
LDAP Connector Not Working on Windows 10

ad-ldap-connector

#1

I am running Windows 10 Home. I installed the LDAP Connector. Despite this, I cannot connect to the Connector Admin page. I navigate to hhttp://localhost:8357 and I get a connection refused error. IIS is running on my machine. The Auth 0 and Auth 0 Admin services are running. Does anyone have any suggestions?


#2

Can you try temporarily stopping IIS and the Windows 10 firewall, to rule out that any of these services might be causing troubles with this?

You wrote hhttp://localhost:8357. I assume the extra h is a typo here but wasn’t present in your tests, right? (Sorry, but I had to ask :) )


#3

Hi, I tried disabling IIS and the Firewall one at a time and I receive the same error. The connection is refused.

I found this article and am including the requested information: https://auth0.com/docs/connector/troubleshooting#troubleshooting-tool

My logs.log file says ‘2018-12-01T06:12:38.361Z - debug: [2018-12-01 06:12:38] Got SIGTERM, exiting now.’

I cannot find my config.json file.

I tried running the troubleshooting tool and I receive this error:

Error: Cannot read public key. OID is not RSA.
at Object.pki.certificateFromAsn1 (C:\Program Files (x86)\Auth0\AD LDAP Connector\node_modules\win-ca-ffi\node_modules\node-forge\js\x509.js:1274:11)
at StructType.crt (C:\Program Files (x86)\Auth0\AD LDAP Connector\node_modules\win-ca-ffi\lib\ctx.js:17:14)
at module.exports (C:\Program Files (x86)\Auth0\AD LDAP Connector\node_modules\win-ca-ffi\lib\each.js:30:22)
at Object.<anonymous> (C:\Program Files (x86)\Auth0\AD LDAP Connector\node_modules\win-ca-ffi\lib\all.js:30:1)
at Module._compile (module.js:652:30)
at Object.Module._extensions..js (module.js:663:10)
at Module.load (module.js:565:32)
at tryModuleLoad (module.js:505:12)
at Function.Module._load (module.js:497:3)
at Module.require (module.js:596:17)

I go to the Windows event log and I see this documented over and over again:

Program C:\Program Files (x86)\Auth0\AD LDAP Connector\node.exe for service Auth0 ADLDAP Admin exited with return code 1.

Service Auth0 ADLDAP Admin action for exit code 1 is Restart. Attempting to restart C:\Program Files (x86)\Auth0\AD LDAP Connector\node.exe.

Service Auth0 ADLDAP Admin ran for less than 1500 milliseconds. Restart will be delayed by 256000 milliseconds.

Really stuck on this. Do you find that the LDAP Connector is generally reliable? Once I get this working on my desktop, my intention is to use this for a mission-critical application. Do you think that would be wise?


#4

Hi @deepak.sreedharan.

The connector is used in large enterprise deployments, so I would say it is generally reliable. It’s another component in the authentication pipeline, and as such it adds to the overall system complexity: it needs to be monitored to keep it up and running, and its high availability ensured if used for mission-critical applications. But this is true for every other service that you would run in an enterprise infrastructure.

As for this particular error, Cannot read public key. OID is not RSA., the connector runs under NodeJS. NodeJS releases include a fixed set of trusted certificate authorities for HTTPS communication and, unlike other runtimes, it does not look in the OS certificate store for additional trusted CAs.
To allow usage of self-signed certificates and support other situations where the built-in trusted CAs list might not be sufficient, the connector uses a package to read the list of trusted CAs in the Windows certificate store upon startup.
I’ve been googling around, and it seems that the package used to read the trusted CAs does not support elliptic-curve cryptography (ECC.ECDSA). I haven’t seen this issue before in Windows 10. Have you manually added any certificate in the trusted CAs store that might be generating conflicts here?


#5

I have not added any certificates, personally.

Is there any information you want from my certificate manager console?


#6

In the Trusted Root Certificate Authorities store (for the computer, not for the current user), try looking for a certificate that uses an ECC.ECDSA signature algorithm.
Alternatively, locate the each.js file in C:\Program Files (x86)\Auth0\AD LDAP Connector\node_modules\win-ca-ffi\lib and replace its content with this:

// Generated by CoffeeScript 1.12.7

/*
Enumerate system root CAs synchronously
 */
var crypt;

// FFI bindings to the Windows crypt32 API (CertOpenSystemStoreA, etc.)
crypt = require('./crypt32');

module.exports = function(storeName, cb) {
  var ctx, store;
  // each(cb) defaults to the machine ROOT store
  if (typeof storeName === 'function') {
    cb = storeName;
    storeName = 'ROOT';
  }
  // each(['ROOT', 'CA'], cb) enumerates several stores in turn
  if (Array.isArray(storeName)) {
    storeName.forEach(function(sn) {
      return module.exports(sn, cb);
    });
    return;
  }
  store = crypt.CertOpenSystemStoreA(null, storeName);
  try {
    ctx = null;
    while (1) {
      // Passing the previous context fetches the next certificate;
      // a NULL context means the store is exhausted.
      ctx = crypt.CertEnumCertificatesInStore(store, ctx);
      if (ctx.isNull()) {
        return;
      }
      try {
        // crt() decodes the DER blob; node-forge throws here for
        // certificates whose public key is not RSA ("OID is not RSA").
        cb(ctx.deref().crt());
      } catch (e) {
        // Skip just this certificate and keep enumerating, so the
        // remaining trusted CAs are still loaded.
        continue;
      }
    }
  } finally {
    crypt.CertCloseStore(store, 0);
  }
};

What this will do, basically, is skip the certificate that causes the error. Try restarting the connector after replacing this file.
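To make the “OID is not RSA” error from post #4 concrete, and to help with the search for the offending certificate suggested in post #6, here is an added example (not code from the thread, the connector, or win-ca-ffi): a minimal DER reader in Node.js that extracts the public-key algorithm OID from a DER-encoded certificate and lists which certificates an RSA-only parser would reject. The two sample inputs are constructed certificate skeletons, not real certificates; on a real machine you would feed it certificates exported from the Trusted Root store as DER files.

```javascript
// Added example (not from the Auth0 thread or the connector code). "OID is not
// RSA" refers to the algorithm OID in a certificate's SubjectPublicKeyInfo; this
// minimal DER reader extracts it so DER certificates can be checked for non-RSA keys.
const RSA_OID = '1.2.840.113549.1.1.1'; // rsaEncryption
const EC_OID = '1.2.840.10045.2.1';     // id-ecPublicKey (ECDSA certificates)

// Read one DER element at pos -> { tag, value, next }; handles long-form lengths.
function readTlv(buf, pos = 0) {
  const tag = buf[pos]; let len = buf[pos + 1]; pos += 2;
  if (len & 0x80) { const n = len & 0x7f; len = buf.readUIntBE(pos, n); pos += n; }
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}
// Split a constructed element's content into its child elements.
function children(value) {
  const out = [];
  for (let pos = 0; pos < value.length; pos = out[out.length - 1].next) {
    out.push(readTlv(value, pos));
  }
  return out;
}

// Decode OID content octets: first byte packs two arcs, the rest are base-128.
function decodeOid(raw) {
  const arcs = [Math.floor(raw[0] / 40), raw[0] % 40];
  let acc = 0;
  for (const b of raw.subarray(1)) {
    acc = acc * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(acc); acc = 0; }
  }
  return arcs.join('.');
}
// Certificate -> tbsCertificate -> [version], serial, signature, issuer, validity,
// subject, subjectPublicKeyInfo -> AlgorithmIdentifier -> algorithm OID.
function spkiAlgorithmOid(derCert) {
  let fields = children(children(readTlv(derCert).value)[0].value);
  if (fields[0].tag === 0xa0) fields = fields.slice(1); // optional [0] version
  const algId = children(children(fields[5].value)[0].value);
  return decodeOid(algId[0].value);
}

// List the certificates an RSA-only parser would choke on, with their key OIDs.
function nonRsaCerts(derCerts) {
  return derCerts.map((c, i) => ({ index: i, oid: spkiAlgorithmOid(c) }))
    .filter((r) => r.oid !== RSA_OID);
}

// Constructed, unsigned certificate skeletons with dummy key and signature fields
// (not real certificates): one carries the RSA key OID, the other the EC key OID.
const SAMPLE_RSA_CERT = Buffer.from('302a3023a0030201020201013000300030003000'
  + '3011300b06092a864886f70d010101030200003000030100', 'hex');
const SAMPLE_EC_CERT = Buffer.from('30283021a0030201020201013000300030003000'
  + '300f300906072a8648ce3d0201030200003000030100', 'hex');
```

For real input, read each exported `.cer` file with `fs.readFileSync` and pass the resulting Buffers to `nonRsaCerts`; any index it reports is a certificate the connector's RSA-only path would fail on.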