[midPoint] Self-signed SSL certificate problem with exchange connector

Ivan Noris ivan.noris at evolveum.com
Wed Jun 24 16:16:50 CEST 2015


Could it be perhaps related to something like this?
http://www.ifunky.net/Blog/post/Powershell-Remoting-Access-is-Denied.aspx

Ivan

On 06/24/2015 03:55 PM, Ващенков Алексей wrote:
>
> On the test stand we use our “MEGA-ADMIN” :)
> Yes, this user is in the Organisation Management group. You can see it in the
> screenshot in the previous message.
>
>  
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 4:44 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
> exchange connector
>
>  
>
> OK, and what permissions in AD/Exchange does the account configured for
> the connector in midPoint have?
>
> (DirectoryAdminName configurationProperty)
>
> Is it in the Organizational Management group?
>
> Ivan
>
> On 06/24/2015 02:59 PM, Ващенков Алексей wrote:
>
>     We are using version 1.4.1.20257 of connector.
>
>     Here is the stack from connector host
>
>     ExchangeConnector Error: 1 : Exception while executing Create
>     operation:
>     Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException:
>     [isim.isim.local] Connecting to remote server failed with the
>     following error message : Access is denied. For more information,
>     see the about_Remote_Troubleshooting Help topic.
>
>     Cannot validate argument on parameter 'Session'. The argument is
>     null. Supply a non-null argument and try the command again.
>
>     --->
>     System.Management.Automation.Remoting.PSRemotingTransportException: Connecting
>     to remote server failed with the following error message : Access
>     is denied. For more information, see the
>     about_Remote_Troubleshooting Help topic.
>
>        --- End of inner exception stack trace ---
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
>     e, ErrorRecord error, String message) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     491
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
>     errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     449
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
>     runspace, String script, ICollection`1 parameters) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     354
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     162
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     134
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     103
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     531
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
>     commands) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     185
>
>        at
>     Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
>     context) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
>     112
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
>     context) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
>     185
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
>     oclass, ICollection`1 attributes, OperationOptions options) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
>     170
>
>         DateTime=2015-06-27T12:40:34.5850885Z
>
>     ConnectorServer.exe Error: 0 : Exception :
>
>     Type:
>     Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException
>
>     Message: [isim.isim.local] Connecting to remote server failed with
>     the following error message : Access is denied. For more
>     information, see the about_Remote_Troubleshooting Help topic.
>
>     Cannot validate argument on parameter 'Session'. The argument is
>     null. Supply a non-null argument and try the command again.
>
>      
>
>     Source: FrameworkInternal
>
>     Stacktrace:    at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
>     e, ErrorRecord error, String message) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     491
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
>     errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     449
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
>     runspace, String script, ICollection`1 parameters) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     354
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     162
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     134
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
>     103
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
>     in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     531
>
>        at
>     Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
>     commands) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
>     185
>
>        at
>     Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
>     context) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
>     112
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
>     context) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
>     185
>
>        at
>     Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
>     oclass, ICollection`1 attributes, OperationOptions options) in
>     d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
>     177
>
>        at
>     Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass
>     objectClass, ICollection`1 createAttributes, OperationOptions
>     options) in
>     c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
>     442
>
>        at
>     Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object
>     proxy, MethodInfo method, Object[] args) in
>     c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
>     247
>
>        at ___proxy1.Create(ObjectClass , ICollection`1 ,
>     OperationOptions )
>
>        at
>     Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object
>     proxy, MethodInfo method, Object[] args) in
>     c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line
>     1344
>
>        at ___proxy1.Create(ObjectClass , ICollection`1 ,
>     OperationOptions )
>
>        at
>     Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest
>     request) in
>     c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line
>     626
>
>       Inner Exception :
>
>       Type:
>     System.Management.Automation.Remoting.PSRemotingTransportException
>
>      
>
>     *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>     Behalf Of *Ivan Noris
>     *Sent:* Wednesday, June 24, 2015 3:42 PM
>     *To:* midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
>     *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
>     exchange connector
>
>      
>
>     No; but in my scenario I had to be in local Administrators group
>     to be able to access the certificate store on the machine where
>     Connector Server runs.
>
>     Can you be more precise about the Access Denied exception?
>
>     Ivan
>
>     On 06/24/2015 02:04 PM, Ващенков Алексей wrote:
>
>         The user is in both groups, local and domain administrators.
>
>         Do you suppose that the user must be only in the local administrators
>         group?
>
>
>         *Sent:* Wednesday, June 24, 2015 2:55 PM
>         *To:* midpoint at lists.evolveum.com
>         <mailto:midpoint at lists.evolveum.com>
>         *Subject:* Re: [midPoint] Self-signed SSL certificate problem
>         with exchange connector
>
>          
>
>         Please try to add that account to local Administrators on that
>         computer (not Domain Administrators). I remember a situation
>         where this helped. I also remember having written it
>         somewhere :-(
>
>         Ivan
>
>         On 06/24/2015 01:50 PM, Ващенков Алексей wrote:
>
>             Thanks.
>
>             It helped a little bit. The documentation doesn't point
>             out that I also need to add the certificate to trusted roots
>             using mmc.
>
>             After we imported the certificate and added it to trusted roots,
>             I've got an access denied exception. We tried to start the
>             connector as System and as Administrator, but in both cases
>             an access exception is thrown.
>
>             Maybe I miss some preferences?
>
>              
>
>             *From:* midPoint
>             [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf Of
>             *Ivan Noris
>             *Sent:* Wednesday, June 24, 2015 10:54 AM
>             *To:* midpoint at lists.evolveum.com
>             <mailto:midpoint at lists.evolveum.com>
>             *Subject:* Re: [midPoint] Self-signed SSL certificate
>             problem with exchange connector
>
>              
>
>             Hi Алексей,
>
>             please check your steps with
>             https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server
>
>             Last time I was connecting AD through SSL, it helped me.
>
>             Regards,
>             Ivan
>
>             On 06/24/2015 09:42 AM, Ващенков Алексей wrote:
>
>                 Hi.
>
>                 We use a self-signed certificate for the connection to
>                 PowerShell. When adding an account using the Exchange
>                 connector, it throws an exception
>
>                 ====
>
>                 The SSL certificate is signed by an unknown
>                 certificate authority. For more information, see the
>                 about_Remote_Troubleshooting Help topic. Cannot
>                 validate argument on parameter 'Session'. The argument
>                 is null. Supply a non-null argument and try the
>                 command again.
>
>                 We have added the certificate to trusted roots in internet
>                 settings. But it doesn't take any effect.
>
>                 What should we do to prevent this exception from being thrown?
>
>
>
>
>
>
>
>                 _______________________________________________
>
>                 midPoint mailing list
>
>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
>             -- 
>
>               Ing. Ivan Noris
>
>               Senior Identity Management Engineer & IDM Architect
>
>               evolveum.com                     evolveum.com/blog/
>
>               ___________________________________________________
>
>               "Semper Id(e)M Vix."
>
>
>
>
>
>
>
>
>
>
>
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
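The thread reports two distinct failures from the connector host: first "The SSL certificate is signed by an unknown certificate authority", then "Access is denied" once the certificate was imported. The following PowerShell diagnostic is added here and is not code from the thread, from midPoint or from the OpenICF connector; it checks the remote certificate against the machine trust store (the store a service such as the Connector Server reads) and then attempts the same kind of Exchange remoting session, so the two causes can be told apart. The host name, port, credential and the Exchange endpoint URI are assumptions to be replaced with your own values.

```powershell
param(
    [string]$ExchangeHost = 'exchange.example.local',   # placeholder, not a host from the thread
    [int]$Port = 443,                                    # IIS port serving the /PowerShell virtual directory (assumed)
    [pscredential]$Credential = (Get-Credential)         # the account used as DirectoryAdminName
)

function Test-WinRmCertTrust {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during this handshake; we only want to capture it for inspection.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Build the chain in machine context: the Connector Server runs as a service, so a root
    # imported through Internet Options into the CurrentUser\Root store does not help it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject        = $cert.Subject
        RootThumbprint = $root.Thumbprint
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        TrustedByChain = $trusted
        InMachineRoot  = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }
}

function Test-ExchangeRemoting {
    param([string]$HostName, [pscredential]$Credential)
    try {
        # Standard Exchange remote PowerShell endpoint; assumed to match what the connector opens.
        $s = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri "https://$HostName/PowerShell/" -Authentication Kerberos `
            -Credential $Credential -ErrorAction Stop
        Remove-PSSession $s
        return 'OK: session established'
    } catch {
        # "unknown certificate authority" -> trust store problem (see Test-WinRmCertTrust);
        # "Access is denied" -> the account lacks remoting or Exchange RBAC rights, not an SSL issue.
        return "FAILED ($($_.Exception.GetType().Name)): $($_.Exception.Message)"
    }
}

Test-WinRmCertTrust -HostName $ExchangeHost -Port $Port
Test-ExchangeRemoting -HostName $ExchangeHost -Credential $Credential
```

Run it on the Connector Server machine under the same account the service uses: `InMachineRoot = False` with `ChainStatus = UntrustedRoot` reproduces the first error, while a trusted chain followed by an "Access is denied" result points at the account's permissions rather than the certificate.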
