EMM: AD Integration Fails with Error: "Error initializing SSL/TLS." - Connect IT Community | Kaseya
<main> <article class="userContent">
<p><strong>Problem: </strong>AD integration fails with the error "<strong>Error initializing SSL/TLS</strong>". How can I set up a secure connection between the AD machine and the Kaseya server for EMM communication using a self-signed certificate?</p>
<p>When trying to set up the AD connection you receive an error like the one shown below, and you have already checked for connection issues as described in <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/kaseya/entries/104730073" rel="noopener nofollow">this KB</a>.</p>
<p><img src="/attachments/token/xyxufbkXFhDRZvZWf3kuUi6Pk/?name=Evaluation+Edition_20150224_14-08-14.jpg" alt="Evaluation_Edition_20150224_14-08-14.jpg" width="702" height="384" class="embedImage-img importedEmbed-img"></p>
<p><strong>Note: </strong>The Kaseya Directory Integration Service log, available at <strong>C:\Kaseya\Logs\Services\directory-webservice.log</strong> on the Kaseya Server, will contain an entry like the one shown below:</p>
<p><em>ERROR [2015-02-24 03:16:20,324] com.kaseya.directory.core.exceptions.LdapBindFailureException: Bind failed to the LDAP server.</em><br><em>! com.unboundid.ldap.sdk.LDAPException: 00000000: LdapErr: DSID-0C090E17, comment: <strong>Error initializing SSL/TLS</strong>, data 0, v1db1 </em><br><em>! at com.kaseya.directory.core.connection.ConnectionTarget.<init>(ConnectionTarget.java:58) ~[kaseya-directory-integration.jar:na]</em><br><em>! ... 56 common frames omitted</em><br><em>! Causing: com.kaseya.directory.core.exceptions.LdapBindFailureException: Failed to create connection with given config</em></p>
<p><strong>Resolution: </strong>EMM uses the <strong>StartTLS</strong> extended operation to encrypt the communication. This extended operation upgrades the LDAP connection to a channel protected by the SSL/TLS protocol, using whichever protocol version the server and client both support. Although Kaseya recommends having the TLS client protocol enabled on the AD server, the older protocol, SSL 2.0, is still supported - <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.fastmail.com%2Fhelp%2Ftechnical%2Fssltlsstarttls.html">https://www.fastmail.com/help/technical/ssltlsstarttls.html</a></p>
<p><strong>It is a requirement that the AD Server has at least the SSL protocol enabled and a self-signed certificate applied.</strong></p>
<p>To verify whether SSL is enabled, check the value of:</p>
<p><strong>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\DisabledByDefault (1 is enabled and 0 is disabled)</strong></p>
<p>There is a link at the bottom of this article on how to enable the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Ftechnet.microsoft.com%2Fen-nz%2Flibrary%2Fdn786418.aspx" rel="noopener nofollow">Transport Layer Security (TLS) protocol</a>. Note that SSL and TLS are only sets of protocols; you will still require a certificate to digitally bind a cryptographic key to the server.</p>
<p>This article gives a brief overview of how to use a self-signed certificate (this applies to both SSL and TLS).</p>
<p>Below are a few options you can use to set up a self-signed certificate on the <strong>AD Server</strong>:</p>
<p><strong>Option A: </strong>Using IIS. The advantage of this option is that a self-signed certificate created this way is automatically placed in the Trusted Root store (recommended) - see steps 1-7 of <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/kaseya/hc/en-gb/articles/115000637668-Using-An-Existing-SSL-Certificate-R9-4-and-up" rel="noopener nofollow">this other KB article</a>.</p>
<p><strong>Step 1:</strong> Install IIS on your AD machine from Server Manager > Add Roles:</p>
<ul><li><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.iis.net%2Flearn%2Finstall%2Finstalling-iis-7%2Finstalling-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2">http://www.iis.net/learn/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2</a></li> </ul>
<p><strong>Step 2:</strong> In IIS Manager, browse to the root server node, double-click Server Certificates and select the option to create a self-signed certificate:</p>
<p><img src="/attachments/token/itGQCLYW8NKMDvxkM0sizNIES/?name=Microsoft+Office+2010_20150224_16-08-27.jpg" alt="Microsoft_Office_2010_20150224_16-08-27.jpg" class="embedImage-img importedEmbed-img"></p>
<p><strong>Step 3:</strong> Provide a friendly name for your SSL certificate:</p>
<p><img src="/attachments/token/iTWTu5dVXxuhQnH6UOdA07d6M/?name=DC+%5BRunning%5D+-+Oracle+VM+VirtualBox_20150224_14-22-32.jpg" alt="DC__Running__-_Oracle_VM_VirtualBox_20150224_14-22-32.jpg" width="605" height="437" class="embedImage-img importedEmbed-img"></p>
<p><strong>Step 4:</strong> From the Certificates management console, verify whether the created certificate is now listed under Trusted Root Certification Authorities.</p>
<p><strong>Option B: Using the SelfSSL utility:</strong></p>
<p>Instructions are provided in the article below. Make sure the certificate ends up in the Trusted Root store:</p>
<ul><li><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.howtogeek.com%2F107415%2Fit-how-to-create-a-self-signed-security-ssl-certificate-and-deploy-it-to-client-machines%2F">http://www.howtogeek.com/107415/it-how-to-create-a-self-signed-security-ssl-certificate-and-deploy-it-to-client-machines/</a></li> </ul>
<p><strong>Note: </strong>You can use a CA-signed certificate if you have one available:</p>
<ul><li><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.godaddy.com%2Fhelp%2Farticle%2F4801%2Finstalling-an-ssl-certificate-in-microsoft-iis-7">https://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7</a></li> </ul>
<p>Here are links on how to enable the TLS protocol if you plan to use TLS rather than SSL:</p>
<ul><li><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.quovadisglobal.com%2FKB%2Fa433%2Fhow-to-enable-tls-12-on-windows-server-2008-r2.aspx">https://support.quovadisglobal.com/KB/a433/how-to-enable-tls-12-on-windows-server-2008-r2.aspx</a></li> <li><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Ftecadmin.net%2Fenable-tls-on-windows-server-and-iis%2F">http://tecadmin.net/enable-tls-on-windows-server-and-iis/</a></li> </ul>
<p>More reference:</p>
<ul><li><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fblogs.msdn.com%2Fb%2Fkaushal%2Farchive%2F2011%2F10%2F02%2Fsupport-for-ssl-tls-protocols-on-windows.aspx">http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx</a></li> </ul>
<p><strong>Option C</strong>: For advanced users, you can follow the steps in the link below (reference/credit: DigiCert):</p>
<ul><li><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.digicert.com%2Fssl-certificate-installation-microsoft-active-directory-ldap-2012.htm">https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm</a></li> </ul>
<p><strong>Applies to: </strong>VSA 9.0, 9.1, 9.2, 9.3, 9.4.</p>
</article> </main>
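<p>The following PowerShell script is an added example; it is not part of the Kaseya KB article and not EMM's or Kaseya's own code. It audits, on the domain controller, the two conditions the Resolution section states (an SSL/TLS protocol enabled in Schannel, and a trusted server certificate) and offers a PowerShell equivalent of the Option A/B outcome (a self-signed Server Authentication certificate for the DC's FQDN in the Personal store, trusted via the machine's Trusted Root store). Schannel reads two values per protocol and side, <code>Enabled</code> and <code>DisabledByDefault</code>, and the script reports both rather than only the one named above. Assumptions: an elevated PowerShell 3.0 or later session on the domain controller; <code>New-DcSelfSignedCertificate</code> and <code>Enable-SchannelProtocol</code> are the only functions that change the system, and the certificate function relies on the PKI module cmdlets (<code>New-SelfSignedCertificate</code>, <code>Export-Certificate</code>, <code>Import-Certificate</code>), so Windows Server 2012 or later is assumed for it; the DC's FQDN is derived from the machine's own DNS host entry, which is an assumption you may override with the <code>-Fqdn</code> parameter.</p>

```powershell
# Added example (not from the Kaseya KB, EMM, or Kaseya): audit the Schannel protocol
# state and the LDAP server certificate on a domain controller, and optionally create
# the self-signed certificate the KB's Option A/B steps produce via IIS / SelfSSL.
# Assumed: elevated PowerShell 3.0+ on the DC; PKI module for New-DcSelfSignedCertificate.

$SchannelProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ServerAuthEkuOid     = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-RegistryDword {
    # Returns the named DWORD, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. Schannel consults Enabled (0 = protocol off) and
    # DisabledByDefault (1 = not offered unless an application asks for it explicitly).
    # A missing key or value means the built-in default of that Windows version applies.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path -Path $SchannelProtocolsKey -ChildPath "$protocol\$side"
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                KeyPresent        = (Test-Path -Path $path)
                Enabled           = (Get-RegistryDword -Path $path -Name 'Enabled')
                DisabledByDefault = (Get-RegistryDword -Path $path -Name 'DisabledByDefault')
            }
        }
    }
}

function Enable-SchannelProtocol {
    # Sets Enabled=1 / DisabledByDefault=0 for both sides of a protocol, e.g. 'TLS 1.2',
    # which is what the TLS-enablement links in the KB do by hand. Schannel reads these
    # values at boot, so the change takes effect after a reboot.
    param([Parameter(Mandatory = $true)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path -Path $SchannelProtocolsKey -ChildPath "$Protocol\$side"
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-LdapServerCertificateCandidate {
    # AD DS protects LDAP with a certificate from the computer's Personal store that has a
    # private key, the Server Authentication EKU and a DNS name matching the DC's FQDN.
    # For each candidate, InTrustedRoot tells you whether the same (self-signed) certificate
    # is also in Trusted Root Certification Authorities, the end state of Option A / B.
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)  # assumption
    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEkuOid })
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cert.HasPrivateKey -and $serverAuth -and $dnsName -eq $Fqdn) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                InTrustedRoot = (Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")
            }
        }
    }
}

function New-DcSelfSignedCertificate {
    # PowerShell equivalent of Option A / B: issue a self-signed Server Authentication
    # certificate for the DC's FQDN into the Personal store, then import its public part
    # into Trusted Root so the machine trusts its own issuer. Returns the new certificate.
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
    $cerFile = Join-Path -Path $env:TEMP -ChildPath "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
    Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Remove-Item -Path $cerFile
    $cert
}

# Read-only audit; run the two change functions only once you have reviewed the output.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-LdapServerCertificateCandidate | Format-List
```

<p>Run the script as-is for the audit. If no candidate certificate is listed, or the one listed has <code>InTrustedRoot</code> set to <code>False</code>, that matches the situation the KB describes, and <code>New-DcSelfSignedCertificate -Fqdn dc01.example.local</code> (the FQDN is a placeholder) produces the same end state as Option A or B; re-run the audit afterwards and retry the EMM AD connection. If the audit shows the protocol version you intend to use is not enabled, <code>Enable-SchannelProtocol 'TLS 1.2'</code> writes the registry values the linked TLS articles describe, and the change takes effect after a reboot of the domain controller.</p>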