Can't create Printer Driver Profile, authentication failure

  • 7001934
  • 19-Nov-2008
  • 26-Apr-2012

Environment

iManager
Novell NetWare 6.5 Support Pack 2
iPrint

Situation

Can't create Printer Driver Profile, authentication failure
Printer Driver Profile prompts for authentication
Error: "Printer Authentication Failed.  Do you want to try again?" after attempting to authenticate to create a Printer Driver Profile.
Can't login to create a Printer Driver Profile

Resolution

Export a new Self-signed certificate from the Certificate Authority object and copy it to SYS:\public\ROOTCERT.DER, then restart Apache and Tomcat.

Step1: Take a DSTRACE of the LDAP operations to check if any LDAP errors are being experienced.
Step2: Test if LDAP over port 636 is working.
Step3: Copy new Self-signed certificate from the CA to SYS:\PUBLIC\ROOTCERT.DER and restart apache and tomcat.
Step4: Perform action in iManager to create Printer Driver Profile again.

Please note: Step1 and Step2 are included for completeness of this TID. Although they are not required, they should be performed to ensure that you are seeing the same LDAP error as described below.

Step1:  Take a DSTRACE of the LDAP operations to check if any LDAP errors are being experienced.
a) Type DSTRACE ON at the NetWare console to load the dstrace nlm.
b) Type DSTRACE again at the NetWare console to display a list of available options.
c) Type DSTRACE -ALL to turn off all other filters (you need the latest versions of dstrace for this feature to work; earlier versions may need DSTRACE CLEAR ALL).
d) Type DSTRACE +LDAP +TAGS +TIME to turn on the LDAP filter which allows display of LDAP messages.
e) To trace to a file, type DSTRACE FILE ON; it might be worth deleting the existing trace file before you start.
f) Configure which options will be traced by launching ConsoleOne (preferably version 1.2d or later; the snapins are modified in these versions). Go to the properties of the LDAP server object. Switch to the tab labeled "Screen Options." Enable all trace options except for Packet Dump or Decoding. This tab allows you to choose which items are traced once DSTRACE has been enabled. This will enable DSTRACE to show the queries posed by the client, the authentication mechanism, and the results of the query.
g) Be aware that DSTrace causes the server to take a big hit in performance; turn it off once testing is completed.
h) Perform the action that results in the authentication failure.
i) Stop the trace to the file, type DSTRACE FILE OFF.
j) View SYS:\SYSTEM\DSTRACE.LOG for errors.

In this instance, the following error was reported in DSTRACE :
LDAP: [2004/12/16 21:08:35] New TLS connection 0x7fbbf8c0 from 10.36.104.250:47955, monitor = 0x28e, index = 4
LDAP: [2004/12/16 21:08:35] Monitor 0x28e initiating TLS handshake on connection 0x7fbbf8c0
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) DoTLSHandshake on connection 0x7fbbf8c0
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) TLS accept failure 1 on connection 0x7fbbf8c0, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) TLS handshake failed on connection 0x7fbbf8c0, err = -5875
LDAP: [2004/12/16 21:08:35] Server closing connection 0x7fbbf8c0, socket error = -5875
LDAP: [2004/12/16 21:08:35] Connection 0x7fbbf8c0 closed

It is because of the "alert bad certificate" above that Step2 was followed.

Step2: Test LDAP over port 636 is working
1. Export the trusted root certificate from ConsoleOne.
a. Open the "LDAP Server" object and choose the "SSL Configuration" tab.
b. Note the object listed in the SSL Certificate dialog box and then open that object from ConsoleOne.
c. Choose "Trusted Root Certificate" in the "Certificates" tab for this object.
d. Do not export the private key.
e. Export the file in DER format; name it c:\RootCert.der.

Or

1a. Export the Self Signed Certificate from ConsoleOne.
a. Open CA object in O=Security
b. Select Certificates -> Self Signed Certificate
c. Do not export the private key.
d. Export the file in DER format; name it c:\RootCert.der

2. Start the NDS Import/Export... utility from the ConsoleOne Wizards menu
a. Select 'Export LDIF File' and hit 'Next'
b. Enter the DNS or IP address of your LDAP server
c. Enter 636 for the port number
d. Enter c:\RootCert.der for the der file
e. Select 'Authenticated Login'
f. Enter the user name and password.  Hit 'Next'.
g. Enter the Base DN.  Choose your top level organization object, e.g. o=novell.
h. Select 'Base' for the scope.  Hit 'Next'.
i. Enter c:\test.ldif for the Destination LDIF file.  Hit 'Next'.
j. Click 'Finish' to start the test.

3. Verify the results.
a. One entry should be returned - the top level organization object.
b. Zero errors should be reported.
c. Check that the organization object information is in the c:\test.ldif file.
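The DSTRACE excerpt above and the port-636 test in Step2 can both be reproduced from a workstation without ConsoleOne. The following is an added example (not part of the TID and not Novell code): it extracts the "TLS accept failure" records from a DSTRACE LDAP log so that the client address, NDS error and TLS alert are visible at a glance, and it performs the same LDAPS handshake iPrint does, trusting only the exported DER root. The sample log is the TID's own excerpt; the function and parameter names are this example's, and the host and DER path passed to verify_ldaps are assumptions you supply.

```python
import re
import socket
import ssl

# Constructed sample: the DSTRACE excerpt quoted in the TID (DSTRACE +LDAP +TAGS +TIME).
SAMPLE_DSTRACE = """\
LDAP: [2004/12/16 21:08:35] New TLS connection 0x7fbbf8c0 from 10.36.104.250:47955, monitor = 0x28e, index = 4
LDAP: [2004/12/16 21:08:35] Monitor 0x28e initiating TLS handshake on connection 0x7fbbf8c0
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) DoTLSHandshake on connection 0x7fbbf8c0
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) TLS accept failure 1 on connection 0x7fbbf8c0, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2004/12/16 21:08:35] (10.36.104.250:47955)(0x0000:0x00) TLS handshake failed on connection 0x7fbbf8c0, err = -5875
LDAP: [2004/12/16 21:08:35] Server closing connection 0x7fbbf8c0, socket error = -5875
LDAP: [2004/12/16 21:08:35] Connection 0x7fbbf8c0 closed
"""

# A "TLS accept failure" line carries the peer, the NDS error (-5875) and the alert the client sent.
FAILURE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \((?P<peer>[\d.]+):(?P<port>\d+)\)\S* TLS accept failure"
    r" \d+ on connection (?P<conn>0x[0-9a-f]+), setting err = (?P<err>-?\d+)"
    r"(?:.*?alert (?P<alert>[a-z ]+?) - SSL alert number (?P<num>\d+))?"
)

def parse_tls_failures(text):
    """Return one dict per failed TLS accept in a DSTRACE LDAP log.
    Alert 42 ("bad certificate") sent by the client means the client rejected the
    server's certificate, i.e. its trusted root (ROOTCERT.DER) does not match the CA."""
    found = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            d = m.groupdict()
            d["err"] = int(d["err"])
            d["num"] = int(d["num"]) if d["num"] else None
            found.append(d)
    return found

def verify_ldaps(host, der_path, port=636, timeout=5.0):
    """Handshake with host:port trusting only the DER root in der_path, as iPrint does
    with SYS:\\PUBLIC\\ROOTCERT.DER. Returns (ok, detail) instead of raising."""
    with open(der_path, "rb") as fh:
        pem = ssl.DER_cert_to_PEM_cert(fh.read())
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # assumption: NDS server certs rarely carry the DNS name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except OSError as exc:  # ssl.SSLError is an OSError; CERTIFICATE_VERIFY_FAILED = stale root
        return False, str(exc)
```

A False result with CERTIFICATE_VERIFY_FAILED from verify_ldaps(server, "RootCert.der") is the client-side view of the "alert bad certificate" line the server logs, and confirms that the exported root is the one to copy over ROOTCERT.DER in Step3.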

Step3: Copy new Self-signed certificate from the CA to SYS:\PUBLIC\ROOTCERT.DER and restart apache and tomcat.
You can use the file created in Step2 above and just rename it to ROOTCERT.DER and copy it to SYS:\PUBLIC

Please allow a few minutes after each of these commands before typing the next, as it takes some time to clean up all of the resources.
Stop Apache : ap2webdn.ncf
Start Apache : ap2webup.ncf
Stop Tomcat : tc4stop.ncf
Start Tomcat : tomcat4.ncf

A restart of the server may also be required to ensure everything loads again properly.
TCKEYGEN.NCF may be required if Tomcat fails to start.

TID 10090732 covers how to check if apache / tomcat are running properly on your server.

Workaround:

If there are multiple iPrint servers in the tree and printer driver profiles can be created successfully on one server but not on another, you can work around whatever is causing the LDAP failure by pointing the failing server to a known good server for LDAP authentication, as follows:
1. On the failing server, open the ipp.conf file found in sys:\apache2\iprint
2. Edit the AuthLDAPurl value to point to a server that works.  Edit just the server name portion of the string to include the dns name or ip address of the desired server.
3. Restart apache

This will redirect iPrint to the "good" server for authentication. After the authentication succeeds, profile creation will proceed normally.

Additional Information

There is a problem with the SYS:\PUBLIC\ROOTCERT.DER certificate on the LDAP server.

The same authentication failure message can be returned for other reasons. See TID 3110036 - Message: "Printer authentication failed. Do you want to try again?" for more information.


Formerly known as TID# 10094791

Change Log

2008-11-19 - Ray Dassen - Import. Updated TID link: 10088627 -> 3110036