NetWorker: AUTHC fails with "unable to find valid certification path to requested target" in a round robin DC environment

Summary: You are attempting to configure AD over LDAPS (SSL) authentication with NetWorker AUTHC. The external authentication configuration uses "round robin" to alias several domain controllers (DC) to one address. The CA certificate is imported from the round robin address into the NetWorker Runtime Environment's (NRE) cacerts keystore. An error occurs when creating the external authority resource: An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find a valid certification path to the requested target. ...


Symptoms

NOTE: The CA certificate from the AD server must be imported into the NetWorker JRE/NRE ../lib/security/cacerts keystore in order to establish SSL communication between AUTHC and the authentication server.
  • The configuration fails with:
    ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
    com.emc.brs.auth.common.exception.BRHttpErrorException: 400 . Server message: Failed to verify configuration CONFIG_NAME An SSL handshake error occurred while attempting to connect to LDAPS server: unable to find valid certification path to requested target
  • You are using an "alias" for the AD server which connects to different DCs in a round robin configuration.

Cause

The Certificate Authority (CA) certificate was imported under the round robin alias Fully Qualified Domain Name (FQDN), but the Secure Sockets Layer (SSL) connection is established to one specific server behind that alias.

NOTE: Round Robin is configured to load-balance requests in an environment. This configuration uses multiple Domain Name System (DNS) entries with the same FQDN, each pointing to a different host IP. It is typically used for web-based applications that process requests from many requesters.

For example, 'ad-ldap.amer.lan' may be a DNS round robin alias that redirects to multiple DC hosts in the environment. Collecting the certificate with openssl while using the alias returns the certificate of one of the hosts available through round robin, here 'dc1.amer.lan':

[root@nsrserver: ~]# openssl s_client -showcerts -connect ad-ldap.amer.lan:636
Certificate chain
0 s:/CN=dc1.amer.lan
   i:/DC=lan/DC=amer/CN=AUTH-CA01
-----BEGIN CERTIFICATE-----
**REMOVED**
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.amer.lan
issuer=/DC=lan/DC=amer/CN=AUTH-CA01

If the certificate is imported into the JRE/NRE cacerts keystore using the round robin alias 'ad-ldap.amer.lan', the configuration does not match 'dc1.amer.lan' or any other server in the round robin configuration, because the names differ.
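The following shell script is an added example, not part of the Dell article: it parses the openssl s_client output shown above to find which DC name the leaf certificate was issued to and which CA issued it, and the audit_alias function (network-dependent, assuming openssl and getent are available on the NetWorker host) repeats that check against every address behind a round robin alias so you can see which DC names the alias really presents before choosing a DC to import.

```shell
#!/bin/sh
# Added example; host names are the article's sample names, not real infrastructure.

# Subject CN of the leaf certificate (chain entry "0 s:") in s_client output.
leaf_subject_cn() {
    printf '%s\n' "$1" | sed -n 's#^ *0 s:.*CN=\([^/,]*\).*#\1#p' | head -n 1
}

# Issuer CN of the leaf certificate: the CA whose certificate cacerts must trust.
leaf_issuer_cn() {
    printf '%s\n' "$1" | sed -n 's#^ *i:.*CN=\([^/,]*\).*#\1#p' | head -n 1
}

# Succeeds only when the leaf CN equals the name that was used to connect.
cn_matches_name() {
    [ "$(leaf_subject_cn "$2")" = "$1" ]
}

# Probe every IPv4 address behind an alias on TCP 636 and report the CN each one
# presents. Network-dependent; not exercised by the offline check below.
audit_alias() {
    alias_name="$1"
    getent ahostsv4 "$alias_name" | awk '{print $1}' | sort -u | while read -r ip; do
        out=$(openssl s_client -showcerts -servername "$alias_name" \
              -connect "$ip:636" </dev/null 2>/dev/null)
        if cn_matches_name "$alias_name" "$out"; then status=match; else status=MISMATCH; fi
        printf '%s -> CN=%s issuer=%s (%s)\n' "$ip" "$(leaf_subject_cn "$out")" \
               "$(leaf_issuer_cn "$out")" "$status"
    done
}

# Constructed sample: the s_client output from the article, certificate body redacted.
SAMPLE_OUTPUT='Certificate chain
 0 s:/CN=dc1.amer.lan
   i:/DC=lan/DC=amer/CN=AUTH-CA01
-----BEGIN CERTIFICATE-----
**REMOVED**
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.amer.lan
issuer=/DC=lan/DC=amer/CN=AUTH-CA01'
```

Running the parsers over the sample reports CN dc1.amer.lan issued by AUTH-CA01, which matches dc1.amer.lan but not the alias ad-ldap.amer.lan; `audit_alias ad-ldap.amer.lan` shows the same comparison for each DC the alias resolves to.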

Resolution

You can use a round robin alias for non-SSL Lightweight Directory Access Protocol (LDAP) connections, because there is no requirement for an SSL certificate to match the host alias of a specific address.

To use SSL authentication, the certificate must match the host that is being connected to. Import the CA certificate for a specific DC and configure NetWorker authentication to use only that server; optionally, import the certificates of all DCs in the round robin. If the original DC has issues, update the configuration to use another DC whose CA certificate has already been imported.

See: NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

Additional Information

Affected Products

NetWorker
Article Properties
Article Number: 000187608
Article Type: Solution
Last Modified: 23 May 2025
Version:  3