
LDAPS issue Netscaler 10.5

Started by Campbell Kay , 12 September 2017 - 09:47 PM
2 replies to this topic

Campbell Kay Members

Campbell Kay
  • 62 posts

Posted 12 September 2017 - 09:47 PM

Hi Guys,

I have set up LDAPS, just having issues getting it connected.

I have unticked Validate LDAP Server Certificate.

When I review the aaad.debug log, I get the following errors, which look certificate related.


/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2864]: register_timer setting timer 240747
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2933]: unregister_timer releasing timer 240747
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/ldap_common.c[703]: ns_ldap_set_up_socket Server certificate host name = NULL
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/ldap_common.c[711]: ns_ldap_set_up_socket Setting timeouts for SSL/TLS.
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/ldap_common.c[744]: ns_ldap_set_up_socket Set cert verify level 0
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/ldap_common.c[761]: ns_ldap_set_up_socket setting up for SSL connection to : X.X.X.X:636
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/ldap_common.c[773]: ns_ldap_set_up_socket ldap_start_tls_s :Connect error
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2203]: send_reject_with_code Rejecting with error code 4005
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2230]: send_reject_with_code Not trying cascade again
Wed Sep 13 09:34:23 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2232]: send_reject_with_code sending reject to kernel for : test.user
Wed Sep 13 09:34:30 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[1707]: set_conf_list set ldap config for 'CITRIX_LDAP_pol'
Wed Sep 13 09:34:30 2017
/home/build/rs_105/usr.src/netscaler/aaad/naaad.c[1826]: print_all_conf all known auth configs


Am I missing something? Do I need to install a certificate from my DC into the NetScaler?


Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 13 September 2017 - 12:25 PM

Is X.X.X.X:636 a domain controller? Does the domain controller have a certificate on it? You can use ldp.exe to verify the connection on TCP 636 with SSL checked.
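
The check Carl describes, as an added example that is not part of the thread: a PowerShell function that opens a TLS session to the DC on 636 the way ldp.exe with SSL ticked does, and then reports the properties that NetScaler's "Validate LDAP Server certificate" option would test (name match, Server Authentication EKU, chain trust). The server name dc01.example.local and the function name are placeholders I chose; run it from a Windows host that can reach the DC.

```powershell
# Added example, not from the thread: reproduce the ldp.exe "SSL on 636" test and
# show why a NetScaler LDAP action might still reject the certificate.
# Assumptions: -Server is a placeholder FQDN; run on a Windows host that can reach it.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 636
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port) }
    catch { Write-Warning "Nothing listening on ${Server}:${Port}: $($_.Exception.Message)"; return }

    # Accept whatever certificate is offered during the handshake; it is inspected below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try { $ssl.AuthenticateAsClient($Server) }
    catch {
        # A DC with no usable Server Authentication cert in LocalMachine\My fails here;
        # on the NetScaler side that shows up as "ldap_start_tls_s :Connect error".
        Write-Warning "TLS handshake with ${Server}:${Port} failed: $($_.Exception.GetBaseException().Message)"
        $tcp.Close(); return
    }

    $protocol = $ssl.SslProtocol
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose(); $tcp.Close()

    # Name check: the name NetScaler connects to must appear in the SAN (or, failing that, the CN).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk = ($sanText -match [regex]::Escape($Server)) -or
              ($cert.Subject -match "CN=$([regex]::Escape($Server))(,|$)")

    # EKU check: Schannel only serves LDAPS with a Server Authentication (1.3.6.1.5.5.7.3.1) cert.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    [pscustomobject]@{
        Server        = $Server
        Protocol      = $protocol
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        NameMatches   = $nameOk
        ServerAuthEku = $ekuOk
        # Chain is built against this host's trust store; NetScaler keeps its own, so a
        # self-signed DC cert will show False here and must be imported there separately.
        ChainTrusted  = $cert.Verify()
    }
}

Test-LdapsEndpoint -Server 'dc01.example.local' | Format-List
```

If the handshake itself fails, the DC has nothing to serve and no NetScaler setting will help; that matches the log above, where the connection was refused even with certificate verification already at level 0. If the handshake succeeds but NameMatches or ServerAuthEku is False, the DC will work with validation unticked but will fail as soon as it is re-enabled.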



Campbell Kay Members

Campbell Kay
  • 62 posts

Posted 13 September 2017 - 11:56 PM

Hi Carl,

I have figured this out now.

I had to create a self-signed certificate for my domain controller; I just followed this page.

https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate

All works fine now.

Thank you.
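
The fix described in the post, worked through as an added example that is neither the poster's script nor Microsoft's documentation: it issues the self-signed certificate on the DC with the properties Schannel needs for LDAPS, verifies them, and exports the public certificate so the NetScaler can be told to trust it and "Validate LDAP Server certificate" can be turned back on rather than left unticked. The FQDN dc01.example.local and the export path are placeholders; run it elevated on the DC itself.

```powershell
# Added example, not from the thread: self-signed LDAPS certificate for a DC, checked
# and exported for the NetScaler. Assumptions: run elevated on the DC; $DcFqdn and
# $ExportPath are placeholders to replace.
$DcFqdn     = 'dc01.example.local'      # must be the name the NetScaler LDAP action connects to
$ExportPath = 'C:\Temp\ldaps-dc01.cer'

# Schannel picks the LDAPS cert out of LocalMachine\My: it needs a private key, a
# Server Authentication EKU (New-SelfSignedCertificate's default) and a matching name.
# Put the FQDN in the SAN; the short host name is added for clients that use it.
$cert = New-SelfSignedCertificate -DnsName $DcFqdn, $DcFqdn.Split('.')[0] `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# Verify what was issued before relying on it.
if (-not $cert.HasPrivateKey) { throw 'No private key in LocalMachine\My; LDAPS cannot use this cert.' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate lacks the Server Authentication EKU; LDAPS will not use it.'
}
"Issued $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Export only the public certificate (DER, no private key) for the NetScaler side.
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
"Exported public certificate to $ExportPath"
```

On the NetScaler, upload the exported .cer as a CA certificate, re-enable server certificate validation on the LDAP action, and set the action's LDAP host name to the same FQDN that is in the certificate; the appliance can only validate a self-signed certificate if it holds that exact certificate as a trust anchor. Note the default validity is short (one year on the platforms where -NotAfter is not available), so plan the renewal, and prefer a certificate from an enterprise CA over a self-signed one where one exists.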