Authentication failures with Active Directory and LDAP referrals

  • 7007857
  • 09-Feb-2011
  • 28-Jun-2018

Environment

ZENworks Configuration Management 2017

Novell ZENworks 11 Configuration Management
Novell ZENworks 10 Configuration Management

Situation

ERROR:  (from zmd-messages.log)
 
[DEBUG] [02/08/2011 09:59:05.572] [332] [ZenworksWindowsService] [22] [] [CommonCasa] [] [ObtainAuthToken took exception: -939589605 System.Exception: -939589605
 
Later versions (11.3 and later):

[DEBUG] [02/18/2015 17:44:22.163] [1572] [ZenworksWindowsService] [59] [] [ZenCasa] [] [ObtainSessionTokenFromServer returned with code 3355377696 ] [] [] [] [ZENworks Agent]

ERROR (ats.log on Auth server):

2015-02-25 12:16:02,127 WARN authtoksvc.PwdAuthenticate invoke()
- NamingException on Proxy User: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: 
salisbury.lan:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]

ERROR: (from casaauthtoken.log):
 
LAN trace of traffic between ZENworks server and user source LDAP server (decrypted):
 
LDAP searchResEntry(4) "DC=DOMAIN,DC=COM" | searchResRef(4) | searchResRef(4) | searchResRef(4) | searchResDone(4) success  [1 result]
DNS Standard query A DOMAIN.COM
DNS Standard query A DomainDnsZones.DOMAIN.COM
DNS Standard query A ForestDnsZones.DOMAIN.COM
DNS Standard query response A [List of IP addresses for all Domain Servers]

Resolution

When the LDAP server returns referral references to the ZENworks server, the ZENworks server follows the referrals.  If the referral list includes any LDAP servers that are not on the primary or satellite connection list, ZENworks is not able to validate that server's certificate (the PKIX path building failure shown in ats.log above).  For clear-text connections there can also be issues if any of the referrals point to servers without LDAP enabled, servers outside the intended area, etc.
 
  1. Preferred Solution:  Use containers as the search base rather than searching from the root if referrals are not configured properly.
    Or, if that is not possible:
  2. Preferred Solution:  Add all possible LDAP referral servers to the ZENworks user source connection list.  In 10.3.4 this is not necessary if the administrator prefers to populate the certificates using zman user-source-trustedcert-add (usta) (certificate alias) (certificate file path).
    Ensure that all referral servers returned by DNS are set up properly, have proper certificates with the Server DN name in the subject, and that all of them can respond to LDAP requests.  Don't allow referrals to inappropriate or non-local LDAP servers.
    Or:
  3. If any referrals include servers that are not resolvable or don't listen on the LDAP ports, remove those servers from DNS for these names.
    Or:
  4. Put the DNS names of the referrals (DOMAIN.COM, ForestDnsZones.DOMAIN.COM etc.) in the local hosts file on the ZENworks server so that the DNS request is not made and the ZENworks server resolves all referral names to just the single server.  Restart the ZENworks server service.
    Or:
  5. Use the catalog port if available.
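As an added example (not part of this TID and not ZENworks code), a small Python check for steps 2 and 3 above: it takes the searchResRef URLs from a trace like the one shown, resolves each referral name, and reports addresses that belong to no host on the user source connection list, or names that do not resolve at all.  The referral URLs, the connection list and the DNS answers are constructed sample data; a real run passes the system resolver instead.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: the searchResRef URLs AD returns for a search rooted at
# DC=DOMAIN,DC=COM (the three referrals seen in the LAN trace above).
SAMPLE_REFERRALS = [
    "ldap://DOMAIN.COM/DC=DOMAIN,DC=COM",
    "ldap://DomainDnsZones.DOMAIN.COM/DC=DomainDnsZones,DC=DOMAIN,DC=COM",
    "ldap://ForestDnsZones.DOMAIN.COM/DC=ForestDnsZones,DC=DOMAIN,DC=COM",
]
# Constructed: the only host on the ZENworks user source connection list.
SAMPLE_CONNECTIONS = ["dc1.domain.com"]
# Constructed stand-in for DNS: the referral names resolve to every domain
# controller, while the configured host resolves to just one of them.
SAMPLE_DNS = {
    "dc1.domain.com": ["10.0.0.1"],
    "domain.com": ["10.0.0.1", "10.0.0.2"],
    "domaindnszones.domain.com": ["10.0.0.1", "10.0.0.2"],
    "forestdnszones.domain.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name.lower(), [])

def live_resolve(name):
    """System resolver; an empty list means the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def referral_hosts(referral_urls):
    """Distinct, lower-cased host names taken from searchResRef URLs."""
    return list(dict.fromkeys(urlsplit(u).hostname.lower() for u in referral_urls))

def uncovered_referrals(referral_urls, connection_hosts, resolve=live_resolve):
    """Referral hosts that lead off the connection list: the value is the list
    of resolved addresses belonging to no configured host (step 2), or None
    when the name does not resolve at all (step 3)."""
    covered = set()
    for host in connection_hosts:
        covered.update(resolve(host))
    report = {}
    for host in referral_hosts(referral_urls):
        addrs = set(resolve(host))
        if not addrs:
            report[host] = None
        elif addrs - covered:
            report[host] = sorted(addrs - covered)
    return report
```

An empty report means every referral the directory hands out lands on a server already on the connection list, so no extra certificate has to be trusted.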