NetWorker: Unable to log into NMC with AD/LDAP account "Unable to login, verify that the authentication service on server name is running"

Summary: NetWorker is configured with external authentication using LDAPS (either Microsoft Active Directory (AD) or LDAP server). Authentication for external accounts fails with HTTP 500 or HTTP 404 and reports "Verify that the authentication service on [server name] is running." ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

  • NetWorker is configured to use LDAPS external authentication.
  • When logging into NetWorker Management Console (NMC) with an AD/LDAP account, the following error appears:
    • POST failed with HTTP-ERROR: 500 (Internal server error)
    • POST failed with HTTP-ERROR: 404 (Could not parse server-response from JSON string)
    • Verify that the authentication service on [server name] is running.
NOTE: The difference in HTTP error code depends on the NetWorker server version; however, the cause is the same.
  • Local NetWorker user accounts (such as the default Administrator account) successfully log in to the NMC. 

Cause

The certificates were previously imported into the Java runtime cacerts file on the AUTHC server. There may be a problem with the certificates, or they have expired.

The following steps can be used to help verify if this has happened:

 

  1. Get the Root (and Chain, if configured) certificates from the LDAP server. This can be done using the openssl command. openssl is typically included by default on Linux operating systems. Windows hosts do not typically have it installed; however, it can be install using a third-party utility. Optionally, run the openssl command on any Linux host in the environment that has access to the LDAPS server.
Syntax:
openssl x509 -in <(openssl s_client -connect LDAPS_SERVER_ADDRESS:636 -prexit 2>/dev/null </dev/null |
  sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p') \
  -fingerprint -sha256 -noout
Example:
nve:~ # openssl x509 -in <(openssl s_client -connect dc.networker.lan:636 -prexit 2>/dev/null </dev/null |
>   sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p') \
>   -fingerprint -sha256 -noout
SHA256 Fingerprint=FA:0B:97:18:29:5E:A7:86:E1:5A:85:85:9E:17:11:D5:04:E7:AD:7E:F8:A0:5D:07:56:D5:DA:8A:D8:BA:37:E5
NOTE: If multiple signatures are returned, then it suggests that a certificate chain is used. The JRE cacerts file must contain each of the certificates with a matching signature. In the above example, only a root certificate is used.
  1. Use the java keytool command to validate if the certificate is in Java's cacerts file:
  • For NetWorker 19.12.x (JRE 8.x) and prior:
Windows:  
cd "C:\Program Files\NRE\java\jre_#.#.#\bin\"
.\keytool -list -keystore ..\lib\security\cacerts -storepass changeit | findstr SIGNATURE
Linux:
/opt/nre/java/latest/bin/keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep -B1 -i SIGNATURE
  • For NetWorker 19.13 (JDK 17.x) and later:
Windows: 
cd 'C:\Program Files\NRE\java\jdk-#.#.#\bin\'
.\keytool -list -cacerts -storepass changeit | findstr SIGNATURE
Linux:  
/opt/nre/java/latest/bin/keytool -list -cacerts -storepass changeit | grep -B1 -i SIGNATURE
  • Example based on the above openssl output:
nve:~ # /opt/nre/java/latest/bin/keytool -list -cacerts -storepass changeit | grep -B1 -i "FA:0B:97:18:29:5E:A7:86:E1:5A:85:85:9E:17:11:D5:04:E7:AD:7E:F8:A0:5D:07:56:D5:DA:8A:D8:BA:37:E5"
ldaps, Dec 16, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): FA:0B:97:18:29:5E:A7:86:E1:5A:85:85:9E:17:11:D5:04:E7:AD:7E:F8:A0:5D:07:56:D5:DA:8A:D8:BA:37:E5
NOTE: The above example demonstrates when a valid certificate is found. The sha-256 fingerprint for both the LDAPS certificate and the one imported into NetWorker's runtime cacerts file match. If a certificate chain is used, you must validate that each certificate in the chain exists. If the LDAPS and NetWorker certificates do not match, or one is missing, update the certificates on the NetWorker server. 


If there is no issue with the certificates, this issue can also appear if NetWorker was configured using "LDAP over SSL" but the external authentication is Microsoft Active Directory. This causes a misconfiguration in the AUTHC database. The "Is Active Directory" field is set to false: See: NetWorker: AD over SSL (LDAPS) NetWorker Login Fails With HTTP 404 or HTTP 500

Resolution

For the full procedure on configuring LDAPS with NetWorker, refer to:  NetWorker: How To configure LDAPS Authentication

The process specific to the certificates is as follows:

    1. Get the new root certificate (and chain, if used), from the LDAPS server. This can be done using openssl. If openssl is not installed, have the Domain Administrator provide the certificates required for LDAPS.
      1. openssl s_client -connect LDAPS_SERVER_ADDRESS:636 -showcerts
      2. Copy the certificate starting from ---BEGIN CERTIFICATE--- and ending with ---END CERTIFICATE--- and paste it into a new file. If there is a chain of certificates, you will see several certificates in the output, you must do this with each certificate.
    2. Add the new chain and root certificates (in that order) to the 'cacerts' file:
    • For NetWorker 19.12.x (JRE 8.x) and prior:
    Windows:  
    cd "C:\Program Files\NRE\java\jre_#.#.#\bin\"
.\keytool -import -alias ALIAS_NAME -keystore ..\lib\security\cacerts -storepass changeit -file "PATH_TO_CERTIFICATE_FILE"
    Linux:
    /opt/nre/java/latest/bin/keytool -import -alias ALIAS_NAME -keystore /opt/nre/java/latest/lib/security/cacerts -file PATH_TO_CERTIFICATE_FILE
    • For NetWorker 19.13 (JDK 17.x) and later:
    Windows: 
    cd 'C:\Program Files\NRE\java\jdk-#.#.#\bin\'
.\keytool -import -alias ALIAS_NAME -cacerts -storepass changeit -file "PATH_TO_CERTIFICATE_FILE"
    Linux:  
    /opt/nre/java/latest/bin/keytool -import -alias ALIAS_NAME -cacerts -storepass changeit -file PATH_TO_CERTIFICATE_FILE
    • Example ALIAS for the root CA: RCA
    • Example ALIAS for intermediate certs: ICA1, ICA2, ICA3, and so forth.
    1. Restart NetWorker:
    • Windows (PowerShell): net stop nsrd ; net start nsrd
    • Linux: systemctl restart networker 
    NOTE: NetWorker must be restarted in order for AUTHC to read the cacerts file and reload the certificates.

    Affected Products

    NetWorker, NetWorker Management Console
    Article Properties
    Article Number: 000192505
    Article Type: Solution
    Last Modified: 12 May 2026
    Version:  6
    Find answers to your questions from other Dell users
    Support Services
    Check if your device is covered by Support Services.