EMM: AD integration fails with error "Error initializing SSL/TLS"
How to set up a secure connection between the AD machine and the Kaseya server for EMM communication using self signed certificate?
With patch 220.127.116.11 installed, when trying to set up AD connection you would receive an error like shown below and you have verified connection issues as per https://kaseya.zendesk.com/entries/104730073
Kaseya Directory Integration Service log available at C:\kaseya\logs\services\directory-webservice.log of Kaseya Server will have an entry like shown below
ERROR [2015-02-24 03:16:20,324] com.kaseya.directory.core.exceptions.LdapBindFailureException: Bind failed to the LDAP server.
! com.unboundid.ldap.sdk.LDAPException: 00000000: LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1
! at com.kaseya.directory.core.connection.ConnectionTarget.<init>(ConnectionTarget.java:58) ~[kaseya-directory-integration.jar:na]
! ... 56 common frames omitted
! Causing: com.kaseya.directory.core.exceptions.LdapBindFailureException: Failed to create connection with given config
EMM uses StartTLS extended operation to encrypt the communication. This extended operation encrypts the communication channel using SSL/TLS protocol depending upon what’s supported by server/client. Although Kaseya recommends to have TLS client protocol enabled on the AD server,older algorithm i.e SSL 2.0 is still supported.
It is a requirement that AD Server should have at least SSL protocol enabled and a self signed certificate applied.
To verify if SSL is enabled or not, please check the value for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\DisabledbyDefault (1 is enabled and 0 is disabled)
There is a link at the bottom of this article on how to enable Transport Layer Security (TLS) protocol. Please note that SSL and TLS are just sets of protocols but you will still require a certificate to digitally bind a cryptographic key.
This article will give a brief idea on how to use self signed certificate(applies to both SSL and TLS) .
Below are few options that you can use to set up self signed certificate on the AD server
Option A: Using IIS. The advantage of this option is that self signed certificate created this way will automatically be tagged as trusted root certificate (Recommended)
(mmc.exe>From MMC, choose File->Add/Remove Snap-in>From Add or Remove Snap-ins, select "Certificates" then click "Add" >Select "Computer Account">Select "Local Computer">choose certificates from console root)
Step 1: Please install IIS on your AD machine from server manager>add roles
Step 2: In IIS manager>browse to root server name>double click server certificate>select the option to create self signed certificate
Step 3: Please provide a friendly name for your SSL certificate
Step 4. You can verify from your management console for certificates that the created certificate is now under trusted root certificate or not
Option B: Using SelfSSL utility
Instruction is provided in this below article. Please make sure you have this certificate in trusted root.
Note: You can use a digitally signed certificate if you have one available
Here is a link on how to enable TLS protocol if you do plan to use TLS over SSL
Option C: For advance users, you can try steps as suggested in below link(Reference/Credit: DigiCert)
"Microsoft AD LDAP (2012): Importing Your Certificate .pfx File into the AD DS Personal Store"
Applies to R9 with at least 18.104.22.168 patch installed