SSPR unable to connect to LDAP server when DNS name does not match the certificate subject name

  • 7023419
  • 02-Oct-2018
  • 27-May-2020


Self Service Password Reset
SSPR MSI and Appliance versions 4.4 
SSPR WAR file version  4.x  running Java v1.8u181 or later


Unable to connect to LDAP (eDir) server after update from SSPR 4.3 to 4.4.
Cannot bind to LDAP
Invalid Certificate error returned when replacing certificate 
Users receive the following error:

5017 ERROR_DIRECTORY_UNAVAILABLE (error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps:// as cn=MySSPRProxy,o=MyContainer reason: CommunicationException (; No name matching found))

Deleting and reimporting the LDAP certificate does not help


Replace any non-conforming LDAP server certificates.  In other words, make sure the LDAP server certificate includes a DNS name in the subjectAltName field of the certificate  that matches the FQDN of the SSPR server,  for example,


For War File installations of SSPR or later:

1) Add the  following Java command line option to the file that defines JAVA_OPTS in your environment :

For Window MSI installations of SSPR 4.4 or later:

1) Right click SSPR Service Manager -> Stop SSPR-service

2) Right click SSPR Service Manager -> Tomcat Info…
    Click Java Tab
    Add the  following Java command to the Java Options: section
    Click OK

3) Right click SSPR Service Manager -> Start SSPR-service

Note: SSPR Service Manager is installed on Windows servers as part of the SSPR installation, and is launched automatically when Windows loads.  It appears as an icon in the task bar, as shown below:

For Appliance installations of  SSPR 4.4 or later:


/ssprConfig/java.vmoptions      (the /ssprConfig directory is at the root of the drive; i.e. where you land with cd /)

And add contents:


Restart appliance.


All Java versions 8u181 or greater have enabled LDAPS endpoint identification by default.

This security change will cause a connection failure for customers whose LDAP servers’ certificate does not properly contain a matching DNS name as part of the certificate, (i.e. If the customer’s LDAP certificates are not conforming to RFC 5280, Java will reject them by default).

Affected customers:
All 4.4. customers with non-conforming LDAP server certificates. or later customers using the War file with non-conforming LDAP server certificates.

Additional Information

Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.