[midPoint] Self-signed SSL certificate problem with exchange connector
Ivan Noris
ivan.noris at evolveum.com
Wed Jun 24 16:16:50 CEST 2015
Could it be perhaps related to something like this?
http://www.ifunky.net/Blog/post/Powershell-Remoting-Access-is-Denied.aspx
Ivan
On 06/24/2015 03:55 PM, Ващенков Алексей wrote:
>
> On test stand we use our “MEGA-ADMIN” :)
> Yes this user in Organisation Management group. You can see it at the
> screenshot in previous message.
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 4:44 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
> exchange connector
>
>
>
> OK, and what permissions in AD/Exchange has the account configured for
> the connector in midPoint?
>
> (DirectoryAdminName configurationProperty)
>
> Is it in Organizational Management group?
>
> Ivan
>
> On 06/24/2015 02:59 PM, Ващенков Алексей wrote:
>
> We are using version 1.4.1.20257 of connector.
>
> Here is the stack from connector host
>
> ExchangeConnector Error: 1 : Exception while executing Create
> operation:
> Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException:
> [isim.isim.local] Connecting to remote server failed with the
> following error message : Access is denied. For more information,
> see the about_Remote_Troubleshooting Help topic.
>
> Cannot validate argument on parameter 'Session'. The argument is
> null. Supply a non-null argument and try the command again.
>
> --->
> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting
> to remote server failed with the following error message : Access
> is denied. For more information, see the
> about_Remote_Troubleshooting Help topic.
>
> --- End of inner exception stack trace ---
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
> e, ErrorRecord error, String message) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 491
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
> errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 449
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
> runspace, String script, ICollection`1 parameters) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 354
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 162
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 134
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 103
>
> at
> Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 531
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
> commands) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
> 112
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 170
>
> DateTime=2015-06-27T12:40:34.5850885Z
>
> ConnectorServer.exe Error: 0 : Exception :
>
> Type:
> Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException
>
> Message: [isim.isim.local] Connecting to remote server failed with
> the following error message : Access is denied. For more
> information, see the about_Remote_Troubleshooting Help topic.
>
> Cannot validate argument on parameter 'Session'. The argument is
> null. Supply a non-null argument and try the command again.
>
>
>
> Source: FrameworkInternal
>
> Stacktrace: at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.DefaultThrowIcfExceptionImplementation(Exception
> e, ErrorRecord error, String message) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 491
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.CheckErrors(IList`1
> errors, ThrowIcfExceptionDelegate throwIcfExceptionDelegate) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 449
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokeScriptInternal(Runspace
> runspace, String script, ICollection`1 parameters) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 354
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.InitRunSpace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 162
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.RunSpaceAsyncInitializer.InitializeInCurrentThread()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 134
>
> at
> Org.IdentityConnectors.Exchange.ExchangePowerShellSupport.CreateExchangeRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangePowerShellSupport.cs:line
> 103
>
> at
> Org.IdentityConnectors.ActiveDirectory.MyRunspacePool.acquireRunspace()
> in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 531
>
> at
> Org.IdentityConnectors.ActiveDirectory.PowerShellSupport.InvokePipeline(Collection`1
> commands) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\PowerShellSupport.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.AccountHandler.Create(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\Handlers\AccountHandler.cs:line
> 112
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.CreateMain(CreateOpContext
> context) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 185
>
> at
> Org.IdentityConnectors.Exchange.ExchangeConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ExchangeConnector\ExchangeConnector.cs:line
> 177
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass
> objectClass, ICollection`1 createAttributes, OperationOptions
> options) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 442
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 247
>
> at ___proxy1.Create(ObjectClass , ICollection`1 ,
> OperationOptions )
>
> at
> Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line
> 1344
>
> at ___proxy1.Create(ObjectClass , ICollection`1 ,
> OperationOptions )
>
> at
> Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest
> request) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line
> 626
>
> Inner Exception :
>
> Type:
> System.Management.Automation.Remoting.PSRemotingTransportException
>
>
>
> *From:*midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> Behalf Of *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 3:42 PM
> *To:* midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem with
> exchange connector
>
>
>
> No; but in my scenario I had to be in local Administrators group
> to be able to access the certificate store on the machine where
> Connector Server runs.
>
> Can you be more precise about the Access Denied exception?
>
> Ivan
>
> On 06/24/2015 02:04 PM, Ващенков Алексей wrote:
>
> The user is in both groups local and domain administrators.
>
> Do you suppose that user must be only in local administrator
> group?
>
> * *
>
> *Sent:*Wednesday, June 24, 2015 2:55 PM
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate problem
> with exchange connector
>
>
>
> Please try to add that account to local Administrators on that
> computer (not Domain Administators). I remember situation
> where this helped. I also remember to have written it
> somewhere :-(
>
> Ivan
>
> On 06/24/2015 01:50 PM, Ващенков Алексей wrote:
>
> Thanks.
>
> I helped a little bit. The documentation doesn’t pointed
> that also I need to add the certificate to trusted roots
> using mmc.
>
> After we imported certificate and add it ti trusted roots
> I’ve got an access denied exception. We try to start
> connector as System and as Administrator but in both cases
> access exception throws.
>
> May be I miss some preferences?
>
>
>
> *From:*midPoint
> [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf Of
> *Ivan Noris
> *Sent:* Wednesday, June 24, 2015 10:54 AM
> *To:* midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Self-signed SSL certificate
> problem with exchange connector
>
>
>
> Hi Алексей,
>
> please check your steps with
> https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server
>
> Last time I was connecting AD through SSL, it helped me.
>
> Regards,
> Ivan
>
> On 06/24/2015 09:42 AM, Ващенков Алексейwrote:
>
> Hi.
>
> We use self-signed certificate for connection to
> powershell. In process to add account using Exchange
> connector throws an exception
>
> ====
>
> The SSL certificate is signed by an unknown
> certificate authority. For more information, see the
> about_Remote_Troubleshooting Help topic. Cannot
> validate argument on parameter 'Session'. The argument
> is null. Supply a non-null argument and try the
> command again.
>
> We have added certificate to trusted roots in internet
> settings. But it doesn’t take any effect.
>
> What should we do to prevent this exception throwning?
>
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
> --
>
> Ing. Ivan Noris
>
> Senior Identity Management Engineer & IDM Architect
>
> evolveum.com evolveum.com/blog/
>
> ___________________________________________________
>
> "Semper Id(e)M Vix."
>
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> --
>
> Ing. Ivan Noris
>
> Senior Identity Management Engineer & IDM Architect
>
> evolveum.com evolveum.com/blog/
>
> ___________________________________________________
>
> "Semper Id(e)M Vix."
>
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Ing. Ivan Noris
>
> Senior Identity Management Engineer & IDM Architect
>
> evolveum.com evolveum.com/blog/
>
> ___________________________________________________
>
> "Semper Id(e)M Vix."
>
>
>
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com evolveum.com/blog/
> ___________________________________________________
> "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150624/a33f3cc6/attachment.htm>
More information about the midPoint
mailing list