Loading...
Loading...
Users cannot authenticate using their Microsoft Active Directory (AD) credentials after upgrading PowerProtect to version 19.19.0-15. Error message similar to the following is displayed: "Failed to authenticate the user with identity provider. Please check for any network connectivity issues with the external identity provider if configured. Also check for expired certificates or credential issues with the configured provider." Error message similar to the following is present in the keycloak.log file on the PowerProtect Appliance: 2025-04-02 01:11:20,715 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-23) Uncaught server error: org.keycloak.models.ModelException: LDAP Query failed at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:178) at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:185) at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:1052) at org.keycloak.storage.ldap.LDAPStorageProvider.getUserByUsername(LDAPStorageProvider.java:649) at org.keycloak.storage.ldap.LDAPStorageProvider.getUserById(LDAPStorageProvider.java:373) at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:395) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:222) at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.wrap(PersistentUserSessionProvider.java:642) at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.getUserSession(PersistentUserSessionProvider.java:287) at org.keycloak.models.sessions.infinispan.PersistentUserSessionProvider.getUserSession(PersistentUserSessionProvider.java:282) at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:1493) at org.keycloak.services.managers.AuthenticationManager.authenticateIdentityCookie(AuthenticationManager.java:862) at org.keycloak.services.managers.AuthenticationSessionManager.getUserSessionFromAuthenticationCookie(AuthenticationSessionManager.java:259) at org.keycloak.protocol.AuthorizationEndpointBase.createAuthenticationSession(AuthorizationEndpointBase.java:184) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:193) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:115) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source) at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29) at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141) at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147) at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635) at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516) at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521) at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11) at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:1583) Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.storage.ldap.idm.query.internal.LDAPQuery@29377815 at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:294) at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:174) ... 27 more Caused by: javax.naming.CommunicationException: yourcompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:251) at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:141) at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1620) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2848) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:349) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:520) at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.createLdapContext(LDAPContextManager.java:74) at org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager.getLdapContext(LDAPContextManager.java:93) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:709) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:704) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:255) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:278) ... 28 more Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:647) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:467) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) at java.naming/com.sun.jndi.ldap.Connection.initialSSLHandshake(Connection.java:370) at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:288) at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:230) ... 47 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271) at java.base/sun.security.validator.Validator.validate(Validator.java:256) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:631) ... 61 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383) ... 66 more
This behavior is seen when high availability is configured for domain controllers. In PowerProtect Data Manager 19.19, there is a major architectural change regarding how authentication and user management works. As part of the upgrade, the existing configuration is migrated to the new architecture. After the migration, in the absence of the Root CA certificate used for domain controllers from the PowerProtect Data Manager trust chain breaks Validation fails when modifying the Active Directory connection to automatically pull the Root CA certificate to the trust chain.
In the PowerProtect Data Manager releases after 19.19.0-15, the architectural changes are affecting the validation of the certificate chain. Perform the following steps to add a Root CA certificate to the trust chain: Ensure the Root CA certificate file used on domain controllers is available. Remove existing connection to Active Directory. Select Add button under Directory Settings page. Select AD , check Secure Connection checkbox, and fill Active Directory details. Under Certificate section, select Upload Certificate option. Selecting the Upload Certificate option enables you to upload or paste the root or the host certificate. For uploading a host or root certificate: Select the Upload Certificate File option. Select the certification type whether it is Host, ICA, or Root. If a Root CA certificate is to be uploaded, select Root option. Click Upload Certificate File and select the certificate from your system/server. NOTE: The supported file types are .pem and .crt. For pasting a root certificate: Select the "Paste Certificate" option. Select the certification type whether it is Host, ICA, or Root. If a Root CA Certificate is being added, select Root option . Paste the certificate in the empty field. Review information under Show Advanced Settings and select Apply button. Go to the Administration menu, select Certificates followed by External Servers tab. Validate that you can find a Root CA certificate listed with Approved state for the port number used (636 is the default port). Go to Users Groups page under Access Control section to add users and groups from Active Directory. Test by authenticating using Active Directory credentials. Users should use userPrincipalName(UPN) while adding username on the log in page. The PowerProtect Data Manager Security Configuration Guide contains more options for Lightweight Directory Access Protocol (LDAP) or AD connections.
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.