Unable to Connect to AD services

Unable to connect to AD services due to a PKIX path building failure when using multiple AD servers behind a load balancer.

For the PAM server to communicate with an AD global catalog (GC), the PAM keystore needs to contain a security certificate from this global catalog to establish a trusted connection.

During setup of the integration with AD (whether using the GUI or the ADConnect command), PAM automatically imports this certificate from your AD GC server into the PAM keystore so that the integration works smoothly.

However, when multiple GC servers operate behind a load balancer, it is not enough for PAM to hold the certificate of the single GC server it happened to reach during initial setup: each time PAM communicates with the global catalog, the load balancer can route the connection to a different GC server that presents a different certificate.

Since PAM does not know how to reach each GC server hidden behind the load balancer, the certificate from each GC server must be imported manually into the PAM keystore.

This way, after the integration PAM will trust every GC server, whichever one the load balancer selects at any given time.

Several ways to move forward

First, obtain the certificates from the GC servers, then import them into the PAM keystore ($PAM_HOME/jre/lib/security/cacerts).

The following article describes how to import certificates into PAM's keystore:

Importing Certificates

Please note that the article contains several sections on converting your certificate to DER format if it is not already in DER format. Run these commands from the $PAM_HOME folder so that the paths match the article's examples.

Alternatively, if you can reach each global catalog server directly, bypassing the load balancer, you can establish a connection with each global catalog server one by one using ADConnect.

During each connection PAM automatically imports that GC server's certificate into its own keystore.

Finally, re-establish the connection to the GC load balancer. By then PAM has all the certificates loaded in its keystore and can trust whichever connection the load balancer hands it.

For both approaches it is important to import the certificates from all GC servers, because the GC load balancer may route LDAPS traffic from PAM to any one of them.

Can't add any new AD users

Can't add any new AD users when logged in as my local pamadmin account.

When I go to the AD tab and test, I get this error:

Active Directory Configuration Failed to Test.: 501: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 533, v3839.

Here are some other causes of error 49:

The AD-specific error code is the one after "data":

  • 525 user not found

  • 52e invalid credentials

  • 530 not permitted to logon at this time

  • 531 not permitted to logon at this workstation

  • 532 password expired

  • 533 account disabled

  • 701 account expired

  • 773 user must reset password

  • 775 user account locked
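The script below is an added example, not part of the original article or of the PAM product, that ties together the two procedures above: it fetches the LDAPS certificate from each GC server directly (not through the load balancer VIP), imports each one into $PAM_HOME/jre/lib/security/cacerts under its own alias, and also extracts and explains the AD "data" code from an LDAP error 49 message. It assumes PAM_HOME points at the PAM install, the JRE keystore uses the Java default password "changeit", the GC servers listen for LDAPS on port 636, and the host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article or the PAM product).
# Assumptions: PAM_HOME is the PAM install, keystore password is the Java
# default "changeit", GC servers accept LDAPS on 636. Host names are placeholders.
set -u
PAM_HOME="${PAM_HOME:-/opt/pam}"
KEYSTORE="$PAM_HOME/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"
GC_HOSTS="gc1.corp.example.com gc2.corp.example.com"   # direct GC names, not the LB VIP

# Keystore alias for a GC host; keytool lowercases aliases, so do the same here.
gc_alias() { printf 'gc-%s' "$1" | tr 'A-Z' 'a-z'; }

# Fetch the server certificate over TLS and save it as DER (what keytool -importcert
# expects). The empty stdin makes s_client exit right after the handshake.
fetch_gc_cert() {                      # $1 = host, $2 = output .der path
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform DER -out "$2"
}

# Import once per GC; a second import of the same alias fails, so skip if present.
import_gc_cert() {                     # $1 = host
  alias=$(gc_alias "$1"); der="/tmp/$alias.der"
  if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
    echo "$alias already in keystore, skipping"; return 0
  fi
  fetch_gc_cert "$1" "$der" || { echo "could not fetch certificate from $1" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -alias "$alias" -file "$der"
}

# Pull the AD-specific "data NNN" code out of an LDAP error 49 message.
ldap_data_code() { printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\).*/\1/p'; }

# Meaning of the data code (the table from the article).
ad_error_text() {
  case "$1" in
    525) echo "user not found" ;;                  52e) echo "invalid credentials" ;;
    530) echo "not permitted to logon at this time" ;;
    531) echo "not permitted to logon at this workstation" ;;
    532) echo "password expired" ;;                533) echo "account disabled" ;;
    701) echo "account expired" ;;                 773) echo "user must reset password" ;;
    775) echo "user account locked" ;;             *)   echo "unknown data code $1" ;;
  esac
}

if [ "${1:-}" = "import" ]; then       # run as: sh gc_certs.sh import
  for h in $GC_HOSTS; do import_gc_cert "$h"; done
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep '^gc-'   # verify all GCs present
fi
```

After the import, the final keytool -list line should show one gc- alias per GC server; if one is missing, that server can still trigger the PKIX failure when the load balancer routes to it.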