Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Eriksen1
Advisor


Got it working today, at least partially.


Previous certificate: Domain Controller WK12k R2 template changed to use ECDH_P256 instead of RSA as the Cryptographic Service Provider.

Trying to fetch certificate by not specifying BASE-64: DOES NOT WORK, same error as earlier.

Specifying Personal Certificate of DC: DOES NOT WORK, says certificate "appears to be INVALID".


New certificate:

Domain Controller WK12k R2 template and all default settings, RSA as Cryptographic Service Provider.

Trying to fetch certificate by not specifying BASE-64: DOES NOT WORK, same error as earlier.

Specifying Personal Certificate of DC: WORKS.


Could you try with a different CSA than RSA, e.g. ECDH_P256, Chris?

Eriksen1
Advisor


Interesting finding: Using New-HPOVLdapServer, the certificate is fetched.

Still not possible with the UI in my environment.

Eriksen1
Advisor


OK, most likely found the error.


HP OneView doesn't seem to support any other Cryptographic Service Provider than RSA in certificates. When the chain is made up of Elliptical Curves (ECDH_P256) it will not recognize it. If just the personal certificate of the domain controller uses RSA, but the chain uses something else, e.g. ECDH_P256, you can add it using BASE64, but not by fetching it automatically. RBAC will work, but it's a work-around.


This is something HP needs to address in a future OneView update!
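The finding above boils down to a question an admin can answer on the domain controller before touching OneView: which public-key algorithm does each certificate in the LDAPS chain use? The following PowerShell is an added diagnostic, not code from this thread or from HPE. It assumes the DC's LDAPS certificate sits in the local machine's Personal store and carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), as a certificate issued from the Domain Controller template does. It walks the chain, flags any non-RSA key (ECDH_P256 and other EC keys show up under the id-ecPublicKey OID), and, for the "RSA leaf on a non-RSA chain" case the post describes, writes the leaf out in Base64/PEM form so it can be pasted into OneView instead of fetched.

```powershell
# Added diagnostic (not part of the thread). Run in an elevated PowerShell on the DC.
# Assumption: the LDAPS cert is in Cert:\LocalMachine\My with the Server Authentication EKU.

$rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption
$ecOid  = '1.2.840.10045.2.1'      # id-ecPublicKey (ECDH_P256 / ECDSA_P256 keys use this)

$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' }

foreach ($cert in $serverCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation status is irrelevant to this check; avoid failing on an unreachable CRL.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    Write-Host "Certificate: $($cert.Subject)  (thumbprint $($cert.Thumbprint))"
    $nonRsa = @()
    foreach ($element in $chain.ChainElements) {
        $c   = $element.Certificate
        $oid = $c.PublicKey.Oid.Value
        if ($oid -eq $rsaOid)   { $alg = 'RSA' }
        elseif ($oid -eq $ecOid) { $alg = 'EC' }
        else                     { $alg = $oid }
        Write-Host ("  {0,-4} {1}" -f $alg, $c.Subject)
        if ($oid -ne $rsaOid) { $nonRsa += $c }
    }

    if ($nonRsa.Count -eq 0) {
        Write-Host '  All keys in the chain are RSA; automatic fetch in OneView should work.'
    }
    elseif ($cert.PublicKey.Oid.Value -eq $rsaOid) {
        Write-Host '  Leaf is RSA but the chain contains non-RSA keys; use the Base64 paste work-around.'
        # Emit the leaf as PEM for pasting into the OneView directory settings.
        $pem = "-----BEGIN CERTIFICATE-----`n" +
               [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
               "`n-----END CERTIFICATE-----"
        $outFile = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
        $pem | Set-Content -Path $outFile -Encoding ASCII
        Write-Host "  PEM written to $outFile"
    }
    else {
        Write-Host '  Leaf key is not RSA; reissue it from a template whose provider is RSA.'
    }
}
```

Running this on a DC whose issuing CA uses an EC key will list `EC` beside the CA entry and `RSA` beside the leaf, which is exactly the combination reported above where fetching fails but pasting works; if every line reads `RSA`, a fetch failure has some other cause and the certificate template is not the place to look.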