[midPoint] Self-signed SSL certificate problem with exchange connector
Ващенков Алексей
a.vashchenkov at solarsecurity.ru
Wed Jun 24 15:55:24 CEST 2015
On the test stand we use our “MEGA-ADMIN” :)
Yes, this user is in the Organisation Management group. You can see it in the screenshot in the previous message.
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 4:44 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector
OK, and what permissions in AD/Exchange does the account configured for the connector in midPoint have?
(DirectoryAdminName configurationProperty)
Is it in the Organizational Management group?
Ivan
On 06/24/2015 02:59 PM, Ващенков Алексей wrote:
We are using version 1.4.1.20257 of the connector.
Here is the stack trace from the connector host:
ExchangeConnector Error: 1 : Exception while executing Create operation: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: [isim.isim.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
--- End of inner exception stack trace ---
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception e, ErrorRecord error, String message) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 491
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1 errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 449
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace runspace, String script, ICollection`1 parameters) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 354
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 162
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 134
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 103
at Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 531
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1 commands) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 185
at Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line 112
at Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 185
at Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 170
DateTime=2015-06-27T12:40:34.5850885Z
ConnectorServer.exe Error: 0 : Exception :
Type: Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException
Message: [isim.isim.local] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
Source: FrameworkInternal
Stacktrace: at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception e, ErrorRecord error, String message) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 491
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1 errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 449
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace runspace, String script, ICollection`1 parameters) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 354
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 162
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 134
at Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line 103
at Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace() in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 531
at Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1 commands) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line 185
at Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line 112
at Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext context) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 185
at Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line 177
at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass objectClass, ICollection`1 createAttributes, OperationOptions options) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 442
at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 247
at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
at Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line 1344
at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line 626
Inner Exception :
Type: System.Management.Automation.Remoting.PSRemotingTransportException
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 3:42 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector
No; but in my scenario I had to be in the local Administrators group to be able to access the certificate store on the machine where the Connector Server runs.
Can you be more precise about the Access Denied exception?
Ivan
On 06/24/2015 02:04 PM, Ващенков Алексей wrote:
The user is in both groups, local and domain administrators.
Do you suppose that the user must be only in the local administrators group?
Sent: Wednesday, June 24, 2015 2:55 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector
Please try to add that account to the local Administrators on that computer (not Domain Administrators). I remember a situation where this helped. I also remember having written it somewhere :-(
Ivan
On 06/24/2015 01:50 PM, Ващенков Алексей wrote:
Thanks.
It helped a little bit. The documentation didn’t point out that I also need to add the certificate to trusted roots using mmc.
After we imported the certificate and added it to trusted roots I got an access denied exception. We tried to start the connector as System and as Administrator, but in both cases the access exception is thrown.
Maybe I am missing some preferences?
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Wednesday, June 24, 2015 10:54 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Self-signed SSL certificate problem with exchange connector
Hi Алексей,
please check your steps against https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server
Last time I was connecting to AD through SSL, it helped me.
Regards,
Ivan
On 06/24/2015 09:42 AM, Ващенков Алексей wrote:
Hi.
We use a self-signed certificate for the connection to PowerShell. The process of adding an account using the Exchange connector throws an exception:
====
The SSL certificate is signed by an unknown certificate authority. For more information, see the about_Remote_Troubleshooting Help topic. Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again.
We have added the certificate to trusted roots in Internet settings, but it doesn’t have any effect.
What should we do to prevent this exception from being thrown?
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
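The two failures in this thread (the certificate rejected as "signed by an unknown certificate authority", then "Access is denied" once the certificate was trusted) come from different layers, and the follow-on "parameter 'Session'. The argument is null" message only says that session creation failed. The script below is an added diagnostic example, not code from the thread, from Evolveum or from the connector project; it runs on the Connector Server host under the account the service uses, and the host name, thumbprint and HTTPS endpoint URI are assumptions to replace with your own values.

```powershell
param(
    [string]$ExchangeHost = 'exchange.example.local',   # assumption: your Exchange server FQDN
    [string]$Thumbprint   = 'PLACEHOLDER-THUMBPRINT'     # assumption: thumbprint of the self-signed cert
)

# Step 1: the certificate must be in the *machine* Trusted Root store.
# Internet Options imports into the current user's store, which a service
# running as LocalSystem or a service account does not see; mmc lets you
# target "Local Computer" instead.
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $rootCert) {
    Write-Warning "Certificate $Thumbprint is not in LocalMachine\Root; WinRM will report an unknown CA."
} else {
    Write-Host "Trusted root present: $($rootCert.Subject)"
}

# Step 2: does the WinRM listener answer over HTTPS from this host at all?
# A failure here is transport/TLS; a success means the next step is authorization.
try {
    Test-WSMan -ComputerName $ExchangeHost -UseSSL -ErrorAction Stop | Out-Null
    Write-Host "WS-Man over SSL reachable on $ExchangeHost"
} catch {
    Write-Warning "Test-WSMan failed: $($_.Exception.Message)"
}

# Step 3: open the Exchange remote PowerShell endpoint with explicit credentials,
# the same way the connector does before importing the session. "Access is denied"
# here is an authentication/authorization rejection of that account (WinRM
# permissions or Exchange role assignment), not a certificate problem.
$cred = Get-Credential -Message 'Connector service account (DirectoryAdminName)'
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://$ExchangeHost/PowerShell/" `
        -Authentication Kerberos -Credential $cred -ErrorAction Stop
    Write-Host "Exchange session opened on $($session.ComputerName)"
    Remove-PSSession $session
} catch {
    # $session stays $null on failure; importing it would produce the
    # "Cannot validate argument on parameter 'Session'" message seen in the trace.
    Write-Warning "New-PSSession failed: $($_.Exception.Message)"
}
```

Run it once under the interactive admin and once under the service account (for example via a scheduled task) so that differences in certificate store visibility and group membership show up as differences in the output.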