HPE OneView

Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Eriksen1
Advisor

Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Hi

 

I'm struggling to integrate my appliance with AD

 

Key facts:

- My domain controllers have Personal certificates and an issuing and root CA

- My appliance is licensed

- I have tried both with a custom certificate on the HP OneView appliance (with the issuing and root CA concatenated) and self-signed

 

The error:

- If I choose to not specify a certificate for a domain controller when adding a directory, I get this message as it's trying to fetch the certificate:

"The security certificate is not trusted because the certificate chain is invalid. Resolution: Correct the certificate chain in the host and try registering again. The intermediate or root CA will be trusted when accepting certificates."

 

- If I try to specify the personal local computer certificate of the domain controller, I get one step further, but after passing domain user credentials, I get this error: 

"The certificate entered for server XXXXFQDN:636 does not appear to be a valid certificate. For assistance, contact your administrator".

 

 

How can I troubleshoot this further? My VMware appliances have no issues integrating with AD, fetching certificates and working with LDAPS.

12 REPLIES
ChrisLynchHPE
Neighborhood Moderator

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Welcome @Eriksen1 to the HPE OneView Community Forums.

I just tested on a brand new 2.00.07 appliance and had no issues adding my Active Directory DCs and Directory to the appliance. My primary DC is the Root CA, and I do not have any subordinate or other issuing CAs. Have you verified that the certs have not expired, especially in the cert chain? Can you look at the cert in the Certificates MMC snap-in and validate that your Domain Controller certificate is reported there as valid?

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Hi Chris,

 

Yeah, the domain controllers' certs and the chain are entirely valid for many years to come.

 

LDAPS/AD integration works /perfectly/ with VMware vRealize Log Insight, vRealize Operations Manager, a McAfee product for device control, and also tested with LDP, in the same environment.

 

Perhaps OneView demands the certificates/chain to be in one certain way.

 

The problem seems to be that OneView doesn't spit out enough troubleshooting information, and it's entirely locked down so that logs cannot be seen. I know it's an appliance, but other vendors have taken a different approach and let you log on as root for various purposes, such as troubleshooting, password reset and so on. This is HP's prerogative of course, but it makes it more annoying for developers.

 

Thanks for replying in any case.

 

Perhaps a support case with the support bundle attached (which of course cannot be viewed by normal humans either) is prudent.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I tried PowerShell and New-HPOVLdapDirectory. I only get "New-ErrorRecord: Cannot bind argument to parameter "ErrorId" because it is an empty string."

 

With -verbose, I get the same as above: "the certificate entered for server blablaDC1:636 does not appear to be a valid certificate", AUTHN_LOGINDOMAIN_INVALID_CERTIFICATE.

 

The remote server returned an error (400) Bad Request.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Been doing some Wiresharking, and the connection just stops after both parties have sent "Change Cipher Spec". Really impossible to troubleshoot further without looking at the OneView logs.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

One thing I've been thinking about. Do the certificates need the IP in the Subject Alternative Name as well as the FQDN? Ours only have the FQDN, and maybe it's what OneView is whining about (but no other applications/appliances/services...).

 

I just successfully integrated a proliant server's iLO with AD/LDAPS and it had no problem.

 

I got a warning when testing the directory though, which might be relevant: "Certificate subject Mismatch, verify Failed".

ChrisLynchHPE
Neighborhood Moderator

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

The Hostname value will need to match either the Subject or SAN value. So, if you are using an IP address and it's not in either field, you need to make sure the FQDN (if that is present) is used.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

The SAN is the FQDN / hostname / common name.

 

I was wondering if IP is also needed though and/or the short name as well.

 

Since LDAPS is working with so many products in my environment, everything I've thrown at it besides HP OneView, I think it's some sort of fringe issue with the appliance.

 

iLO LDAPS AD-integration = OK

vRealize Opsmgr LDAPS AD-integration = OK

vRealize Log Insight LDAPS AD-integration = OK

LDP LDAPS connection = OK

McAfee product LDAPS AD-integration = OK

HP OneView = lol no ur certificate is invalid and I'm not gonna give you any debugging info beyond contacting "the administrator"

 

Regrettably, I can't look at the logs or get any troubleshooting info at all beyond that it thinks something valid is invalid.

 

I will try recreating the certificate(s) tomorrow and adding more flesh to the SAN (FQDN + IP first, then FQDN + shortname + IP).

ChrisLynchHPE
Neighborhood Moderator

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I can't speak for your other products. They could very well be ignoring the SAN value, and maybe even the Subject, to validate the cert against the hostname you provide. What you have not told me yet is what value you are providing for the Directory Server Address. Are you using an FQDN or IP? Again, either will work. I'm using the default Domain Controller Certificate Policy in my lab, and as stated had no issues adding my DCs to a 2.00.07 appliance.

The only way to look at log files is to open a support case and provide an Appliance Support Dump.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

I've tested with every possible value. IP, shortname (e.g. DC1) and FQDN (e.g. DC1.local.dom).

 

I'll try setting up a fresh VM tomorrow and redo the certs.

 

If not we'll need to escalate to HP Support I guess.

 

Thanks for responding thus far Chris.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Got it working today, at least partially.

 

Previous certificate: Domain Controller WK12k R2 template, changed to use ECDH_P256 instead of RSA as the Cryptographic Service Provider.

Trying to fetch the certificate by not specifying Base64: DOES NOT WORK, same error as earlier.

Specifying the Personal Certificate of the DC: DOES NOT WORK, says certificate "appears to be INVALID".

 

New certificate:

Domain Controller WK12k R2 template with all default settings, RSA as Cryptographic Service Provider.

Trying to fetch the certificate by not specifying Base64: DOES NOT WORK, same error as earlier.

Specifying the Personal Certificate of the DC: WORKS.

 

Could you try with a different CSP than RSA, e.g. ECDH_P256, Chris?

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

Interesting finding: Using New-HPOVLdapServer, the certificate is fetched.

Still not possible with the UI in my environment.

Eriksen1
Advisor

Re: Cannot integrate with Active Directory - HP OneView 2.00.07-0250853

OK, most likely found the error.

 

HP OneView doesn't seem to support any other Cryptographic Service Provider than RSA in certificates. When the chain is made up of elliptic curve (ECDH_P256) certificates, it will not recognize it. If just the personal certificate of the domain controller uses RSA but the chain uses something else, e.g. ECDH_P256, you can add it using Base64, but not by fetching it automatically. RBAC will work, but it's a work-around.

 

This is something HP needs to address in a future OneView update!
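An added check, not part of this thread and not HPE's tooling: the shell script below pulls the certificate chain a domain controller presents on 636 (or builds a constructed demo chain with the openssl CLI), verifies the chain against its own trust anchor, reports every certificate's public key algorithm, and confirms that the name you would type into OneView appears in the leaf's CN or SAN. That covers the three things this thread ran into in order: the "certificate chain is invalid" fetch error, the "Certificate subject Mismatch" warning when the Directory Server Address is not in the SAN, and the final finding that an ECDH_P256 (EC) CA chain under an RSA leaf is rejected. The names dc1.local.dom, DC1, 192.0.2.10 and the "Demo" CA subjects are invented for the demo; it needs only a POSIX shell and openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the HPE forum thread or HPE's tooling. Requires the
# openssl CLI (1.1.1 or later). Names, IPs and CA subjects below are invented.

# fetch_chain HOST PORT OUTFILE : save every PEM certificate the LDAPS server
# sends during the TLS handshake (leaf first); this is what an automatic
# "fetch the certificate" step has to work with.
fetch_chain() {
  host=$1; port=$2; out=$3
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# split_chain CHAIN.PEM DIR : write DIR/cert-0.pem (leaf), cert-1.pem, ...
split_chain() {
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", d, n++) }
                 { print > f }' "$1"
}

# key_algorithm CERT.PEM : prints rsaEncryption, id-ecPublicKey, ...
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# cert_names CERT.PEM : prints the subject CN and every SAN DNS/IP entry, one per line
cert_names() {
  openssl x509 -in "$1" -noout -text | awk '
    /^ *Subject:/              { sub(/.*CN *= */, ""); sub(/,.*/, ""); print }
    /Subject Alternative Name/ { getline; gsub(/, */, "\n"); gsub(/ *(DNS|IP Address|URI|email):/, ""); print }
  ' | sed '/^$/d'
}

# check_chain CHAIN.PEM NAME : verify the chain against its own last certificate,
# list each certificate's key algorithm, and confirm NAME is in the leaf CN/SAN.
# Returns 1 if the chain does not verify, if any key is not RSA (the condition
# the thread ended on), or if NAME is absent (the "subject Mismatch" case).
check_chain() {
  chain=$1; name=$2; status=0
  dir=$(mktemp -d); split_chain "$chain" "$dir"
  last=""; for c in "$dir"/cert-*.pem; do last=$c; done
  untrusted=""
  for c in "$dir"/cert-*.pem; do
    [ "$c" = "$last" ] || untrusted="$untrusted -untrusted $c"
  done
  if ! openssl verify -CAfile "$last" $untrusted "$dir/cert-0.pem" >/dev/null 2>&1; then
    echo "chain does not verify against $(openssl x509 -in "$last" -noout -subject)"; status=1
  fi
  for c in "$dir"/cert-*.pem; do
    alg=$(key_algorithm "$c")
    echo "$(openssl x509 -in "$c" -noout -subject): $alg"
    case $alg in
      rsaEncryption) ;;
      *) echo "  non-RSA key ($alg): the thread saw OneView 2.00.07 reject this"; status=1 ;;
    esac
  done
  if ! cert_names "$dir/cert-0.pem" | grep -qxF "$name"; then
    echo "  '$name' is not in the leaf CN/SAN; present names: $(cert_names "$dir/cert-0.pem" | tr '\n' ' ')"
    status=1
  fi
  rm -rf "$dir"
  return $status
}

# make_demo_chain DIR ec|rsa : constructed three-tier chain (root CA -> issuing CA
# -> DC leaf with SAN dc1.local.dom, DC1, 192.0.2.10) written to DIR/chain.pem.
# The CAs use P-256 keys (ec, like the ECDH_P256 template) or RSA; the leaf is
# always RSA, which is the "RSA leaf, EC chain" combination from the thread.
make_demo_chain() {
  dir=$1; mkdir -p "$dir"
  case $2 in
    ec)  ca_key="-algorithm EC -pkeyopt ec_paramgen_curve:P-256" ;;
    rsa) ca_key="-algorithm RSA -pkeyopt rsa_keygen_bits:2048" ;;
    *)   echo "usage: make_demo_chain DIR ec|rsa" >&2; return 2 ;;
  esac
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  printf 'subjectAltName=DNS:dc1.local.dom,DNS:DC1,IP:192.0.2.10\n' > "$dir/leaf.ext"
  openssl genpkey $ca_key -out "$dir/root.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/root.key" -subj "/CN=Demo Root CA" -days 365 \
    -out "$dir/root.pem" 2>/dev/null
  openssl genpkey $ca_key -out "$dir/issuing.key" 2>/dev/null
  openssl req -new -key "$dir/issuing.key" -subj "/CN=Demo Issuing CA" -out "$dir/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 365 -extfile "$dir/ca.ext" -out "$dir/issuing.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/leaf.key" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=dc1.local.dom" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" -CAcreateserial \
    -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/issuing.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Stand-alone use: `sh ldaps_chain_check.sh dc1.local.dom` checks a live DC on 636;
# with no argument it compares a constructed EC-signed chain against an all-RSA one.
tmp=$(mktemp -d)
if [ -n "${1:-}" ]; then
  fetch_chain "$1" 636 "$tmp/chain.pem"
  if check_chain "$tmp/chain.pem" "$1"; then echo "$1: chain looks acceptable"; else echo "$1: see findings above"; fi
else
  for ca in ec rsa; do
    make_demo_chain "$tmp/$ca" "$ca"
    if check_chain "$tmp/$ca/chain.pem" dc1.local.dom; then echo "$ca-signed chain: OK"; else echo "$ca-signed chain: FAIL"; fi
  done
fi
rm -rf "$tmp"
```

Run it with no arguments to see the two demo chains side by side: the EC-signed chain verifies fine (which is why every other LDAPS client in the thread was happy) but is flagged on the key algorithm of the CA certificates, while the RSA chain passes for the FQDN, the short name and the IP because all three are in the SAN. Against a real DC, hand it the exact string you type into the Directory Server Address field; if that string is not printed among the present names, the "subject Mismatch" warning is expected regardless of key type.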