Problem Note 45139: Unable to connect to the SAS® Metadata Server when using direct authentication to a load-balanced LDAP server using SSL
If the SAS® Metadata Server is configured for direct authentication to a Lightweight Directory Access Protocol (LDAP) server over Secure Sockets Layer (SSL), and the LDAPS server is configured for load-balancing, you might receive the following errors when attempting to log in to the SAS Metadata Server:
ERROR: Invalid credentials
ERROR: Access denied.
ERROR: Unable to contact the LDAP server.
ERROR: Possible cause: Server certificate not found, port not SSL enabled
ERROR: LDAP SSL Message ldapsNegotiate() failed -2139099117
In this scenario, the value of the LDAP_HOST in the SAS Metadata Server's configuration references the LDAP server load balancer. When an authentication request is sent to this load-balancing server, it forwards the request to one of the LDAP servers in the cluster. This "real" LDAP server answers with its own certificate, which contains references to its own server name.
The errors occur because the SAS Metadata Server compares the host name in the certificate with the name of the host defined in the LDAP_HOST configuration option, and the values do not match.
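The comparison described above, as an added example: generic RFC 6125-style host name matching in Python, not SAS code (this note does not state the exact matching rules SAS applies). All host names and certificates are constructed; the second certificate shows that a back-end certificate that also lists the load balancer name as a subject alternative name passes the check.

```python
# Added example: generic host name check, not SAS code. All names are constructed.

def cert_names(cert):
    """Return the DNS names a certificate is valid for (SAN first, CN fallback).

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback: commonName is consulted only when no DNS SAN is present.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_ldap_host(ldap_host, cert):
    """Return (ok, names): does the certificate cover the configured LDAP_HOST?"""
    names = cert_names(cert)
    return any(name_matches(n, ldap_host) for n in names), names


LDAP_HOST = "ldap-vip.example.com"  # constructed load balancer name

# Constructed certificate of one back-end node: it names only itself.
BACKEND_ONLY = {
    "subject": ((("commonName", "ldap01.example.com"),),),
    "subjectAltName": (("DNS", "ldap01.example.com"),),
}
# Constructed reissued certificate that also lists the load balancer name.
WITH_VIP = {
    "subject": ((("commonName", "ldap01.example.com"),),),
    "subjectAltName": (("DNS", "ldap01.example.com"), ("DNS", "ldap-vip.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("backend-only", BACKEND_ONLY), ("with-vip", WITH_VIP)):
        ok, names = check_ldap_host(LDAP_HOST, cert)
        print(f"{label}: LDAP_HOST={LDAP_HOST} names={names} -> {'match' if ok else 'MISMATCH'}")
```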
Click the Hot Fix tab in this note to access the hot fix for this issue.
NOTE: In addition to installing the hot fix, you must also create the NOSSLNAMECHECK environment variable to prevent the errors. You can create the environment variable by adding the following command to your sasv9.cfg file:
-set NOSSLNAMECHECK 1
Another option, if you are launching SAS® from a script, is to define the environment variable in the script prior to the SAS command:
export NOSSLNAMECHECK=1
Operating System and Release Information
SAS System | SAS Metadata Server | z/OS | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft® Windows® for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2003 Datacenter Edition | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2003 Enterprise Edition | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2003 Standard Edition | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2003 for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2008 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows Server 2008 for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Microsoft Windows XP Professional | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Enterprise 32 bit | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Enterprise x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Home Premium 32 bit | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Home Premium x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Professional 32 bit | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Professional x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Ultimate 32 bit | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows 7 Ultimate x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows Vista | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Windows Vista for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
64-bit Enabled AIX | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
64-bit Enabled HP-UX | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
64-bit Enabled Solaris | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
HP-UX IPF | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Linux | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Linux for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
Solaris for x64 | 9.3 | 9.3_M1 | 9.3 TS1M0 | 9.3 TS1M2 |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
The SAS® Metadata Server fails to authenticate users when authenticating directly to a load-balanced LDAP server using SSL. The failure is due to mismatches between the host defined in the LDAP_HOST option and the host referenced in the certificate that is returned by the LDAP server.
Type: | Problem Note |
Priority: | high |
Topic: | System Administration ==> Communication; System Administration ==> Security ==> Authentication; System Administration ==> Security ==> Identity Management; System Administration ==> Servers ==> Metadata; Third Party ==> Products ==> LDAP |
Date Modified: | 2012-03-28 09:55:07 |
Date Created: | 2011-12-14 10:44:17 |