
Thread: Cannot use LDAPS external authentication to AD domain controller

  1. #1
    Cannot use LDAPS external authentication to AD domain controller

    I am attempting to set up external LDAPS authentication against one of my AD domain controllers. LDAP (no SSL) works fine, but LDAPS gives me trouble. I first encountered an untrusted certificate error, but that was resolved by adding the CA certificate to the Java keystore. However, now I am getting another error...

    Code:
    javax.naming.CommunicationException: simple bind failed: mydc.my.domain:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment]
    	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:195)
    	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
    	at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:296)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    	at javax.naming.InitialContext.init(InitialContext.java:223)
    	at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:134)
    	at com.zimbra.cs.account.ldap.ZimbraLdapContext.ldapAuthenticate(ZimbraLdapContext.java:622)
    	at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:94)
    	at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:177)
    	at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:45)
    	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:412)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:287)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)
    	at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:303)
    	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:217)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:206)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:814)
    	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    	at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:218)
    	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
    	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    	at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    	at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    	at org.mortbay.jetty.Server.handle(Server.java:326)
    	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:585)
    	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:988)
    	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
    	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:415)
    	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
    	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
    	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
    	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:400)
    	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:373)
    	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:332)
    	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    	... 49 more
    Caused by: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
    	at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:247)
    	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:124)
    	at sun.security.validator.Validator.validate(Validator.java:221)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    	... 62 more
    I'm not sure which machine is getting hung up on key encipherment. I tried reissuing the certificate for my DC to include key encipherment, but that made no difference. The only error I am getting on my Windows server (even with schannel logging cranked up all the way) is Schannel alert 46, which seems to be where Windows throws its hands up in confusion and says "I dunno". (RFC 5246 specifies error 46 as "certificate_unknown Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.")

    Do I need another certificate for my Zimbra server? LDAPS does not require a certificate for the client, but if it would help I can -- as long as someone tells me where I need to add the LDAPS client certificate. (Java keystore again?)

    Thanks for any help you can provide.
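The innermost frames of the trace (sun.security.validator.EndEntityChecker.checkTLSServer) execute inside the Zimbra JVM, so it is the Java client's certificate validator, not the domain controller, that rejects the DC's certificate. The following is an added example, not code from this thread, from Zimbra or from the JDK: it decodes a KeyUsage extension value and applies the same rule that Java's checker applies to a TLS server certificate, which is what produced the "KeyUsage does not allow key encipherment" message. It assumes the negotiated cipher suite used RSA key exchange (the branch that demands keyEncipherment); the sample DER values are constructed, not taken from any real certificate.

```python
# Added example, not Zimbra or JDK code: mirrors the KeyUsage rule Java applies
# to a TLS server certificate in EndEntityChecker.checkTLSServer.
KEY_USAGE_BITS = [  # bit positions from RFC 5280 section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# KeyUsage bit each TLS key-exchange family requires on the server certificate.
REQUIRED_BIT = {"RSA": ("keyEncipherment", "key encipherment")}
for kx in ("DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA"):
    REQUIRED_BIT[kx] = ("digitalSignature", "digital signatures")
for kx in ("DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"):
    REQUIRED_BIT[kx] = ("keyAgreement", "key agreement")


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a KeyUsage extension: tag 0x03,
    short-form length, unused-bit count, then bit bytes (MSB first = bit 0)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, body = der[2], der[3:]
    usable_bits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[b] for b in range(usable_bits)
            if body[b // 8] & (0x80 >> (b % 8))}


def check_tls_server(key_usage, key_exchange: str):
    """Return (accepted, reason); key_usage is None when the certificate has
    no KeyUsage extension, which the Java checker accepts for any usage."""
    if key_usage is None:
        return True, "no KeyUsage extension; any usage permitted"
    bit, phrase = REQUIRED_BIT[key_exchange]
    if bit in key_usage:
        return True, f"KeyUsage allows {phrase}"
    return False, f"KeyUsage does not allow {phrase}"


# Constructed sample extension values, not taken from any real certificate.
WORKING_DC = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
SIGN_ONLY_DC = bytes.fromhex("03020780")  # digitalSignature only

if __name__ == "__main__":
    for name, der in (("working", WORKING_DC), ("signature-only", SIGN_ONLY_DC)):
        usage = decode_key_usage(der)
        print(name, sorted(usage), check_tls_server(usage, "RSA"))
```

To apply this to a real DC certificate, feed it the value of the KeyUsage extension (OID 2.5.29.15) as extracted by your certificate tooling; a certificate that carries only digitalSignature passes with an (EC)DHE suite but fails with RSA key exchange.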

  2. #2

    In authenticating to other domains I've discovered that a Windows Server 2008 R2 CA (enterprise, not standalone) issues a domain controller certificate with a V3 Domain Controller template, and this setup works without further tinkering. I never needed to import a certificate to the Zimbra server. The CA I'm still having trouble with is standalone, so it's entirely possible I've missed something in that certificate. (However, the Key Usage of the problematic certificate matches the Key Usage of the working certificate. No idea what that's about.)
