Why suddenly Policy Server permanently fails to connect to AD user/policy store via LDAPS connection?

book

Article ID: 36202

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Issue/Problem/Symptom:

Policy Server was connecting to Active Directory via secure channel as a Policy Store or a User Store.

It had been working fine but suddenly it has permanently lost connection to AD.

Connecting via LDAP(without SSL) works but that blocks users from changing their password.

 

Environment:

Policy Server: R12.52SP1 (Not limited to specific version or OS)

Active Directory: Windows Server 2008 (R2) or Windows Server 2012 (R2)

 

Cause:

Active Directory Certificate was silently updated with wrong certificate template(Domain Controller Authentication Template) resulting in a Certificate that lacks CN value.

Netscape LDAP SDK used in Policy Server for "LDAP" namespace requires CN(Subject Name) field of certificate and this fails.

* Certificate AutoRenew kicks in 6 weeks before expiry

 

Resolution:

Issue a new certificate using "Domain Controller" template.

* This issue does not occur when using AD namespace.

 

Additional Information:

[Domain Controller Template]

You can see here that the SUBJECT NAME will be sourced from the information available in the Active Directory.

<Please see attached file for image>

 

[Domain Controller Authentication Template]

You can see here that the SUBJECT NAME is "None" by default.

And it is adding "ALTERNATE SUBJECT NAME" using DNS name.

<Please see attached file for image>

Following screenshot will explain the template used for the initial Active Directory was from "Domain Controller" template.

And it also shows that the SUBJECT has a value of TESTMC1.ssl.lab.

<Please see attached file for image>

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Attachments

1558722270412000036202_sktwi1f5rjvs16we8.jpeg get_app
1558722268504000036202_sktwi1f5rjvs16we7.jpeg get_app
1558722266489000036202_sktwi1f5rjvs16we6.jpeg get_app