Error "Unable to validate active directory credentials" while configuring Active directory in Aria Operations for Logs

Article ID: 324156

Updated On: 02-12-2025

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to configure Active Directory when the configuration fails because of an issue with ciphers.


Symptoms:

  • Performing Test Connection fails with this error: 
    Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password
  • In the /storage/core/loginsight/var/ui_runtime.log file, you see entries similar to:    
    [User login failure: Authentication error com.vmware.loginsight.commons.exceptions.AuthenticationException: Invalid or untrusted domain 'domain-name.com'.]
    [Exception caught by PIExceptionHandler]
    org.apache.catalina.connector.ClientAbortException: java.io.EOFException: The client aborted the connection
    [Submit form response {"succ":false,"validationErrors":[{"message":"Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.","detailMessage":"AuthenticationException: Invalid or untrusted domain 'domain-name.com'

Environment

VMware Aria Operations for Logs 8.12.x
VMware vRealize Log Insight 8.x
VMware Aria Operations for Logs 8.x

Cause

The following required ciphers were added to the disabled algorithms list:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256

In addition, the required cipher properties were not included in the /usr/lib/loginsight/application/etc/3rd_config/server.xml file.

Resolution

Note: Take a snapshot before making changes.

1. Open an SSH session as root to the primary node.
2. Modify the "java.security" file on the node:
    Note: For Aria Operations for Logs versions 8.12 and earlier, the java.security file is located at /usr/java/jre-vmware/lib/security/java.security.
    For Aria Operations for Logs 8.14 and above, the path is /usr/java/jre-vmware/conf/security/java.security.

4. Locate the line that starts with jdk.tls.disabledAlgorithms and change the entry
From: 
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH, DHE, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, RSA keySize < 512, DESede, TLSv1, TLSv1.1, \
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256
To: 
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH, DHE, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, RSA keySize < 512, DESede, TLSv1, TLSv1.1, \
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256
 
5. Modify the /usr/lib/loginsight/application/etc/3rd_config/server.xml file.

6. Locate the following line:
<Connector port="XX_STRATA_HTTPS_PORT_XX" maxHttpHeaderSize="65536" protocol="XX_STRATA_PROTOCOL_XX" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8" compression="off"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384"
compressableMimeType ="text/html,text/xml,text/plain,text/css,text/javascript,application/json"
keystoreFile="XX_STRATA_KEYSTORE_XX" keystorePass="XX_STRATA_KEYSTORE_PASSWORD_XX"
keystoreType="XX_STRATA_KEYSTORE_TYPE_XX" algorithm="XX_STRATA_ALGORITHM_XX"
keyAlias="XX_STRATA_KEYSTORE_ALIAS_XX" maxKeepAliveRequests="50" /> 
 
Change the ciphers property:
From:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
To: 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
 
7. Restart the loginsight service with the command:
systemctl restart loginsight
8. Repeat for each node in the cluster.
9. Configure the Authentication Configuration Active Directory again and test the connection.
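
A check for step 4, run before and after the edit on each node: it reports which of the six required ciphers are still listed in jdk.tls.disabledAlgorithms. This is an added example, not VMware code; the function names disabled_algorithms and still_disabled are hypothetical, and the script only reads the file.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.
# The six ciphers the article says must not be in jdk.tls.disabledAlgorithms.
REQUIRED_CIPHERS="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256"

# Print the effective jdk.tls.disabledAlgorithms entries, one per line.
# Joins backslash-continued lines, skips commented-out copies, and keeps the
# last assignment in the file (the one Java's property loader would use).
disabled_algorithms() {
    awk '
        !cont && /^[ \t]*#/ { next }
        cont || /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            if (!cont) value = ""
            line = $0
            cont = (line ~ /\\$/)
            sub(/\\$/, "", line)
            value = value line
        }
        END {
            sub(/^[^=]*=/, "", value)
            n = split(value, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Print each required cipher that is still disabled; exit status 1 if any is.
still_disabled() {
    list=$(disabled_algorithms "$1")
    rc=0
    for cipher in $REQUIRED_CIPHERS; do
        # -x -F: whole-line literal match, so ..._CBC_SHA never matches ..._CBC_SHA256
        if printf '%s\n' "$list" | grep -qxF "$cipher"; then
            echo "$cipher"
            rc=1
        fi
    done
    return "$rc"
}

# Run against a file given on the command line (the java.security path from step 2).
if [ -n "${1:-}" ]; then still_disabled "$1"; fi
```

Empty output with exit status 0 means none of the six ciphers is disabled any longer on that node.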