WLS Cannot Connect to Active Directory on Port 636 - Attempts to Connect on an Example Domain
(Doc ID 2195595.1)
Last updated on OCTOBER 02, 2024
Applies to:
Oracle WebLogic Server - Version 12.1.3.0.0 and later
Information in this document applies to any platform.
Symptoms
On : 12.1.3.0.0 version, WLS Security
A WLS server in production mode will not connect to the AD server on port 636. It connects on port 389 just fine, but not on the secure port 636. There is a virtually identical Dev instance that does connect.
The following works:
ldapsearch -x -LLL -H ldaps://host.domain.net -D REDACTED -w REDACTED -b"DC=domain,DC=net" -s sub "(objectClass=user)" sAMAccountName
This means the host can connect to the AD server just fine. WLS will not.
ERROR
-----------------------
The error is this:
<Sep 22, 2016 4:42:11 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://example.com:636, the error cause is: Connection timed out.>
-- Note "example.com" is the literal name in the log.
After changing the Host to "FAKE.domain.net" and restarting the admin console, the error message changed to:
<Sep 22, 2016 4:34:07 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://FAKE.domain.net:636, the error cause is: FAKE.domain.net: unknown error.>
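Added example (not part of the Oracle note): a small Python parser for the BEA-099117 warnings quoted above. It extracts the provider name, the LDAP URL the provider actually tried and the cause, and flags when that host differs from the configured one, as with the literal "example.com" here. The function names, the failure classes and the use of host.domain.net (taken from the ldapsearch command) as the configured host are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the two warnings quoted in this note.
SAMPLE_LOG = """\
<Sep 22, 2016 4:42:11 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://example.com:636, the error cause is: Connection timed out.>
<Sep 22, 2016 4:34:07 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://FAKE.domain.net:636, the error cause is: FAKE.domain.net: unknown error.>
"""

BEA_099117 = re.compile(
    r'^<(?P<ts>[^>]+)> <Warning> <Security> <BEA-099117> '
    r'<The LDAP authentication provider named "(?P<provider>[^"]+)" '
    r'failed to make connection to ldap server at (?P<url>\S+), '
    r'the error cause is: (?P<cause>.*?)\.?>\s*$'
)

def classify(cause, host):
    """Heuristic mapping (an assumption) from the cause text to a failure class."""
    c = cause.lower()
    if "timed out" in c:
        return "network-timeout"   # firewall, routing, or wrong target host
    if c.startswith(host.lower() + ":") or "unknownhost" in c:
        return "name-resolution"   # the JVM could not resolve the host name
    if "ssl" in c or "certificate" in c or "handshake" in c:
        return "tls-trust"         # check the trust keystore WLS is using
    return "other"

def analyze(log_text, configured_host):
    findings = []
    for line in log_text.splitlines():
        m = BEA_099117.match(line.strip())
        if not m:
            continue
        url = urlparse(m["url"])
        host = url.hostname or ""  # urlparse lowercases the host name
        findings.append({
            "time": m["ts"],
            "provider": m["provider"],
            "scheme": url.scheme,
            "host": host,
            "port": url.port,
            "failure": classify(m["cause"], host),
            # True when the provider contacted a host other than the configured one
            "host_mismatch": host != configured_host.lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, "host.domain.net"):
        print(finding)
```

A host_mismatch on a provider that is configured with the correct AD host means the running server is not using the value shown in the configuration, which is a different problem from a TLS trust failure.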
Changes
The first thought was that this is failing because SSL is improperly set up for port 636, since the connection was working on 389.
Oracle Documentation to verify configuration:
Oracle WebLogic Server 12.1.3.0 Documentation > Administration Console Online Help > Active Directory Authentication Provider: Provider Specific
https://docs.oracle.com/cd/E57014_01/wls/WLACH/pagehelp/Securitysecurityauthenticatoractivedirectoryauthenticatorconfigproviderspecifictitle.html
Administering Security for Oracle WebLogic Server 12.1.3
14 Configuring LDAP Authentication Providers
https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG175
See:
- Configuring the Certificate Lookup and Validation Framework
- Configuring the WebLogic Keystore Provider
Use the Configuration > SSL page of the WebLogic Server Administration Console to specify identity and trust options when using a file or a JKS keystore accessed via the WebLogic Keystore provider.
Administration Console Online Help > Configure keystores
https://docs.oracle.com/middleware/1213/wls/WLACH/taskhelp/security/ConfigureKeystoresAndSSL.html
Cause