardDialog.show(WizardDialog.java:190)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:185)
at com.fsecure.common.awt.WizardDialog.start(WizardDialog.java:177)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createRule(ActiveDirectoryView.java:400)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView.createSyncRule(ActiveDirectoryView.java:392)
at com.fsecure.fspmc.ui.adsync.ActiveDirectoryView$9.actionPerformed(ActiveDirectoryView.java:381)
at com.fsecure.fspmc.ui.installation.ActionItem.lambda$new$0(ActionItem.java:85)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.AWTEventMulticaster.mouseReleased(AWTEventMulticaster.java:289)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2237)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2295)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4889)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4526)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4467)
at java.awt.Container.dispatchEventImpl(Container.java:2281)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.awt.EventQueue$4.run(EventQueue.java:729)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

 

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    > if I want to connect to the Active Directory Domain Controller on SAMBA

     

    What is the version of Samba and what is the underlying OS: such exacting technical information would be important for any answer.

     

    On the other hand, Samba is a kind of hack, a reverse engineered project, so official support is probably not provided for connectivity with that, only bona fide Microsoft AD.

     

    Best regards: Tamas Feher, Hungary.

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hello ZS,

     

    PM was never tested with SAMBA, but in theory LDAP should work...

    Please check the Policy Manager Server fspms-webapp-errors.log for the corresponding exception; it should contain details about the reason.

     

    BR,

    Alexander

  • ZS
    ZS W/ Alumni Posts: 10 Security Scout

    Samba is version 4.7.6-Ubuntu; the OS is Ubuntu 18.04.1 LTS.

     

    Errors from the fspms-webapp-errors.log file.
    This is the error when I try to connect using LDAP://

    04.03.2019 11:52:23,920 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]

    and this is the error when using LDAPS://

    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Could you please provide the full exception that happened at 04.03.2019 11:54:20,564 (from the second spoiler), including “Caused by”?

  • ZS
    ZS W/ Alumni Posts: 10 Security Scout

    Of course, here it is

    04.03.2019 11:54:20,564 ERROR [c.f.f.s.a.LdapDirectoryServiceImpl] - Failed to perform LDAP(S) query
    javax.naming.CommunicationException: AD1.DOMAIN.LOCAL:636
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_152]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_152]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_152]
    at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_152]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:1.8.0_152]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getDefaultNamingContext(LdapDirectoryServiceImpl.java:166) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.getLdapContext(LdapDirectoryServiceImpl.java:127) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:85) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at com.fsecure.fspms.service.adrules.LdapDirectoryServiceImpl.query(LdapDirectoryServiceImpl.java:74) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.reflect.GeneratedMethodAccessor1123.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.sun.proxy.$Proxy193.query(Unknown Source) ~[?:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_152]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_152]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_152]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_152]
    at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:215) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:39) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:78) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invokeAndCreateResult(RemoteInvocationBasedExporter.java:114) ~[spring-context-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at com.fsecure.commons.java.spring.remoting.httpinvoker.StreamHttpInvokerServiceExporter.handleRequest(StreamHttpInvokerServiceExporter.java:61) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:881) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:855) ~[spring-webmvc-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.notification.BayeuxClientIdFilter.doFilter(BayeuxClientIdFilter.java:35) ~[fspms-webapp-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at com.fsecure.commons.java.spring.session.SessionTerminationFilter.doFilter(SessionTerminationFilter.java:52) ~[commons-java-spring-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) ~[spring-security-web-3.2.10.RELEASE.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.1.RELEASE.jar:5.0.1.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) ~[jetty-security-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) ~[jetty-servlet-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) ~[jetty-rewrite-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.RewriteHandlerWithAsyncSupport.handle(RewriteHandlerWithAsyncSupport.java:30) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at com.fsecure.fspms.jetty.SingleConnectorHandler.handle(SingleConnectorHandler.java:33) ~[fspms-jetty-connectors-1-SNAPSHOT.jar:13.12.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:169) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.Server.handle(Server.java:534) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) ~[jetty-server-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[jetty-io-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[jetty-util-9.3.22.v20171030.jar:9.3.22.v20171030]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_152]
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
    Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
    at com.fsecure.fsa.ad.ldap.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.java:45) ~[commons-java-ldap-1-SNAPSHOT.jar:18.48.84149 (origin/release/pm-13.10#b2b527ca, 1543583231529)]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:1.8.0_152]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_152]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_152]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[?:1.8.0_152]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[?:1.8.0_152]
    ... 108 more
  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    That’s the reason:
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain

     

    I’d suggest checking the certificate at your LDAPS port, for instance by running “openssl.exe s_client -connect AD1.DOMAIN.LOCAL:636”, which dumps the certificate to the console. If you save this certificate dump to a *.crt file, a certificate viewer will allow you to check all the details.


    To make LDAPS work, you need to establish a trust relationship between PM and SAMBA (by changing the LDAPS certificate, importing the certificate’s CA into PM, or both).
    If Policy Manager is installed on a Windows host, PM uses the system’s Trusted Root CA. As for PM running on Linux, please check the following Admin Guide page: https://help.f-secure.com/product.html#business/policy-manager/14.00/en/task_A2581FFE289649E6A64D0BE5182E86AF-14.00-en
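
The certificate check suggested in the reply above, as an added shell example that is not part of the original thread or of Policy Manager: it extracts the server certificate from an `s_client` dump and tests whether it chains to a given CA file, which is the condition the "None of the TrustManagers trust this certificate chain" error reports as unmet. The function names and the throwaway CA and server certificate are constructed for illustration, so the demo runs offline.

```shell
#!/usr/bin/env bash
# Added example: inspect an LDAPS server certificate and test it against a CA file.
# All function names and the throwaway PKI below are constructed for illustration.
# Against a live server:
#   fetch_ldaps_dump AD1.DOMAIN.LOCAL:636 | first_pem > ldaps.crt

# Dump what the directory server presents on its LDAPS port (needs network access).
fetch_ldaps_dump() {            # $1 = host:port
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null
}

# Read an s_client dump on stdin and keep only the first PEM block,
# which is the server's own certificate.
first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}

# Show who the certificate is for, who issued it and when it is valid.
describe_cert() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# True when subject and issuer names are identical (self-issued certificate).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True only when certificate $2 verifies against the CA file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build a constructed two-day PKI: one CA that signs the server certificate,
# and one unrelated CA that stands in for a trust store lacking the right root.
build_constructed_pki() {       # $1 = empty working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Samba CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -x509 -config "$1/ca.cnf" -subj "/CN=Constructed unrelated CA" \
        -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null &&
    openssl req -new -config "$1/ca.cnf" -subj "/CN=ad1.domain.local" \
        -newkey rsa:2048 -nodes \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.crt" 2>/dev/null
}

# Run the whole check on constructed data and print three verdicts:
# against the issuing CA, against the unrelated CA, and self-signed or not.
run_demo() {
    d=$(mktemp -d) || return 1
    build_constructed_pki "$d" || { rm -rf "$d"; return 1; }
    # Constructed stand-in for s_client output: chatter around the PEM block.
    { echo "CONNECTED(00000003)"; echo "Server certificate"
      cat "$d/srv.crt"; echo "---"; } > "$d/dump.txt"
    first_pem < "$d/dump.txt" > "$d/ldaps.crt"
    if chains_to "$d/ca.crt" "$d/ldaps.crt"; then r1=trusted; else r1=untrusted; fi
    if chains_to "$d/other.crt" "$d/ldaps.crt"; then r2=trusted; else r2=untrusted; fi
    if is_self_signed "$d/ldaps.crt"; then r3=self-signed; else r3=ca-issued; fi
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

run_demo
```

The "untrusted" verdict corresponds to the handshake failure in the log; importing the issuing CA on the client side is what turns it into "trusted".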

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Great! Thank you for the update!

This discussion has been closed.