HPE OneView

OneView Issue with Active Directory Authentication and Certificate Expiration

Simon-Heather
Occasional Contributor

I've just hit an issue using Active Directory (LDAPS) Authentication and OneView v1.20.

I had previously configured OneView to use Active Directory for authentication, which was all working fine until this morning, when I couldn't authenticate any more with any AD credentials.

Investigating further, I discovered that the LDAPS certificates on our AD servers had automatically been renewed (they seem to default to a year of validity), and therefore the directory server certificates used by OneView were not valid anymore. Logging on to OneView with a local admin user and replacing the directory certificates with the new ones fixed the issue.

The error message I was getting when trying to authenticate was the normal "Invalid username or password" one, not giving me any clue that the certificate had expired.

Can I therefore suggest a few OneView enhancements in this area:

1) If using directory authentication and the certificate is no longer valid, produce a logon error that says that.
2) Make the LDAPS certificate verification non-mandatory, the same as the Enclosure Onboard Administrator does, to give the administrator the choice of whether to use it or not.
3) Display decoded certificate information within OneView, the same as the Enclosure Onboard Administrator does, to make tracing this type of issue easier.
4) Maybe even a helpful warning message from OneView that the directory certificates are approaching their expiry date?
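
The failure described in this post (the directory server renews its LDAPS certificate while the appliance still holds the old one) can be caught from outside the appliance. The following is an added example, not part of the original post and not HPE code: it compares the certificate a domain controller serves on port 636 with a copy of the one stored in the appliance and warns ahead of expiry. The host name, file paths, the 30-day threshold and the function names are assumptions.

```python
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed warning threshold, not a OneView setting

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def days_left(not_after: str, now: datetime) -> int:
    """Whole days until a notAfter string such as 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def assess(served_der, pinned_der, not_after, now, warn_days=WARN_DAYS):
    """Return findings for one directory server; an empty list means healthy."""
    findings = []
    if fingerprint(served_der) != fingerprint(pinned_der):
        findings.append("MISMATCH: server presents a different certificate than the one stored")
    remaining = days_left(not_after, now)
    if remaining <= warn_days:
        findings.append(f"EXPIRING: served certificate has {remaining} day(s) left")
    return findings

def fetch(host: str, ca_file: str, port: int = 636):
    """Verified TLS handshake to the LDAPS port; returns (DER bytes, notAfter)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # live: <dc-hostname> <issuing-ca.pem> <stored-cert.pem>
        host, ca_file, pinned_file = sys.argv[1:4]
        with open(pinned_file) as fh:
            pinned_der = ssl.PEM_cert_to_DER_cert(fh.read().strip())
        served_der, not_after = fetch(host, ca_file)
        now = datetime.now(timezone.utc)
    else:  # offline demo with constructed values (not real certificates)
        served_der, pinned_der = b"constructed-renewed", b"constructed-old"
        not_after, now = "Jun  1 12:00:00 2025 GMT", datetime(2025, 5, 20, 12, tzinfo=timezone.utc)
    problems = assess(served_der, pinned_der, not_after, now)
    print("\n".join(problems) or "OK: stored certificate matches and is not near expiry")
```

A served certificate that is already expired, or that does not chain to the CA file, makes `fetch` raise `ssl.SSLCertVerificationError` instead of returning.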

1 REPLY
ChrisLynchHPE
Neighborhood Moderator

Re: OneView Issue with Active Directory Authentication and Certificate Expiration

Thank you for your feedback.  This information certainly goes towards improving the HP OneView product and experience.