WLS Will Not Connect To Active Directory On Port 636 (Doc ID 2195595.1)

Last updated on AUGUST 08, 2017

Applies to:

Oracle WebLogic Server - Version 12.1.3.0.0 and later
Information in this document applies to any platform.

Symptoms

On version 12.1.3.0.0, WLS Security

A WLS server in production mode will not connect to the AD server on port 636. It connects on 389 just fine, but not on the secure port 636. A virtually identical Dev instance does connect.

The following works:

ldapsearch -x -LLL -H ldaps://host.domain.net -D REDACTED -w REDACTED -b "DC=domain,DC=net" -s sub "(objectClass=user)" sAMAccountName

This means the host can connect to the AD server just fine. WLS will not.

ERROR
-----------------------

The error is this:

<Sep 22, 2016 4:42:11 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://example.com:636, the error cause is: Connection timed out.>"

-- Note "example.com" is the literal name in the log.

After the Host was changed to "FAKE.domain.net" and the admin console was restarted, the error message changed to:

<Sep 22, 2016 4:34:07 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://FAKE.domain.net:636, the error cause is: FAKE.domain.net: unknown error.>
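
A triage sketch for the two BEA-099117 warnings above, added here as an example (it is not Oracle's code): it extracts the host WLS actually tried, compares it with the host that the ldapsearch test validated, and maps the error cause to the connection stage that failed. The function names and the cause-to-stage mapping are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Pattern for the BEA-099117 warning text as it appears in the excerpts above.
BEA_099117 = re.compile(
    r'<BEA-099117> <The LDAP authentication provider named "(?P<provider>[^"]+)" '
    r'failed to make connection to ldap server at (?P<url>\S+), '
    r'the error cause is: (?P<cause>.*?)\.?>'
)

def classify(cause, host):
    """Heuristic (assumed) mapping from the error cause to the failing stage."""
    c = cause.lower()
    if c.startswith(host.lower() + ":") or "unknown host" in c:
        return "name-resolution"   # the host name could not be resolved
    if "timed out" in c or "refused" in c:
        return "tcp-connect"       # TCP-level failure reaching host:port
    if any(k in c for k in ("ssl", "certificate", "handshake")):
        return "tls"               # trust/identity keystore territory
    return "other"

def triage(log_text, expected_host):
    """Return one finding per BEA-099117 warning found in log_text."""
    findings = []
    for m in BEA_099117.finditer(log_text):
        url = urlparse(m["url"])
        host = url.hostname or ""  # urlparse lower-cases the host name
        findings.append({
            "provider": m["provider"],
            "host": host,
            "port": url.port,
            "ldaps": url.scheme == "ldaps",
            "stage": classify(m["cause"], host),
            # True when WLS tried a host other than the one tested by hand
            "host_mismatch": host != expected_host.lower(),
        })
    return findings

# The two warnings quoted above; host.domain.net is the host used with ldapsearch.
SAMPLE = '''
<Sep 22, 2016 4:42:11 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://example.com:636, the error cause is: Connection timed out.>
<Sep 22, 2016 4:34:07 PM CDT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "ADLDAP" failed to make connection to ldap server at ldaps://FAKE.domain.net:636, the error cause is: FAKE.domain.net: unknown error.>
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE, "host.domain.net"):
        print(finding)
```

A finding with host_mismatch set means the provider is not contacting the host that was verified from the command line, which is worth checking before any keystore settings.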

 

Changes

The first suspicion is that SSL is improperly set up for port 636, since the connection works on 389.

Oracle Documentation to verify configuration:

Oracle WebLogic Server 12.1.3.0 Documentation > Administration Console Online Help > Active Directory Authentication Provider: Provider Specific
https://docs.oracle.com/cd/E57014_01/wls/WLACH/pagehelp/Securitysecurityauthenticatoractivedirectoryauthenticatorconfigproviderspecifictitle.html

Administering Security for Oracle WebLogic Server 12.1.3
14 Configuring LDAP Authentication Providers
https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG175

See:
- Configuring the Certificate Lookup and Validation Framework
- Configuring the WebLogic Keystore Provider

Use the Configuration > SSL page of the WebLogic Server Administration Console to specify identity and trust options when using a file or a JKS keystore accessed via the WebLogic Keystore provider.

Administration Console Online Help > Configure keystores
https://docs.oracle.com/middleware/1213/wls/WLACH/taskhelp/security/ConfigureKeystoresAndSSL.html

Cause
