AD/LDAP connection error: "Wrong attempt to update ad connector thumbprints."

Problem statement

Every few minutes we are seeing an error in our tenant logs for our AD/LDAP connection with a description “Wrong attempt to update ad connector thumbprints.”

{
...
"date": "*****",
"type": "fcpro",
"description": "Wrong attempt to update ad connector thumbprints.",
"connection_id": "",
"client_id": "****",
"ip": "****",
"details": {
"details": "You have already used this ticket (********) with an agent that is currently running on another machine. To solve this, create a **NEW** connection with a new ticket and use that one instead. You can uninstall the other agent."
},
"hostname": "*******",
...
}

We went to the Auth0 connector and ran a test. The first time it ran without an error; all subsequent runs produce this error:

“08:23:22 - error: × Connection to LDAP failed.
08:23:22 - error: > Error: 00002024: LdapErr: DSID-0C060810, comment: No other operations may be performed on the connection while a bind is outstanding., data 0, v3839”

That said, the system seems to be working; at least I have not heard complaints from users. Regardless, we would like to eliminate those errors.

Cause

Several issues arise when the connector's certificate does not match the certificate already stored in the connection (on Auth0's side). The mismatch is usually caused by reusing a ticket URL, i.e. pointing a second connector at a connection for which the handshake has already been completed.

You might see this in the connector logs:


`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `45` `] Loading settings from ticket: https:` `//{auth0_domain}/p/ad/*****/info`
`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `47` `] Local settings updated.`
`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `47` `] Generating a self-signed certificate.`
`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `52` `] Certificate generated.`

`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `52` `] Configuring connection {connection_name}.`
`[` `2019` `-` `04` `-` `23` `18` `:` `29` `:` `52` `]  > Posting certificates and signInEndpoint: http:` `//C02W5779HTD5:4000/wsfed`
`[` `2019` `-` `04` `-` `23` `18` `:` `30` `:` `53` `] Unexpected status ` `while` `configuring connection: ` `504`
`[` `2019` `-` `04` `-` `23` `18` `:` `30` `:` `53` `] <html>`
`<head><title>` `504` `Gateway Time-out</title></head>`
`<body bgcolor=` `"white"` `>`
`<center><h1>` `504` `Gateway Time-out</h1></center>`
`</body>`
`</html>`

This happens when the server detects a mismatch between the certificate the connector sends on startup and the one stored in the connection. The server deliberately delays its response by 60 seconds to prevent flooding, but the gateway in front of it times out first and returns a 504 Gateway Time-out instead.

This error is accompanied by a tenant log entry like the one shown in the Problem statement above.

Solution

The solution is either to create a new connection (and update the connector's config.json with the new PROVISIONING_TICKET), or to remove the options.certs and options.thumbprints values from the connection using the Management API v2.
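The second option above, carried out with the Management API v2, as an added example; this is not Auth0's own tooling. It assumes a Management API token with the read:connections and update:connections scopes, and reads the tenant domain, token and connection id from environment variables (AUTH0_DOMAIN, AUTH0_MGMT_TOKEN, AUTH0_CONNECTION_ID are names chosen here). The important detail is that PATCH /api/v2/connections/{id} replaces the whole options object, so the script fetches the connection first and sends every other option back unchanged; strip_connector_certs() is the pure part that does the removal.

```python
"""Clear stale AD/LDAP connector certificate material from an Auth0 connection.

Added example (not Auth0's code). Uses only the standard library so it runs
without extra dependencies.
"""
import copy
import json
import os
import sys
import urllib.request

# Keys the connector writes into the connection during its first handshake.
CONNECTOR_CERT_KEYS = ("certs", "thumbprints")


def strip_connector_certs(options):
    """Return (new_options, removed_keys).

    new_options is a deep copy of the connection's options object with
    options.certs and options.thumbprints removed. The Management API PATCH
    overwrites the entire options object, so everything else must be sent
    back untouched; copying rather than mutating keeps the caller's view
    of the original intact for comparison or logging.
    """
    new_options = copy.deepcopy(options)
    removed = [k for k in CONNECTOR_CERT_KEYS if k in new_options]
    for key in removed:
        del new_options[key]
    return new_options, removed


def _request(method, url, token, body=None):
    """Minimal JSON request helper for the Management API."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def reset_connector_certs(domain, token, connection_id):
    """GET the connection, drop the connector cert keys, PATCH the full options back.

    Returns the list of keys that were removed; an empty list means the
    connection held no connector certificate material and nothing was sent.
    """
    base = f"https://{domain}/api/v2/connections/{connection_id}"
    conn = _request("GET", base, token)
    new_options, removed = strip_connector_certs(conn.get("options", {}))
    if removed:
        # Send the complete options object: PATCH replaces it wholesale.
        _request("PATCH", base, token, {"options": new_options})
    return removed


if __name__ == "__main__":
    # Environment variable names are an assumption of this example.
    try:
        domain = os.environ["AUTH0_DOMAIN"]
        token = os.environ["AUTH0_MGMT_TOKEN"]
        connection_id = os.environ["AUTH0_CONNECTION_ID"]
    except KeyError as missing:
        sys.exit(f"missing environment variable: {missing}")
    removed = reset_connector_certs(domain, token, connection_id)
    print("removed:", removed or "nothing (no connector certs stored)")
```

After the PATCH, restart the connector once; on startup it generates a fresh self-signed certificate and posts it to the now-empty connection, which is the same handshake a brand-new ticket would trigger. Make sure only one connector instance is pointed at the connection, otherwise the mismatch will simply reappear.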