[midPoint] Self-signed SSL certificate problem with exchange connector

Ващенков Алексей a.vashchenkov at solarsecurity.ru
Wed Jun 24 15:55:24 CEST 2015


On the test stand we use our “MEGA-ADMIN” :)
Yes, this user is in the Organisation Management group. You can see it in the screenshot in the previous message.

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 4:44 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector

OK, and what permissions in AD/Exchange does the account configured for the connector in midPoint have?

(DirectoryAdminName configurationProperty)

Is it in the Organization Management group?

Ivan
On 06/24/2015 02:59 PM, Ващенков Алексей wrote:
We are using version 1.4.1.20257 of the connector.
Here is the stack trace from the connector host:
ExchangeConnector Error: 1 : Exception while executing Create operation: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: [isim.isim.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
   --- End of inner exception stack trace ---
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception e, ErrorRecord error, String message) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 491
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1 errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 449
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace runspace, String script, ICollection`1 parameters) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 354
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 162
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 134
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 103
   at Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 531
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1 commands) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 185
   at Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line 112
   at Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 185
   at Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 170
    DateTime=2015-06-27T12:40:34.5850885Z
ConnectorServer.exe Error: 0 : Exception :
Type: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException
Message: [isim.isim.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.

Source: FrameworkInternal
Stacktrace:    at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception e, ErrorRecord error, String message) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 491
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1 errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 449
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace runspace, String script, ICollection`1 parameters) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 354
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 162
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 134
   at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 103
   at Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 531
   at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1 commands) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 185
   at Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line 112
   at Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 185
   at Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 177
   at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass objectClass, ICollection`1 createAttributes, OperationOptions options) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 442
   at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 247
   at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
   at Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line 1344
   at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
   at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line 626
  Inner Exception :
  Type: System.Management.Automation.Remoting.PSRemotingTransportException

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 3:42 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector

No; but in my scenario I had to be in the local Administrators group to be able to access the certificate store on the machine where Connector Server runs.

Can you be more precise about the Access Denied exception?

Ivan
On 06/24/2015 02:04 PM, Ващенков Алексей wrote:
The user is in both groups, local and domain administrators.
Do you suppose that the user must be only in the local administrators group?

Sent: Wednesday, June 24, 2015 2:55 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector

Please try to add that account to local Administrators on that computer (not Domain Administrators). I remember a situation where this helped. I also remember having written it somewhere :-(

Ivan
On 06/24/2015 01:50 PM, Ващенков Алексей wrote:
Thanks.
It helped a little bit. The documentation doesn’t point out that I also need to add the certificate to trusted roots using mmc.
After we imported the certificate and added it to trusted roots, I got an access denied exception. We tried to start the connector as System and as Administrator, but in both cases the access exception is thrown.
Maybe I am missing some preferences?

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 10:54 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector

Hi Алексей,

please check your steps with https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server

Last time I was connecting to AD through SSL, it helped me.

Regards,
Ivan
On 06/24/2015 09:42 AM, Ващенков Алексей wrote:
Hi.
We use a self-signed certificate for the connection to PowerShell. In the process of adding an account using the Exchange connector, it throws an exception:
====
The SSL certificate is signed by an unknown certificate authority. For more information, see the about_Remote_Troubleshooting Help topic. Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
We have added the certificate to trusted roots in Internet settings, but it doesn’t have any effect.
What should we do to prevent this exception from being thrown?







_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint






--

  Ing. Ivan Noris

  Senior Identity Management Engineer & IDM Architect

  evolveum.com                     evolveum.com/blog/

  ___________________________________________________

  "Semper Id(e)M Vix."
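A pre-flight check, run on the .NET Connector Server host, for the three things raised in this thread: which certificate store actually trusts the Exchange server's root (a certificate imported through Internet Options lands in CurrentUser\Root, which a service running as SYSTEM never sees), whether the connector account is a local Administrator, and whether that account can open the same Exchange remote PowerShell session the connector opens. This is an added example, not code from the thread or from the connector; the host name, account, port and endpoint URI are placeholders.

```powershell
# Added diagnostic for the Connector Server host; not part of the connector or the mails.
param(
    [string]$ExchangeHost     = 'exchange.example.local',  # placeholder
    [string]$ConnectorAccount = 'EXAMPLE\svc-midpoint',    # placeholder (DirectoryAdminName)
    [int]   $Port             = 443                        # assumption: HTTPS listener port
)

# 1. Fetch the server certificate. The callback accepts anything here only so the
#    handshake completes; trust is evaluated explicitly below, not skipped.
$cb     = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$tcp    = New-Object System.Net.Sockets.TcpClient -ArgumentList $ExchangeHost, $Port
$stream = $tcp.GetStream()
$ssl    = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $cb
$ssl.AuthenticateAsClient($ExchangeHost)
$remote = $ssl.RemoteCertificate
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $remote
$ssl.Dispose(); $tcp.Dispose()

# Build the chain and find out which store holds its root.
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null   = $chain.Build($server)
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$status = ($chain.ChainStatus | Select-Object -ExpandProperty Status) -join ', '
if (-not $status) { $status = 'OK' }
$inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$inUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)"
"Server cert : $($server.Subject)  chain status: $status"
"Root cert   : $($root.Subject)"
"  LocalMachine\Root (seen by services) : $inMachineRoot"
"  CurrentUser\Root  (Internet Options) : $inUserRoot"

# 2. Local Administrators on this host (needed to read the machine certificate store).
$isLocalAdmin = (net localgroup Administrators) -contains $ConnectorAccount
"Local admin : $isLocalAdmin"

# 3. Open the Exchange remote PowerShell endpoint as the connector account.
#    'Access is denied' here, with the certificate already trusted, points at
#    Exchange RBAC (Organization Management) or WinRM permissions.
$cred = Get-Credential -UserName $ConnectorAccount -Message 'Connector account password'
try {
    $s = New-PSSession -ConnectionUri "https://${ExchangeHost}:${Port}/PowerShell/" `
        -ConfigurationName Microsoft.Exchange -Credential $cred `
        -Authentication Kerberos -ErrorAction Stop
    "Exchange session : OK ($($s.ComputerName))"
    Remove-PSSession $s
} catch {
    "Exchange session : FAILED - $($_.Exception.Message)"
}
```

Run it once as the account the Connector Server service uses and once as the interactive administrator; a root that shows as trusted only in CurrentUser\Root explains why importing it through Internet settings had no effect on the service.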





