PowerProtect: Authentication Fails Using Active Directory After Upgrading to Version 19.19

Users cannot authenticate using their Microsoft Active Directory (AD) credentials after upgrading PowerProtect to version 19.19.0-15.

Error message similar to the following is displayed:

"Failed to authenticate the user with identity provider. Please check for any network connectivity issues with the external identity provider if configured. Also check for expired certificates or credential issues with the configured provider."

Error message similar to the following is present in the keycloak.log file on the PowerProtect Appliance:

2025-04-02 01:11:20,715 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-23) Uncaught server error: org.keycloak.models.ModelException: LDAP Query failed
	at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:178)
	at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:185)
	at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:1052)
	at org.keycloak.storage.ldap.LDAPStorageProvider.getUserByUsername(LDAPStorageProvider.java:649)
	at org.keycloak.storage.ldap.LDAPStorageProvider.getUserById(LDAPStorageProvider.java:373)
	at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:395)
	at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:222)
	at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.wrap(PersistentUserSessionProvider.java:642)
	at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.getUserSession(PersistentUserSessionProvider.java:287)
	at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.getUserSession(PersistentUserSessionProvider.java:282)
	at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:1493)
	at org.keycloak.services.managers.AuthenticationManager.authenticateIdentityCookie(AuthenticationManager.java:862)
	at org.keycloak.services.managers.AuthenticationSessionManager.getUserSessionFromAuthenticationCookie(AuthenticationSessionManager.java:259)
	at org.keycloak.protocol.AuthorizationEndpointBase.createAuthenticationSession(AuthorizationEndpointBase.java:184)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:193)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:115)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.storage.ldap.idm.query.internal.LDAPQuery@29377815
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:294)
	at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:174)
	... 27 more
Caused by: javax.naming.CommunicationException: yourcompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:251)
	at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:141)
	at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1620)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2848)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:349)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:520)
	at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
	at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
	at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:74)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:93)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:709)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:704)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:255)
	at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:278)
	... 28 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:647)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:467)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at java.naming/com.sun.jndi.ldap.Connection.initialSSLHandshake(Connection.java:370)
	at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:288)
	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:230)
	... 47 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
	at java.base/sun.security.validator.Validator.validate(Validator.java:256)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:631)
	... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
	... 66 more

This behavior is seen when high availability is configured for domain controllers. In PowerProtect Data Manager 19.19, there is a major architectural change regarding how authentication and user management works. As part of the upgrade, the existing configuration is migrated to the new architecture. After the migration, in the absence of the Root CA certificate used for domain controllers from the PowerProtect Data Manager trust chain breaks

Validation fails when modifying the Active Directory connection to automatically pull the Root CA certificate to the trust chain.

In the PowerProtect Data Manager releases after 19.19.0-15, the architectural changes are affecting the validation of the certificate chain. Perform the following steps to add a Root CA certificate to the trust chain:

1. Ensure the Root CA certificate file used on domain controllers is available.
2. Remove existing connection to Active Directory. 
3. Select Add button under Directory Settings page.
4. Select AD, check Secure Connection checkbox, and fill Active Directory details.
5. Under Certificate section, select Upload Certificate option.
6. Selecting the Upload Certificate option enables you to upload or paste the root or the host certificate.

• Select the Upload Certificate File option.
• Select the certification type whether it is Host, ICA, or Root. If a Root CA certificate is to be uploaded, select Root option.
• Click Upload Certificate File and select the certificate from your system/server.

• Select the "Paste Certificate" option.
• Select the certification type whether it is Host, ICA, or Root. If a Root CA Certificate is being added, select Root option.
• Paste the certificate in the empty field.

7. Review information under Show Advanced Settings and select Apply button. 
8. Go to the Administration menu, select Certificates followed by External Servers tab. Validate that you can find a Root CA certificate listed with Approved state for the port number used (636 is the default port).
9. Go to Users Groups page under Access Control section to add users and groups from Active Directory. 
10. Test by authenticating using Active Directory credentials. Users should use userPrincipalName(UPN) while adding username on the log in page. 

The PowerProtect Data Manager Security Configuration Guide contains more options for Lightweight Directory Access Protocol (LDAP) or AD connections.

From PowerProtect Data Manager 19.19 onwards, in the username it is recommended to use userPrincipalName (UPN) that is set in the Active Directory. The domain name used in UPN can be different to the name used while adding domain to the PowerProtect Data Manager. In earlier versions, users had to add a domain name that was added to PowerProtect Data Manager.

Workaround
The existing Microsoft Active Directory connection can be removed and added as LDAP without using Secure Sockets Layer (SSL). This allows the users to authenticate without using the certificate chain.