Troubleshooting LDAPS Authentication

Applies to: Ephesoft Transact 4.0.0.0 and above

Issue

LDAP authentication over SSL (LDAPS) fails with “Invalid Credentials: Error code 49”. When the server attempts to bind over the SSL connection, the following error appears in the catalina.out log file:

javax.naming.CommunicationException: simple bind failed: [server name]:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Root Cause

There are a few reasons why this may occur:

  1. The credentials could be invalid.
  2. The port configured could be incorrect.
  3. The certificate could be invalid.

Before proceeding, ensure that your credentials are entered correctly and that you have configured the correct port. The solution below describes how to resolve an invalid certificate.

Prerequisites

Ensure your Ephesoft server is already set up and integrated with Active Directory using LDAP. Otherwise, refer to one of the following articles to configure Active Directory using the Global Catalog Service Port or using the Standard LDAP Service Port.

Solution

The certificate file must be installed in the JDK’s truststore. Perform the following steps to enable LDAPS for the connection:

  1. Obtain the certificate file for the AD server that you are trying to access. For detailed instructions, refer to the following Microsoft article: LDAP over SSL (LDAPS) Certificate.

Note: The following steps use the keytool application, located at [Ephesoft_Directory]\jdk\bin, to import the certificate. The keytool app can be run from the command line.

  2. Add the certificate file to the JDK truststore. By default, the JDK uses cacerts as its truststore, located at [Ephesoft_Directory]\jdk\jre\lib\security\cacerts. The default cacerts password is “changeit”.
    1. Open the command line.
    2. Use the following command to import your certificate:

       keytool -keystore cacerts -import -trustcacerts -alias ad-myserver -file <certificate_file_name>

    3. Use the following command to list the installed certificates and confirm that the new alias is present:

       keytool -list -v -keystore cacerts

  3. Update the LDAP URL to use “ldaps://” instead of “ldap://”.
  4. Update the LDAP port to use port 636 instead of 389.

Note: Port 636 is the standard port used for an LDAPS connection. If you are connecting to the Active Directory Global Catalog on port 3268 with LDAP, you will need to change to port 3269 for LDAPS.

  5. Restart Ephesoft Transact.
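The following POSIX shell script is an added example that wraps the keytool steps above; it is not part of the Ephesoft article. It backs up cacerts before importing, passes -noprompt so the import can run unattended, uses keytool -list with the alias as the post-import check (keytool exits non-zero when the alias is absent), and rewrites the configured LDAP URL to its LDAPS form using the 389 to 636 and 3268 to 3269 port mapping the note describes. The JDK path, the certificate file name ad-server.cer and the host names are placeholders, not values from the page; on Windows the same keytool commands run unchanged from cmd with the [Ephesoft_Directory]\jdk\bin path.

```shell
#!/bin/sh
# Added example, not Ephesoft's own tooling. Paths and host names are placeholders.
set -eu

# Rewrite an ldap:// URL as ldaps://, translating the standard port (389 -> 636)
# and the Global Catalog port (3268 -> 3269). A URL that is already ldaps:// is
# returned unchanged; anything else is rejected. IPv6 literals are not handled.
ldaps_url() {
  url="$1"
  case "$url" in
    ldaps://*) printf '%s\n' "$url"; return 0 ;;
    ldap://*)  ;;
    *) printf 'not an LDAP URL: %s\n' "$url" >&2; return 1 ;;
  esac
  rest="${url#ldap://}"           # host[:port][/path]
  hostport="${rest%%/*}"          # host[:port]
  path="${rest#"$hostport"}"      # /path or empty
  host="${hostport%%:*}"
  case "$hostport" in
    *:*) port="${hostport##*:}" ;;
    *)   port=389 ;;                # no explicit port: assume the LDAP default
  esac
  case "$port" in
    389)  port=636 ;;
    3268) port=3269 ;;
  esac
  printf 'ldaps://%s:%s%s\n' "$host" "$port" "$path"
}

# Import the AD server certificate into the JDK truststore and confirm the alias
# exists afterwards. Arguments: JDK directory, certificate file,
# optional alias (default ad-myserver), optional store password (default changeit).
# The cacerts location follows the article's JDK 8 layout (jre/lib/security).
import_ad_cert() {
  jdk="$1"; cert="$2"; alias="${3:-ad-myserver}"; storepass="${4:-changeit}"
  keytool="$jdk/bin/keytool"
  cacerts="$jdk/jre/lib/security/cacerts"
  [ -x "$keytool" ] || { printf 'keytool not found at %s\n' "$keytool" >&2; return 1; }
  [ -f "$cert" ]    || { printf 'certificate file not found: %s\n' "$cert" >&2; return 1; }
  [ -f "$cacerts" ] || { printf 'truststore not found: %s\n' "$cacerts" >&2; return 1; }

  # Keep a timestamped copy so the truststore change can be reverted.
  cp "$cacerts" "$cacerts.bak.$(date +%Y%m%d%H%M%S)"

  "$keytool" -keystore "$cacerts" -storepass "$storepass" -import -trustcacerts \
             -noprompt -alias "$alias" -file "$cert"

  # Verification: -list with -alias fails (non-zero exit) if the alias is missing.
  "$keytool" -list -keystore "$cacerts" -storepass "$storepass" -alias "$alias"
}

# Usage (placeholder paths): sh ldaps_setup.sh /opt/ephesoft/jdk ad-server.cer
if [ "$#" -ge 2 ]; then
  import_ad_cert "$1" "$2"
  ldaps_url "ldap://dc01.example.com:389"    # prints ldaps://dc01.example.com:636
fi
```

Because the script only imports when given arguments, it can also be sourced to use ldaps_url alone when checking the URL and port values in the Transact LDAP configuration.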