Eriksen1
Advisor

Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Hi

I'm struggling to integrate my appliance with AD

Key facts:

- My domain controllers have Personal certificates and an issuing and root CA
- My appliance is licensed
- I have tried both with a custom certificate on the HP OneView appliance (with the issuing and root CA concatenated) and self-signed

The error:

- If I choose to not specify a certificate for a domain controller when adding a directory, I get this message as it's trying to fetch the certificate:

"The security certificate is not trusted because the certificate chain is invalid. Resolution: Correct the certificate chain in the host and try registering again. The intermediate or root CA will be trusted when accepting certificates."

- If I try to specify the personal local computer certificate of the domain controller, I get one step further, but after passing domain user credentials, I get this error:

"The certificate entered for server XXXXFQDN:636 does not appear to be a valid certificate. For assistance, contact your administrator".

How can I troubleshoot this further? My VMware appliances have no issues integrating with AD, fetching certificates and working with LDAPS.

ChrisLynch
HPE Pro

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Welcome @Eriksen1 to the HPE OneView Community Forums.

I just tested on a brand new 2.00.07 appliance, and had no issues adding my Active Directory DCs and Directory to the appliance. My primary DC is the Root CA, and I do not have any subordinate or other issuing CAs. Have you verified that the certs have not expired, especially in the cert chain? Can you look at the cert in the Certificates MMC snap-in, and validate that your Domain Controller certificate is reported there as valid?

I am an HPE employee

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Hi Chris,

Yeah, the domain controllers' certs and the chain are entirely valid for many years to come.

LDAPS/AD integration works /perfectly/ with VMware vRealize Log Insight, vRealize Operations Manager, a McAfee product for device control, and also tested with LDP. In the same environment.

Perhaps OneView demands the certificates/chain to be in one certain way.

The problem seems to be that OneView doesn't spit out enough troubleshooting information and it's entirely locked down so that logs cannot be seen. I know it's an appliance, but other vendors have taken a different approach and let you log on as root for various purposes, such as troubleshooting, reset of password and so on. This is HP's prerogative of course, but it makes it more annoying for developers.

Thanks for replying in any case.

Perhaps a support case with the support bundle attached (which of course cannot be viewed by normal humans either) is prudent.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I tried PowerShell and New-HPOVLdapDirectory. I only get "New-ErrorRecord: Cannot bind argument to parameter "ErrorId" because it is an empty string."

With -verbose, I get the same as above, "the certificate entered for server blablaDC1:636 does not appear to be a valid certificate". AUTHN_LOGINDOMAIN_INVALID_CERTIFICATE.

The remote server returned an error (400) Bad Request.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Been doing some wiresharking and the connection just stops after both parties have sent "Change Cipher Spec". Really impossible to troubleshoot further without looking at the OneView logs.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

One thing I've been thinking about. Do the certificates need the IP in the subject alternative name as well as the FQDN? Ours only have the FQDN, and maybe that's what OneView is whining about (but no other applications/appliances/services do...).

I just successfully integrated a ProLiant server's iLO with AD/LDAPS and it had no problem.

I got a warning when testing the directory though, which might be relevant: "Certificate subject Mismatch, verify Failed".

ChrisLynch
HPE Pro

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

The Hostname value will need to match either the Subject or SAN value. So, if you are using an IP Address and it's not in either field, you need to make sure the FQDN (if that is present) is used.


Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

The SAN is the FQDN / hostname / common name.

I was wondering if the IP is also needed though and/or the short name as well.

Since LDAPS is working with so many products in my environment, everything I've thrown at it besides HP OneView, I think it's some sort of fringe issue with the appliance.

iLO LDAPS AD-integration = OK

vRealize Opsmgr LDAPS AD-integration = OK

vRealize Log Insight LDAPS AD-integration = OK

LDP LDAPS connection = OK

McAfee product LDAPS AD-integration = OK

HP OneView = lol no ur certificate is invalid and I'm not gonna give you any debugging info beyond contacting "the administrator"

Regrettably I can't look at the logs or get any troubleshooting info at all beyond that it thinks something valid is invalid.

I will try recreating the certificate(s) tomorrow and adding more flesh to the SAN (FQDN + IP first, then FQDN + shortname + IP).

ChrisLynch
HPE Pro

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I can't speak for your other products. They could very well be ignoring the SAN value, and maybe even the Subject, to validate the cert against the hostname you provide. What you have not told me yet is what value you are providing for the Directory Server Address. Are you using an FQDN or IP? Again, either will work. I'm using the default Domain Controller Certificate Policy in my lab, and as stated had no issues adding my DCs to a 2.00.07 appliance.

The only way to look at log files is to open a support case and provide an Appliance Support Dump.
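Chris's two points in this thread (the name entered as Directory Server Address must match the Subject or a SAN entry, and the chain must validate) are exactly what a practitioner would check on the DC's own LDAPS certificate before opening a support case. The PowerShell function below is an added example, not code from the thread, from HPE or from the OneView PowerShell library; the default server name is a placeholder, and the SAN parsing assumes the Windows `Format()` output style.

```powershell
# Added example, not code from the thread or from HPE: capture the certificate an
# LDAPS endpoint presents and run the checks the two appliance errors map to
# (chain validity, hostname vs. Subject/SAN, Server Authentication EKU).
# The default server name is a placeholder; pass your DC's FQDN or IP instead.
function Test-LdapsCertificate {
    param(
        [string] $Server = 'dc1.example.local',   # placeholder, not a real host
        [int]    $Port   = 636
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Callback returns $true so the handshake completes even for a bad cert;
        # every check below is done explicitly on the captured certificate.
        $ssl = [System.Net.Security.SslStream]::new(
            $tcp.GetStream(), $false, { param($sender, $c, $ch, $errors) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    # Chain check. Intermediates must be in the local store, sent by the DC, or
    # fetchable via AIA; a client holding only the root fails otherwise.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # SAN entries (OID 2.5.29.17): Windows Format() yields "DNS Name=x" lines; keep the value after '='.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split '\r?\n' |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # The Directory Server Address you type must appear in the SAN (or the CN).
    $hostOk = ($sanNames -contains $Server) -or
              ($cert.GetNameInfo('DnsName', $false) -eq $Server)
    # LDAPS requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    [pscustomobject]@{
        Server = $Server; Subject = $cert.Subject; Issuer = $cert.Issuer
        NotAfter = $cert.NotAfter; SubjectAltNames = $sanNames -join ', '
        HostnameMatches = $hostOk; ChainValid = $chainOk; ChainStatus = $chainStatus
        ServerAuthEku = $ekuOk
    }
}
```

Run it once with the FQDN and once with the IP you intend to enter in the appliance; a `HostnameMatches` of False for the IP form is the "Certificate subject Mismatch" case, and a non-empty `ChainStatus` is the "certificate chain is invalid" case.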

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I've tested with every possible value. IP, shortname (e.g. DC1) and FQDN (e.g. DC1.local.dom).

I'll try setting up a fresh VM tomorrow and redo the certs.

If not we'll need to escalate to HP Support I guess.

Thanks for responding thus far Chris.