[midPoint] Self-signed SSL certificate problem with exchange connector
Ivan Noris
ivan.noris at evolveum.com
Wed Jun 24 16:14:04 CEST 2015
Sorry, didn't realize there was a screenshot.
Anyway, the screenshot seems to show the "Administrator" account.
I'm trying to refresh my latest project with Exchange. So far I don't
remember this issue. We have created a user which is not in Domain
Administrators, but has delegated administration of users, groups etc. in
one part of the directory. Additionally, the user is a member of the Organizational
Management group to manage Exchange objects.
The same user is used for the service (ConnectorServer) and is also
configured in midPoint in the resource (DirectoryAdminName).
ExchangeUri points to http://blabla/PowerShell - you should try to
access it from your connector server/browser, in case the Access Denied error
is related to that.
Ivan
On 06/24/2015 03:55 PM, Ващенков Алексей wrote:
>
> On the test stand we use our “MEGA-ADMIN” :)
> Yes, this user is in the Organisation Management group. You can see it in the
> screenshot in the previous message.
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 4:44 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
> exchange connector
>
>
>
> OK, and what permissions in AD/Exchange does the account configured for
> the connector in midPoint have?
>
> (DirectoryAdminName configurationProperty)
>
> Is it in Organizational Management group?
>
> Ivan
>
> On 06/24/2015 02:59 PM, Ващенков Алексей wrote:
>
> We are using version 1.4.1.20257 of connector.
>
> Here is the stack from connector host
>
> ExchangeConnector Error: 1 : Exception while executing Create
> operation:
> Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException:
> [isim.isim.local] Connecting to remote server failed with the
> following error message : Access is denied. For more information,
> see the about_Remote_Troubleshooting Help topic.
>
> Cannot validate argument on parameter 'Session'. The argument is
> null. Supply a non-null argument and try the command again.
>
> --->
> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting
> to remote server failed with the following error message : Access
> is denied. For more information, see the
> about_Remote_Troubleshooting Help topic.
>
> --- End of inner exception stack trace ---
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
> e, ErrorRecord error, String message) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 491
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
> errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 449
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
> runspace, String script, ICollection`1 parameters) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 354
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 162
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 134
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 103
>
> at
> Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 531
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
> commands) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
> 112
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 170
>
> DateTime=2015-06-27T12:40:34.5850885Z
>
> ConnectorServer.exe Error: 0 : Exception :
>
> Type:
> Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException
>
> Message: [isim.isim.local] Connecting to remote server failed with
> the following error message : Access is denied. For more
> information, see the about_Remote_Troubleshooting Help topic.
>
> Cannot validate argument on parameter 'Session'. The argument is
> null. Supply a non-null argument and try the command again.
>
>
>
> Source: FrameworkInternal
>
> Stacktrace: at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
> e, ErrorRecord error, String message) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 491
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
> errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 449
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
> runspace, String script, ICollection`1 parameters) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 354
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 162
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 134
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 103
>
> at
> Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 531
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
> commands) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
> 112
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 177
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass
> objectClass, ICollection`1 createAttributes, OperationOptions
> options) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 442
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 247
>
> at ___proxy1.Create(ObjectClass , ICollection`1 ,
> OperationOptions )
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line
> 1344
>
> at ___proxy1.Create(ObjectClass , ICollection`1 ,
> OperationOptions )
>
> at
> Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest
> request) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line
> 626
>
> Inner Exception :
>
> Type:
> System.Management.Automation.Remoting.PSRemotingTransportException
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 3:42 PM
> *To:* midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
> exchange connector
>
>
>
> No; but in my scenario I had to be in local Administrators group
> to be able to access the certificate store on the machine where
> Connector Server runs.
>
> Can you be more precise about the Access Denied exception?
>
> Ivan
>
> On 06/24/2015 02:04 PM, Ващенков Алексей wrote:
>
> The user is in both groups, local and domain Administrators.
>
> Do you suppose that the user must be only in the local Administrators
> group?
>
>
> *Sent:*Wednesday, June 24, 2015 2:55 PM
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem
> with exchange connector
>
>
>
> Please try to add that account to local Administrators on that
> computer (not Domain Administrators). I remember a situation
> where this helped. I also remember having written it
> somewhere :-(
>
> Ivan
>
> On 06/24/2015 01:50 PM, Ващенков Алексей wrote:
>
> Thanks.
>
> It helped a little bit. The documentation didn't point out
> that I also need to add the certificate to trusted roots
> using mmc.
>
> After we imported the certificate and added it to trusted roots
> I've got an access denied exception. We tried to start the
> connector as System and as Administrator, but in both cases
> an access exception is thrown.
>
> Maybe I missed some preferences?
>
>
>
> *From:*midPoint
> [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf Of
> *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 10:54 AM
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate
> problem with exchange connector
>
>
>
> Hi Алексей,
>
> please check your steps with
> https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server
>
> Last time I was connecting AD through SSL, it helped me.
>
> Regards,
> Ivan
>
> On 06/24/2015 09:42 AM, Ващенков Алексей wrote:
>
> Hi.
>
> We use a self-signed certificate for the connection to
> PowerShell. In the process of adding an account using the Exchange
> connector, an exception is thrown:
>
> ====
>
> The SSL certificate is signed by an unknown
> certificate authority. For more information, see the
> about_Remote_Troubleshooting Help topic. Cannot
> validate argument on parameter 'Session'. The argument
> is null. Supply a non-null argument and try the
> command again.
>
> We have added the certificate to trusted roots in Internet
> settings. But it doesn't have any effect.
>
> What should we do to prevent this exception being thrown?
>
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
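A two-step diagnostic for the ExchangeUri endpoint Ivan refers to, added here as an example; it is not code from the thread, from midPoint or from the OpenICF connector. It assumes it runs on the Connector Server host with WinRM access to the Exchange PowerShell endpoint; the URI, host name and credential prompt are placeholders for your own values.

```powershell
# Added diagnostic; not code from the thread or the midPoint/OpenICF project.
# Run it on the Connector Server host as the DirectoryAdminName account to
# separate the two failures discussed above: a certificate the machine does not
# trust (TLS layer) versus "Access is denied" (WinRM/Exchange authorization).
# The URI and the credential prompt are placeholders for your own values.
$ExchangeUri = 'https://exchange.example.local/PowerShell'   # placeholder for ExchangeUri
$Credential  = Get-Credential -Message 'DirectoryAdminName account'

# 1. TLS check: does this machine trust the certificate the endpoint presents?
$uri = [Uri]$ExchangeUri
if ($uri.Scheme -eq 'https') {
    $script:SslErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    # The callback records the policy errors and accepts the certificate so the
    # handshake completes; this is a diagnostic, not a setting to keep.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $script:SslErrors = $errors; $true })
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Server certificate: $($remote.Subject) issued by $($remote.Issuer)"
        "SSL policy errors: $script:SslErrors"
        # RemoteCertificateChainErrors is the 'signed by an unknown certificate
        # authority' symptom: the issuer must be in the machine's Trusted Root store,
        # not only in the Current User store that the Internet Options dialog imports into.
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

# 2. Remoting check: can this account open the Exchange session at all?
$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
        -Authentication Kerberos -Credential $Credential -ErrorAction Stop
    Invoke-Command -Session $session -ScriptBlock { (Get-OrganizationConfig).Name }
    'Session OK: the account is authorized on the Exchange PowerShell endpoint.'
} catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
    # Same exception type as the inner exception in the connector stack trace.
    Write-Warning "Transport failure: $($_.Exception.Message)"
    Write-Warning 'If it says "Access is denied", check WinRM/IIS authentication and the account''s Exchange RBAC membership; the certificate is not the cause.'
} finally {
    if ($session) { Remove-PSSession $session }
}
```

If step 1 reports no policy errors but step 2 still fails, the problem is on the authorization side, which matches the order in which the two errors appeared in this thread.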