AD Sync fails with the error: A call to SSPI failed, see inner exception.

Article ID: 100033172

Description

Error Message

The following error trace is reported in the ADSCrawler_output.log:

2016-10-24 13:12:14,981 [5160] INFO ADSCrawler - AD BufferManager queue size: 500
2016-10-24 13:12:18,073 [5160] INFO ADSCrawler - SSL Service started
2016-10-24 13:12:20,051 [5160] ERROR ADSCrawler - System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate --- End of inner exception stack trace ---

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) 
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) 
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) 
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) 
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) 
at SecurityUtilsLib.SSLServerService.getSSLStream(Int32 certFindType, String certFindValue, Boolean findValidCertsOnly) in D:\builds\checkout_V82\src\C#\SecurityUtilsLib\SecurityUtilsLib\SSLServerService.cs:line 143 
at ADSCrawler.ADSCrawlerMain.ReceiveMessage(RequestHeader request) in D:\builds\checkout_V82\src\C#\ADSCrawler\ADSCrawler\ADSCrawler.cs:line 320

Cause

This error can occur when all of the following are true:

  • The eDP appliance is using a custom server certificate (i.e. not the default eDP self-signed server certificate).
  • There is an eDP configuration issue that is preventing the AD sync executable from acquiring the authentication credentials.
  • One of the domains to be crawled has a username and password specified in the eDP settings (example shown in Figure 1). This setting invokes the mechanism to pass credentials securely to the AD sync executable (in contrast with the implicit credentials that the AD sync executable is already running with).

Figure 1.
Domain to crawl using explicit username and password

Resolution

1. Set the eDP system-level property esa.common.security.custom.cert.thumbprint to the fingerprint value of the eDP server certificate with the following steps:
a. System > Support Features > Property Browser
b. Ensure the appliance selected is the Cluster Master if running Distributed Architecture.
c. In the Name of Property to change field enter:
esa.common.security.custom.cert.thumbprint
d. In the New value (leave blank to remove) field enter:
The SHA1 fingerprint from eDP server.keystore.
Example: 922019952A3F849BA6F1107A44A4246C2401EF56
e. Check the Confirm Change. Are you sure? box.
f. Click Submit.

2. Launch the Clearwell Commander utility, select Stop Services, and then run Action > Copy Tomcat Provider-Signed Certificate to Windows Trust Store.
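The following PowerShell check is an added example and is not part of this article or the eDiscovery Platform. It normalizes a fingerprint copied from server.keystore (keytool output with colons) into the bare uppercase form the Property Browser expects, then confirms a certificate with that thumbprint is present in the machine stores and is usable for serving TLS; the store paths (LocalMachine\My and LocalMachine\Root) and the default fingerprint are assumptions taken from this article's example value.

```powershell
# Added example (not from the KB article or the eDP product). Run on the appliance as an
# administrator before entering esa.common.security.custom.cert.thumbprint.
param(
    # Fingerprint as copied from the eDP server.keystore (keytool colon-separated form is fine).
    # Default is the example value from the article, not a real deployment's certificate.
    [string]$Fingerprint = '92:20:19:95:2A:3F:84:9B:A6:F1:10:7A:44:A4:24:6C:24:01:EF:56'
)

function Convert-ToThumbprint {
    param([string]$Value)
    # The Property Browser expects bare uppercase hex; keytool prints colon-separated pairs
    $hex = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected a SHA1 fingerprint (40 hex digits), got $($hex.Length): '$Value'"
    }
    return $hex
}

$thumbprint = Convert-ToThumbprint $Fingerprint
Write-Host "Property value to enter: $thumbprint"

# The AD sync executable runs as a service on the appliance, so inspect the machine stores
# (assumed locations), not the current user's stores.
$found = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $found) {
    Write-Warning 'No certificate with this thumbprint in LocalMachine\My or LocalMachine\Root.'
    Write-Warning 'Re-run Clearwell Commander > Action > Copy Tomcat Provider-Signed Certificate to Windows Trust Store.'
    exit 1
}

foreach ($cert in $found) {
    [pscustomobject]@{
        Store         = $cert.PSParentPath -replace '.*::', ''
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # required to serve TLS, not merely to trust the cert
        ChainValid    = $cert.Verify()        # builds and validates the chain on this host
    }
}
```

A match in LocalMachine\Root with ChainValid false, or a copy in LocalMachine\My without a private key, is the kind of certificate processing problem that surfaces as the SSPI error above.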

Issue/Introduction

An eDiscovery Platform (EDP) Active Directory sync is consistently failing almost immediately, with the following error reported in the ADSCrawler_output.log:

ERROR ADSCrawler - System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.