DCO 8.2.12 - Active Directory authentication is not working after upgrade

DCIM_Support · ‎2020-07-05

Hi,

I upgraded APC StruxureWare Operation to latest version 8.2.12

I did a clean install and imported backup from old version 8.2.2

Now Active Directory Authentication is not working.

I am able to login with a local user into web interface but I cannot create/modify the authentication servers' setting. There is one expired certificate in the store but I cannot delete it.

When I create new auth server it drops the following:

DCIM_Support · ‎2020-07-05

I followed below documentation:

http://sxwhelpcenter.ecostruxureit.com/display/public/UADCO8x/Setup+an+AD+%28Active+Directory%29+Ser...

But it did not help.

I just restarted the operation service but now it is completely down. It says:

Essential services are not running on this node. Please reboot the node and monitor the status page.
If the problem persists, contact support. (jboss)

DCIM_Support · ‎2020-07-05

Hi Mate,

Can you please provide the following data:

server logs from 8.2.12 server

the 8.2.2 backup file, that you've used to restore on 8.2.12

You've mentioned "There is one expired certificate in the store but I cannot delete it." Can you please added some description/screen captures illustrating the issue.

Concerning the Authentication server settings error, when do you see the error? when you are entering/typing data in certain filed?

You've mentioned that you have "restarted the operation service", how? and wondering why it needed to be restarted?

Have you tried to reboot the server? and did it help?

I will send you an invite to my =S= box folder soon, so the data can safely be shared with me, thanks.

Kind regards

DCIM_Support · ‎2020-07-05

Hi Jef,

I uploaded couple of log, backup and screenshot files. I started upgrade on 01/12/2018, so I used "Daily_2018-12-01_02.30.tar.gz" to import into 8.2.12.

Concerning the Authentication server settings error, when do you see the error? when you are entering/typing data in certain filed?

When I try to save the auth server settings.

You've mentioned that you have "restarted the operation service", how? and wondering why it needed to be restarted?

In Webmin at StruxureWare DC Operation > Setup I just inserted internal NTP servers which required service restart.

Have you tried to reboot the server? and did it help?

Yes, couple of times, did not resolve the issue.

Right now the situation is that AD auth is working but without SSL. However I get quite frequently errors so I would say it is unstable:

Unable to authenticate. The client will restart.

Your permission have changed. The application will restart in order for the changes to take affect.

From the other hand I guess something broken in the certificate store. When I would like to see and click on "Show" or "Delete" expired certificates then the whole page going to grey and nothing happens.

Let me know if you need more details and as always I open for a WebEx session where I can present.

Thank you.

DCIM_Support · ‎2020-07-05

Hi Mate,

Thanks, I will look into the data and will get back to you as soon as possible.

Kind regards

DCIM_Support · ‎2020-07-05

Hi Mate,

Thanks for the data, here's what I found out.

Concerning the authentication server settings error notification: seems to be certificate related error with the root exception java.security.cert.CertificateException.

According to the provide backup file, it seems you have managed to update the certificate on that AD server.

So the option for ssl connection/configuration is/was certificate related.

And you've mentioned now it is working without ssl. However, server logs contain error connecting to LDAP server entries:

"Failure to perform user authentication; detailed message is "Error connecting to LDAP server, connection timeout for ldap://xxx".

That may explain why the communication between the client(s) and server could be interrupted/broken. And therefore you/user may see the Authentication error, saying "Unable to authenticate. The client will restart".

Kind regards

DCIM_Support · ‎2020-07-05

Hi Jef,

Thank you for the investigation. First of all there was no any change on our environment which can explain why you see in the logs "Error connecting to LDAP server, connection timeout for ldap://xxx"."

Here is my biggest concern: I am completely unable to manage the Certificates in DCO. It means when I wanted to delete an expired one I got a grayed out screen. Moreover if I want to check and click on Show button (on a working, valid certificate) I again got the same grayed out screen. That is the reason why I think there is an internal problem with DCO certificate store.

I updated "certification_window_freeze.png" which shows the issue - however not so informative and spectacular.

And another thing: I am using the same authentication server in DCE - without SSL and without any problem.

But in DCO the same auth server without SSL is also dropping authentication failure issue.

DCO and DCE is running on the same vmWare cluster so the conclusion is pretty logical: should not be an issue with the authentication server.

Please help me to fix the problem with DCO AD authentication.

Regards,

Mate

DCIM_Support · ‎2020-07-05

Hi Mate,

I will contact you soon so we can see the issue being illustrated on a shared screen, thanks.

Kind regards

DCIM_Support · ‎2020-07-05

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.