NetWorker: AD Users Cannot Sign in Over LDAPS "Could not parse server-response from json string"

• The user is accessing the NetWorker Management Console (NMC) or nsrlogin command line and receives an error:

An error occurred while validating user credentials. Verify that NetWorker Authentication Service is running.
[POST failed with HTTP-ERROR: 500 Server Message: Could not parse server-response from json string]

• The External Authentication Authority was configured using LDAP over SSL option; however, the authentication server is Microsoft Active Directory:
  • Setup > Users and Roles > External Authority > Right-Click External Authority > Properties:

HTTP Error 500 "Internal Server Error."

When the LDAP over SSL option is selected, it sets an internal attribute Is Active Directory to false. This prevents successful logins for users who are configured in Microsoft Active Directory through NetWorker.

This can be verified from authc_config command line using root or Administrator command prompt:

authc_config -u Administrator -e find-all-configs

authc_config -u Administrator -e find-config -D config-id=config_id#

[root@networker-mc ~]# authc_config -u administrator -p 'Pa$$w0rd01' -e find-all-configs 
The query returns 1 records.
Config Id Config Name
2         amer     
[root@networker-mc ~]# authc_config -u administrator -p 'Pa$$w0rd01' -e find-config -D config-id=2 | grep -i "is active directory"
Is Active Directory          : false

The LDAP over SSL option is not intended for AD over SSL.

Workaround: 

The authc_config command can be used to update the configuration Is Active Directory value to true.

Windows:

1. On the NetWorker (authc) server, open an Admin command prompt.
2. Get the configuration ID of the external authority configuration:

authc_config -u Administrator -p NetWorker_Administrator_Password -e find-all-configs

authc_config -u Administrator -p NetWorker_Administrator_Password -e find-config -D config-id=config_id#

3. Update the Is Active Directory value with the following command: 

authc_config -u administrator -p NetWorker_Administrator_Password -e update-config -D config-id=config_id# -D "config-active-directory=y" -D "config-server-address=ldaps://domain_server_hostname:636/dc=domain,dc=com" -D config-user-dn=”cn=service_account,ou=some_group,dc=domain,dc=com" -D config-user-dn-password="Service_Account_Password"

C:\Users\Administrator.AMER>authc_config -u administrator -p 'Pa$$w0rd01' -e update-config -D config-id=1 -D "config-active-directory=y" -D "config-server-address=ldaps://dc.amer.lan:636/dc=amer,dc=lan" -D "config-user-dn=cn=administrator,cn=users,dc=amer,dc=lan" -D config-user-dn-password="Pa$$w0rd01"
Configuration ad is updated successfully.

C:\Users\Administrator.AMER>

4. AD logins through NetWorker should now complete successfully.

Linux:

1. On the NetWorker (authc) server, open a root command prompt.
2. Get the configuration ID of the external authority configuration:

authc_config -u Administrator -p 'NetWorker_Administrator_Password' -e find-all-configs

authc_config -u Administrator -p 'NetWorker_Administrator_Password' -e find-config -D config-id=config_id#

3. Create a hidden text file containing the AD service account password:

echo 'Service_Account_Password' > /root/.sapasswd.txt

4. Make the file only accessible to root:

chmod 700 /root/.sapasswd.txt

5. Create a script to run the call the password from the hidden file and run the authc_config command to update the configuration:

vi authc_update.sh

PASSWD=`cat /root/.sapasswd.txt`

authc_config -u administrator -p 'NetWorker_Administrator_Password' -e update-config -D config-id=config_id# -D "config-active-directory=y" -D "config-server-address=ldaps://domain_server_hostname:636/dc=domain,dc=com" -D config-user-dn=”cn=service_account,ou=some_group,dc=domain,dc=com" -D config-user-dn-password="$PASSWD"

6. Set permissions on the script so that it is executable:

chmod 755 authc_update.sh

7. Run the script: /authc_update.sh

[root@nsr ~]# cat authc_update.sh                    
PASSWD=`cat /root/.sapasswd.txt`

authc_config -u administrator -p 'Pa$$w0rd01' -e update-config -D config-id=2 -D "config-active-directory=y" -D "config-server-address=ldaps://dc.amer.lan:636/dc=amer,dc=lan" -D "config-user-dn=cn=administrator,cn=users,dc=amer,dc=lan" -D config-user-dn-password="$PASSWD"
[root@nsr ~]# chmod 755 authc_update.sh                        
[root@nsr ~]# ./authc_update.sh                                
Configuration AD is updated successfully.

8. AD logins through NetWorker should now complete successfully.

If the configuration is updated from the NMC, the Is Active Directory flag is set to false again. If the configuration must be updated, use one of the following methods instead:

• Command-line or script method: NetWorker: How To Set up LDAP/AD using authc_config scripts
• NetWorker Web User Interface: NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)