FAST ESP/ Unable to use Active Directory accounts for Authentication / Login Fails with LdapErr: DSID-0C0901FC

Applies to: FAST ESP

Symptoms


After applying the steps in the following article:

FAST ESP / Enable ESP Administrator to use Active Directory accounts for Authentication
http://support.microsoft.com/kb/2441205/en-us

authentication against Active Directory from the ESP Administrator may still fail. When a user attempts to log on, the following error is recorded in adminserver.log:

[2011-04-25 17:22:14,864] DEBUG no.fast.vespa.security.auth.JaasLdapProvider: Trying to bind to ldap://dc.contoso.com:389 using com.sun.jndi.ldap.LdapCtxFactory as user FAST (http-15089-Processor22)

[2011-04-25 17:22:15,114] DEBUG no.fast.vespa.security.auth.JaasLdapProvider: Authentication failed (http-15089-Processor22)
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1772


Cause


This issue is the result of a non-default domain policy in Active Directory that requires LDAP binds to be protected. A simple bind over a plain-text LDAP connection is rejected unless the bind negotiates integrity checking (LDAP signing) or the connection is already protected by TLS/SSL. As the log above shows, the ESP adminserver performs a plain simple bind to ldap://dc.contoso.com:389, which does neither, so the DC rejects it.

This policy on the domain controller is: "Domain controller: LDAP server signing requirements" and if set to "Require signing" the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Socket Layer (TLS/SSL) is being used. This also sets the following registry key on all domain controllers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2

If this policy is configured on the domain controllers of a Windows domain, simple binds over unsigned, unencrypted LDAP (port 389) fail with the error above; binds over LDAPS (port 636) are not affected.
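As an added example that is not part of this article or of FAST ESP, the following Python script parses the Active Directory extended error text shown in the Symptoms section out of adminserver.log lines and tells the signing-policy rejection (result code 8 with the "integrity checking" comment) apart from an ordinary credential failure (result code 49 with an AD data code). The first three sample lines are the ones quoted above; the remaining two, the label names and the remediation text are constructed for this example.

```python
"""Classify Active Directory bind failures recorded in adminserver.log.

Added example; not part of the KB article or of FAST ESP.  It parses the
extended error text a Domain Controller returns on a failed bind, as it appears
inside the JNDI exception message, and labels the cause of the failure.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LDAP result codes (RFC 4511) relevant to a failed bind.
LDAP_RESULT_NAMES = {8: "strongerAuthRequired", 49: "invalidCredentials"}

# Sub-codes Active Directory places in the "data" field of an invalidCredentials (49) result.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches e.g. "[LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: ..., data 0, v1772"
AD_ERROR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


@dataclass
class BindFailure:
    result_code: int
    result_name: str
    win32_error: int   # the 8-hex-digit value before "LdapErr", e.g. 0x2028
    dsid: str          # identifies the code location in the DC; useful when searching KB articles
    comment: str
    data: str
    diagnosis: str


def diagnose(code: int, comment: str, data: str) -> str:
    """Map a (result code, comment, data) triple to a short diagnosis label."""
    if code == 8 and "integrity checking" in comment:
        # The DC policy "LDAP server signing requirements" is set to Require signing
        # and the client sent an unsigned simple bind on a plain-text connection.
        return "ldap_signing_required"
    if code == 8:
        return "stronger_auth_required"
    if code == 49:
        return AD_DATA_CODES.get(data.lower(), "invalid credentials (unknown data code)")
    return "other"


def parse_bind_failure(line: str) -> Optional[BindFailure]:
    """Parse one log line; None when it carries no AD bind error."""
    m = AD_ERROR_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    return BindFailure(
        result_code=code,
        result_name=LDAP_RESULT_NAMES.get(code, f"resultCode {code}"),
        win32_error=int(m["win32"], 16),
        dsid=m["dsid"],
        comment=m["comment"],
        data=m["data"],
        diagnosis=diagnose(code, m["comment"], m["data"]),
    )


def scan_log(lines) -> List[BindFailure]:
    """Return the bind failures found in an iterable of adminserver.log lines."""
    return [f for f in (parse_bind_failure(line) for line in lines) if f is not None]


REMEDIATION = {
    "ldap_signing_required": "Bind over LDAPS (ldaps://<dc>:636, Method 2) "
                             "or relax the DC signing policy (Method 1).",
}

# Sample lines: the first three are from the article, the last two are constructed.
SAMPLE_LOG = [
    "[2011-04-25 17:22:14,864] DEBUG no.fast.vespa.security.auth.JaasLdapProvider: Trying to bind to "
    "ldap://dc.contoso.com:389 using com.sun.jndi.ldap.LdapCtxFactory as user FAST (http-15089-Processor22)",
    "[2011-04-25 17:22:15,114] DEBUG no.fast.vespa.security.auth.JaasLdapProvider: Authentication failed (http-15089-Processor22)",
    "javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, "
    "comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v1772",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 775, v1db1]",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.result_name} 0x{f.win32_error:04X} DSID-{f.dsid} data {f.data}: {f.diagnosis}")
        if f.diagnosis in REMEDIATION:
            print("  ->", REMEDIATION[f.diagnosis])
```

Run it against a real adminserver.log with `scan_log(open("adminserver.log"))`; a result of ldap_signing_required means the DC policy, not the user's password, is the problem, and the two methods below apply.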


Resolution


There are 2 methods to resolve this issue:


Method 1:

Change the policy "Domain controller: LDAP server signing requirements" on the Domain Controllers to "None". With this setting, LDAP data signing is not required in order to bind with the server; if the client requests data signing, the server still supports it.

Setting this policy to "none" will also change the following registry setting on all DCs:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1 (Note: This is the default setting)

Once this setting is in effect on the DCs, the DC accepts the unsigned simple bind from the ESP adminserver, and the procedure in KB2441205 allows authentication against Active Directory from the ESP Administrator.

Note: This method relaxes a domain-wide security setting for the benefit of one application. With signing not required, the ESP adminserver sends each user's Active Directory password to the DC in clear text on port 389, where it can be read or tampered with on the network. Prefer Method 2, which leaves the policy in place. KB 823659 (under More Information) describes the client incompatibilities that security settings such as this one can cause.


Method 2:

Configure the ESP Adminserver process to bind securely with the LDAP server hosted by the Windows Domain Controller.

In order to accomplish this the following steps must be completed:

1. Obtain the certificate that the Domain Controller presents on its LDAPS endpoint. If that certificate was issued by a Certification Authority, obtain the root CA certificate that issued it; if the DC certificate is self-signed, the DC certificate itself is the one to trust.

Note: One can refer to the Windows security group to obtain the required certificate.

2. Once the appropriate certificate is obtained, install it in the "Trusted Root Certification Authorities" store on the FAST ESP server. This is the store that Windows tools such as LDP.EXE use; the Java runtime that adminserver runs under has its own truststore, which is handled in step 12.

3. Test the secure LDAP connection from the ESP Server using LDP.EXE.

See the following for more information on obtaining and using LDP.EXE:

Ldp Overview
http://technet.microsoft.com/en-us/library/cc772839(WS.10).aspx

4. Launch LDP.EXE from the FAST ESP Admin Server.

5. Choose "Connection" from the file menu.

6. Choose "Connect" from the drop down menu.

7. Type the name of the DC with which to establish a connection. Use the DC's fully qualified DNS name as it appears in the certificate rather than an IP address; otherwise the certificate does not validate.

8. Change the port number to 636. 

Note: 636 is the secure LDAP port (LDAPS)

9. Choose the checkbox "SSL" to enable an SSL connection.

10. Click "ok" to test the connection.

11. If the connection succeeds, a secure LDAPS connection to the DC has been established and the DC certificate has been validated against the certificate installed in step 2. If it fails, resolve the certificate trust on the ESP server before continuing, since the Java configuration below depends on the same certificate chain.

12. At this point the root CA certificate obtained in step 1 must be installed into the Java keystore so that the Java-based ESP adminserver component can establish a secure LDAP connection to the DC. The JVM validates the DC certificate against its own truststore, not against the Windows certificate store, so the import in step 2 alone is not sufficient.

This step can be accomplished with keytool, which ships with Java:

Example: 

$JAVA_HOME/bin/keytool -import -alias root -keystore $JAVA_HOME/lib/security/cacerts -trustcacerts -file <path-to-ssl-certificate>/ldap-server.cer

Note: The certificate is added to the default JVM truststore $JAVA_HOME/lib/security/cacerts under the alias 'root'. keytool prompts for the keystore password; the default password of cacerts is changeit.
<path-to-ssl-certificate>/ldap-server.cer is the certificate the JVM client will trust when validating the LDAP server. Make sure $JAVA_HOME is the Java installation that adminserver actually runs under (on a JDK the truststore is $JAVA_HOME/jre/lib/security/cacerts), and confirm the import with keytool's -list option before restarting adminserver.

See the following for assistance with this process:

Importing a Certificate for the CA
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html


13. Once the DC root certificate is successfully imported into the Java keystore, open and edit the login.conf file in: %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\login.conf


14. Modify the existing entry so that it reads:

LDAP {
no.fast.vespa.security.auth.JaasLdapProvider required
providerURL="ldaps://gc1.contoso.com:636"
principalFormat="{0}@contoso.com";
};

Where ldaps://gc1.contoso.com:636 is the full LDAPS URL of the company's Domain Controller (use the DNS name that appears in the DC certificate, not an IP address), and @contoso.com is the part common to all user names (the user principal name suffix). The closing quote must follow the port number directly; whitespace inside the quotes becomes part of the URL.

Note: The difference in this setting compared with KB2441205 is the LDAP URL is being changed to "ldaps" and port "636" which is required to establish a secure ldap connection.


15. Edit the file %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\classes\esp4j-security-context.xml.


16. Change the loginContextName property to LDAP on the bean with id="jaasAuthenticatorTarget".

Note: The property specifies which login context to use. Changing this setting to LDAP will activate the login context specified in WEB-INF\login.conf.

Example:
<bean id="jaasAuthenticatorTarget" class="no.fast.vespa.security.auth.JaasAuthenticator">
    <property name="loginConfig">
      <value>/WEB-INF/login.conf</value>
    </property>
    <property name="loginContextName">
      <value>LDAP</value>
    </property>
    <property name="callbackHandlers">
      <list>
        <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
        <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
      </list>
    </property>
</bean>

17.   Restart Adminserver:
nctrl stop adminserver
nctrl start adminserver

18. Login to the admin node and navigate to FAST Home > User Administration > Create Users & Groups.

19. Create a user with the same name as the Windows user that requires access rights to ESP.

20. Select “This user will be authenticated by an external management system”.

21. Give this user rights in ESP, for example, choose “may create and delete users and groups (admin)":

Note: If one chooses to authenticate a user by an external user management system, the User Name field must match the user login of the external user management system (the AD user account in this case). It is not required to fill in the e-mail and password fields for users authenticated through an external user management system.

22. Once these changes are made, one can log into the ESP admin console with mapped external accounts that are maintained in the Windows Domain.
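As an added example that is not part of this article or of FAST ESP, the following Python script checks the two files edited in steps 13 to 16 before adminserver is restarted: it parses the LDAP entry in login.conf and the jaasAuthenticatorTarget bean in esp4j-security-context.xml and reports anything that would leave the adminserver binding over plain ldap://, pointing at a port other than 636, using an IP address instead of the certificate's DNS name, or running a login context other than LDAP. It also offers a keytool -list wrapper for the step 12 import. The file names, bean id, property names and module class are the article's; the sample configurations, the findings wording and the function names are constructed for this example.

```python
"""Lint the ESP adminserver LDAP login configuration for Method 2.

Added example; not part of the KB article or of FAST ESP.  It reads the JAAS
entry in login.conf and the jaasAuthenticatorTarget bean in
esp4j-security-context.xml and reports whether the adminserver will bind over
LDAPS with the LDAP login context active.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

JAAS_ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
JAAS_MODULE_RE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\b")
JAAS_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
LDAP_URL_RE = re.compile(r"(ldaps?)://([^:/\s]+)(?::(\d+))?/?")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
EXPECTED_MODULE = "no.fast.vespa.security.auth.JaasLdapProvider"


def parse_login_conf(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {entry name: {option: value, "module": class, "flag": control flag}}."""
    entries: Dict[str, Dict[str, Optional[str]]] = {}
    for name, body in JAAS_ENTRY_RE.findall(text):
        opts: Dict[str, Optional[str]] = dict(JAAS_OPTION_RE.findall(body))
        mod = JAAS_MODULE_RE.search(body)
        opts["module"] = mod.group(1) if mod else None
        opts["flag"] = mod.group(2) if mod else None
        entries[name] = opts
    return entries


def login_context_name(xml_text: str) -> Optional[str]:
    """loginContextName of the bean with id jaasAuthenticatorTarget, or None."""
    for bean in ET.fromstring(xml_text).iter("bean"):
        if bean.get("id") != "jaasAuthenticatorTarget":
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "loginContextName":
                value = prop.find("value")
                return value.text.strip() if value is not None and value.text else None
    return None


def check_secure_ldap(login_conf: str, context_xml: str) -> List[str]:
    """Return findings; an empty list means the configuration matches Method 2."""
    findings: List[str] = []
    ctx = login_context_name(context_xml)
    if ctx != "LDAP":
        findings.append(f"loginContextName is {ctx!r}, expected 'LDAP' (step 16)")
    entry = parse_login_conf(login_conf).get("LDAP")
    if entry is None:
        findings.append("login.conf has no LDAP entry (step 14)")
        return findings
    if entry.get("module") != EXPECTED_MODULE:
        findings.append(f"LDAP entry uses module {entry.get('module')!r}, expected {EXPECTED_MODULE}")
    raw_url = entry.get("providerURL") or ""
    if raw_url != raw_url.strip():
        findings.append("providerURL has whitespace inside the quotes; it becomes part of the URL")
    m = LDAP_URL_RE.fullmatch(raw_url.strip())
    if not m:
        findings.append(f"providerURL {raw_url!r} is not an ldap:// or ldaps:// URL")
    else:
        scheme, host, port = m.groups()
        if scheme != "ldaps":
            # Plain ldap:// is an unsigned, clear-text simple bind: rejected with
            # LdapErr 00002028 when the DC requires signing, and it exposes the password.
            findings.append(f"providerURL uses {scheme}:// on port {port or '389'}; "
                            "use ldaps://<dc>:636 (step 14)")
        elif port not in (None, "636"):
            findings.append(f"providerURL uses port {port}; LDAPS on a Domain Controller is port 636")
        if IPV4_RE.fullmatch(host):
            findings.append("providerURL uses an IP address; use the DC's DNS name as it appears "
                            "in the DC certificate")
    pf = entry.get("principalFormat") or ""
    if "{0}" not in pf or "@" not in pf:
        findings.append(f"principalFormat {pf!r} should look like {{0}}@contoso.com")
    return findings


def truststore_has_alias(keystore: str, alias: str = "root", storepass: str = "changeit") -> bool:
    """Step 12 check: keytool -list exits non-zero when the alias is absent.
    Needs keytool on PATH and is not exercised offline."""
    proc = subprocess.run(["keytool", "-list", "-keystore", keystore, "-storepass", storepass,
                           "-alias", alias], capture_output=True, text=True)
    return proc.returncode == 0


# Constructed sample inputs modelled on the article's fragments.
INSECURE_LOGIN_CONF = """LDAP {
  no.fast.vespa.security.auth.JaasLdapProvider required
  providerURL="ldap://dc.contoso.com:389"
  principalFormat="{0}@contoso.com";
};
"""
SECURE_LOGIN_CONF = INSECURE_LOGIN_CONF.replace("ldap://dc.contoso.com:389", "ldaps://gc1.contoso.com:636")
CONTEXT_XML = """<beans>
<bean id="jaasAuthenticatorTarget" class="no.fast.vespa.security.auth.JaasAuthenticator">
  <property name="loginConfig"><value>/WEB-INF/login.conf</value></property>
  <property name="loginContextName"><value>LDAP</value></property>
</bean>
</beans>"""

if __name__ == "__main__":
    for label, conf in (("KB2441205 (plain ldap)", INSECURE_LOGIN_CONF), ("Method 2 (ldaps)", SECURE_LOGIN_CONF)):
        print(label, "->", check_secure_ldap(conf, CONTEXT_XML) or "OK")
```

On a real server, read the two files from %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF and pass their contents to check_secure_ldap; run truststore_has_alias against the cacerts file of the JRE that adminserver uses to confirm the step 12 import before restarting.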


More Information


Articles and utilities referenced in this Knowledge Base Article:

FAST ESP / Enable ESP Administrator to use Active Directory accounts for Authentication
http://support.microsoft.com/kb/2441205/en-us

Ldp Overview
http://technet.microsoft.com/en-us/library/cc772839(WS.10).aspx

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
http://support.microsoft.com/kb/823659

Importing a Certificate for the CA
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html