06-15-2016 01:50 AM - edited 06-15-2016 01:51 AM
Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
Hi
I'm struggling to integrate my appliance with AD
Key facts:
- My domain controllers have Personal certificates and an issuing and root CA
- My appliance is licensed
- I have tried both with a custom certificate on the HP OneView appliance (with the issuing and root CA concatenated) and self-signed
The error:
- If I choose not to specify a certificate for a domain controller when adding a directory, I get this message as it's trying to fetch the certificate:
"The security certificate is not trusted because the certificate chain is invalid. Resolution: Correct the certificate chain in the host and try registering again. The intermediate or root CA will be trusted when accepting certificates."
- If I try to specify the personal local computer certificate of the domain controller, I get one step further, but after passing domain user credentials, I get this error:
"The certificate entered for server XXXXFQDN:636 does not appear to be a valid certificate. For assistance, contact your administrator".
How can I troubleshoot this further? My VMware appliances have no issues integrating with AD, fetching certificates and working with LDAPS.
06-15-2016 01:34 PM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
Welcome @Eriksen1 to the HPE OneView Community Forums.
I just tested on a brand new 2.00.07 appliance, and had no issues adding my Active Directory DCs and Directory to the appliance. My primary DC is the Root CA, and I do not have any subordinate or other issuing CAs. Have you verified that the certs have not expired, especially in the cert chain? Can you look at the cert in the Certificates MMC snap-in and validate that your Domain Controller certificate is reported there as valid?
I am an HPE employee
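The two things the reply asks the poster to confirm, that the chain is complete and that nothing in it has expired, are exactly what an LDAPS client checks before it trusts a DC certificate. The following is an added example, not code from OneView or from this thread: it models chain building and date checks over hand-written stand-ins for parsed X.509 fields (the CA names, dates and the `cert()` helper are placeholders), without signature verification, and shows the two failure classes that produce a "chain is invalid" style rejection.

```python
"""Chain-building and validity checks of the kind an LDAPS client performs before it
trusts a domain controller certificate. Constructed example: the records below are
hand-written stand-ins for parsed X.509 fields, not real certificates, and no
signatures are verified."""
from datetime import datetime, timezone


def cert(subject, issuer, not_before, not_after, is_ca=False):
    """Minimal stand-in for a parsed X.509 certificate (constructed, hypothetical names)."""
    return {
        "subject": subject,
        "issuer": issuer,
        "not_before": datetime(*not_before, tzinfo=timezone.utc),
        "not_after": datetime(*not_after, tzinfo=timezone.utc),
        "is_ca": is_ca,
    }


def build_chain(leaf, bundle):
    """Walk issuer -> subject through `bundle` until a self-signed root is reached.

    Returns (chain, error); error is None when the walk ends at a self-signed cert.
    """
    chain, current, seen = [leaf], leaf, {leaf["subject"]}
    while current["issuer"] != current["subject"]:
        parents = [c for c in bundle if c["subject"] == current["issuer"]]
        if not parents:
            return chain, f"issuer '{current['issuer']}' is not in the trust bundle"
        current = parents[0]
        if current["subject"] in seen:
            return chain, "issuer loop in bundle"
        seen.add(current["subject"])
        chain.append(current)
    return chain, None


def check_chain(chain, now):
    """Date and basicConstraints checks on every link of an already-built chain."""
    problems = []
    for c in chain:
        if now < c["not_before"]:
            problems.append(f"{c['subject']}: not yet valid (from {c['not_before'].date()})")
        if now > c["not_after"]:
            problems.append(f"{c['subject']}: expired {c['not_after'].date()}")
    for issuer in chain[1:]:
        if not issuer["is_ca"]:
            problems.append(f"{issuer['subject']}: signs certificates but is not a CA")
    return problems


def validate(leaf, bundle, now):
    """Return [] when the leaf chains to a self-signed root and every link is in date."""
    chain, error = build_chain(leaf, bundle)
    problems = check_chain(chain, now)
    if error:
        problems.insert(0, error)
    return problems


# Constructed PKI: leaf -> issuing CA -> root CA (names and dates are placeholders).
ROOT = cert("CN=Example Root CA", "CN=Example Root CA", (2010, 1, 1), (2035, 1, 1), is_ca=True)
ISSUING = cert("CN=Example Issuing CA", "CN=Example Root CA", (2012, 1, 1), (2027, 1, 1), is_ca=True)
DC_LEAF = cert("CN=dc1.local.dom", "CN=Example Issuing CA", (2016, 1, 1), (2018, 1, 1))
STALE_ISSUING = cert("CN=Example Issuing CA", "CN=Example Root CA", (2005, 1, 1), (2015, 1, 1), is_ca=True)
NOW = datetime(2016, 6, 16, tzinfo=timezone.utc)


def full_bundle():
    """Leaf plus issuing and root CA: nothing to report."""
    return validate(DC_LEAF, [ISSUING, ROOT], NOW)  # returns []


def missing_intermediate():
    """Only the root was supplied: the walk dead-ends at the issuing CA's name."""
    return validate(DC_LEAF, [ROOT], NOW)


def expired_intermediate():
    """The leaf is in date but the issuing CA it chains to is not."""
    return validate(DC_LEAF, [STALE_ISSUING, ROOT], NOW)


if __name__ == "__main__":
    for fn in (full_bundle, missing_intermediate, expired_intermediate):
        print(f"{fn.__name__}: {fn() or 'OK'}")
```

The second case is the one to look for when an appliance is given a concatenated bundle: if the issuing CA is absent from what the appliance can see, the leaf's issuer name resolves to nothing and the chain is reported invalid even though every certificate on the DC itself is fine.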
06-15-2016 11:15 PM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
Hi Chris,
Yeah, the domain controllers' certs and the chain are entirely valid for many years to come.
LDAPS/AD integration works /perfectly/ with VMware vRealize Log Insight, vRealize Operations Manager, a McAfee product for device control, and also tested with LDP, in the same environment.
Perhaps OneView demands that the certificates/chain be in a certain form.
The problem seems to be that OneView doesn't spit out enough troubleshooting information and it's entirely locked down so that logs cannot be seen. I know it's an appliance, but other vendors have taken a different approach and let you log on as root for various purposes, such as troubleshooting, password reset and so on. This is HP's prerogative of course, but it makes it more annoying for developers.
Thanks for replying in any case.
Perhaps a support case with the support bundle attached (which of course cannot be viewed by normal humans either) is prudent.
06-16-2016 02:32 AM - edited 06-16-2016 02:50 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
I tried PowerShell and New-HPOVLdapDirectory. I only get "New-ErrorRecord: Cannot bind argument to parameter "ErrorId" because it is an empty string."
With -verbose, I get the same as above, "the certificate entered for server blablaDC1:636 does not appear to be a valid certificate". AUTHN_LOGINDOMAIN_INVALID_CERTIFICATE.
The remote server returned an error (400) Bad Request.
06-16-2016 05:28 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
Been doing some wiresharking and the connection just stops after both parties have sent "Change Cipher Spec". Really impossible to troubleshoot further without looking at the OneView logs.
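What the capture shows can be reasoned about at the record layer without the appliance logs. The block below is an added example, not code or data from this thread: it frames hand-built TLS 1.2 records (placeholder bodies, constructed byte streams, not a real capture) and classifies what each side sent. The point it illustrates is that in TLS 1.2 a side's ChangeCipherSpec is immediately followed by its encrypted Finished, so "both parties sent ChangeCipherSpec, then the connection stops" means the handshake itself completed and the client's TLS stack did not reject the certificate with a plaintext alert; whatever rejected the server happened after the handshake, where any alert is encrypted and indistinguishable from application data in a capture. Compare the second scenario, a client whose TLS stack distrusts the chain, which aborts with a visible alert before any ChangeCipherSpec.

```python
"""Record-level triage of a captured LDAPS (TLS 1.2) exchange, for the situation where the
connection is dropped right after both sides send ChangeCipherSpec. Constructed example:
the byte streams below are hand-built records, not a real capture."""
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
         46: "certificate_unknown", 48: "unknown_ca", 112: "unrecognized_name"}


def record(ctype, payload):
    """TLS record: content type (1), version (2, TLS 1.2 = 0x0303), length (2), payload."""
    return bytes([ctype]) + b"\x03\x03" + struct.pack(">H", len(payload)) + payload


def handshake(htype, body):
    """Handshake message: type (1), length (3), body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split one direction's byte stream into (content_type, payload) pairs."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 5:
            raise ValueError("truncated record header")
        ctype, length = data[i], struct.unpack(">H", data[i + 3:i + 5])[0]
        payload = data[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        out.append((ctype, payload))
        i += 5 + length
    return out


def triage(flows):
    """flows: list of (sender, bytes) in wire order. Returns (events per sender, verdict)."""
    events = {"client": [], "server": []}
    ccs = {"client": False, "server": False}
    fatal = None
    for sender, data in flows:
        for ctype, payload in parse_records(data):
            if ccs[sender]:
                # Everything a side sends after its ChangeCipherSpec is encrypted: its
                # Finished, any alert and any application data look alike in a capture.
                events[sender].append("encrypted " + CONTENT.get(ctype, str(ctype)))
            elif ctype == 20:
                ccs[sender] = True
                events[sender].append("ChangeCipherSpec")
            elif ctype == 22:
                j = 0  # one record may carry several handshake messages
                while j < len(payload):
                    htype = payload[j]
                    hlen = int.from_bytes(payload[j + 1:j + 4], "big")
                    events[sender].append(HANDSHAKE.get(htype, f"handshake#{htype}"))
                    j += 4 + hlen
            elif ctype == 21:
                desc = ALERT.get(payload[1], str(payload[1]))
                events[sender].append(f"Alert({desc})")
                if payload[0] == 2:  # fatal level
                    fatal = fatal or f"{sender} aborted the handshake with {desc}"
    if fatal:
        verdict = fatal
    elif ccs["client"] and ccs["server"]:
        verdict = ("handshake completed on both sides: the TLS layer accepted the certificate; "
                   "look for a post-handshake check or an encrypted alert")
    else:
        verdict = "handshake incomplete"
    return events, verdict


_CERT_BODY = b"\x00" * 16  # placeholder, not a DER certificate


def thread_scenario():
    """What the poster reports: both ChangeCipherSpec, then the client closes."""
    return triage([
        ("client", record(22, handshake(1, b"\x03\x03" + b"\x00" * 8))),
        ("server", record(22, handshake(2, b"\x03\x03") + handshake(11, _CERT_BODY) + handshake(14, b""))),
        ("client", record(22, handshake(16, b"\x00" * 4)) + record(20, b"\x01") + record(22, b"\xaa" * 12)),
        ("server", record(20, b"\x01") + record(22, b"\xbb" * 12)),
    ])


def untrusted_ca_scenario():
    """A client whose TLS stack rejects the chain: fatal alert before any ChangeCipherSpec."""
    return triage([
        ("client", record(22, handshake(1, b"\x03\x03" + b"\x00" * 8))),
        ("server", record(22, handshake(2, b"\x03\x03") + handshake(11, _CERT_BODY) + handshake(14, b""))),
        ("client", record(21, bytes([2, 48]))),
    ])


if __name__ == "__main__":
    for fn in (thread_scenario, untrusted_ca_scenario):
        events, verdict = fn()
        print(fn.__name__, events, "->", verdict)
```

The server only sends its own ChangeCipherSpec after it has verified the client's Finished, so a capture in which the server's ChangeCipherSpec appears is one in which key exchange succeeded end to end; the remaining suspects are checks the client application runs on the certificate after the handshake, such as matching the configured server address against the certificate's names.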
06-16-2016 09:11 AM - edited 06-16-2016 09:12 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
One thing I've been thinking about. Do the certificates need the IP in the subject alternative name as well as the FQDN? Ours only have the FQDN, and maybe that's what OneView is whining about (but no other applications/appliances/services do).
I just successfully integrated a proliant server's iLO with AD/LDAPS and it had no problem.
I got a Warning when testing the directory though, which might be relevant: "Certificate subject Mismatch, verify Failed".
06-16-2016 10:12 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
The Hostname value will need to match either the Subject or SAN value. So, if you are using an IP Address and it's not in either field, you need to make sure the FQDN (if that is present) is used.
I am an HPE employee
06-16-2016 11:40 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
The SAN is the FQDN / hostname / common name.
I was wondering if IP is also needed though and/or the short name as well.
Since LDAPS is working with so many products in my environment, everything I've thrown at it besides HP OneView, I think it's some sort of fringe issue with the appliance.
iLO LDAPS AD-integration = OK
vRealize Opsmgr LDAPS AD-integration = OK
vRealize Log Insight LDAPS AD-integration = OK
LDP LDAPS connection = OK
McAfee product LDAPS AD-integration = OK
HP OneView = lol no ur certificate is invalid and I'm not gonna give you any debugging info beyond contacting "the administrator"
Regrettably I can't look at the logs or get any troubleshooting info at all beyond that it thinks something valid is invalid.
I will try recreating the certificate(s) tomorrow and adding more flesh to the SAN (FQDN + IP first, then FQDN + shortname + IP).
06-16-2016 11:44 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
I can't speak for your other products. They could very well be ignoring the SAN value, and maybe even the Subject, to validate the cert against the hostname you provide. What you have not told me yet is what value you are providing for the Directory Server Address. Are you using an FQDN or IP? Again, either will work. I'm using the default Domain Controller Certificate Policy in my lab, and as stated had no issues adding my DCs to a 2.00.07 appliance.
The only way to look at log files is to open a support case and provide an Appliance Support Dump.
I am an HPE employee
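The rule stated twice above, that the address typed for the directory server must appear in the certificate's SAN (or, failing that, its Subject), is worth seeing as code, because it answers the question of whether the IP or short name "also" needs to be in the certificate: only whatever the client is configured to connect to has to be there. The block below is an added example and is not OneView's validation logic, which the thread does not disclose; it implements the standard matching rules (IP literals against iPAddress SANs only, names against dNSName SANs, CN consulted only when no dNSName SAN exists, wildcard only as the whole leftmost label) over constructed certificate dicts in the layout that Python's `ssl.getpeercert()` returns. The names `dc1.local.dom` and `10.0.0.5` are placeholders.

```python
"""Hostname-to-certificate matching of the kind a directory client applies after the TLS
handshake: the name typed as the directory server address must appear in the certificate.
Constructed example: the cert dicts below follow the shape of ssl.getpeercert() but are
hand-written placeholders, not real DC certificates."""
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; '*' is accepted only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, server_address):
    """Return (ok, reason). IP literals are checked against iPAddress SANs, names against
    dNSName SANs; the subject CN is consulted only when the cert has no dNSName SAN."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in sans if k == "DNS"]
    ip_sans = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(server_address)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, f"{server_address} matches an iPAddress SAN"
        return False, f"{server_address} is an IP literal but iPAddress SANs are {ip_sans or 'absent'}"
    if dns_sans:
        if any(_dns_match(v, server_address) for v in dns_sans):
            return True, f"{server_address} matches a dNSName SAN"
        return False, f"{server_address} not among dNSName SANs {dns_sans} (CN ignored when SANs exist)"
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(v, server_address) for v in cn):
        return True, f"{server_address} matches subject CN (no SAN present)"
    return False, f"{server_address} matches neither SAN nor CN {cn}"


# Constructed certificates (placeholder names, same layout as ssl.getpeercert()).
DC_CERT_FQDN_ONLY = {
    "subject": ((("commonName", "dc1.local.dom"),),),
    "subjectAltName": (("DNS", "dc1.local.dom"),),
}
DC_CERT_FULL_SAN = {
    "subject": ((("commonName", "dc1.local.dom"),),),
    "subjectAltName": (("DNS", "dc1.local.dom"), ("DNS", "dc1"), ("IP Address", "10.0.0.5")),
}
ADDRESSES = ("dc1.local.dom", "DC1.LOCAL.DOM", "dc1", "10.0.0.5")


def results(cert):
    """Outcome for each way the directory server address might be typed."""
    return {addr: match_hostname(cert, addr)[0] for addr in ADDRESSES}


if __name__ == "__main__":
    for name, c in (("FQDN-only SAN", DC_CERT_FQDN_ONLY), ("FQDN+short+IP SAN", DC_CERT_FULL_SAN)):
        print(name, results(c))
        for addr in ("dc1", "10.0.0.5"):
            print("   ", match_hostname(c, addr)[1])
```

With a certificate that carries only the FQDN, the FQDN (in any letter case) is the single address that can pass; the short name and the IP fail not because the certificate is bad but because they are not names the certificate makes any claim about. Adding them as extra SAN entries makes all three pass, which is the "more flesh to the SAN" experiment in this thread expressed as the check a client performs.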
06-16-2016 11:56 AM
Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853
I've tested with every possible value. IP, shortname (e.g. DC1) and FQDN (e.g. DC1.local.dom).
I'll try setting up a fresh VM tomorrow and redo the certs.
If not we'll need to escalate to HP Support I guess.
Thanks for responding thus far Chris.