Layer7 API Management

  • 1.  unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 23, 2018 02:26 PM

    Hi, I'm facing problems configuring the Microsoft AD authentication scheme in Dev Portal 4.2.7.4. I followed all the instructions and filled in the "Provider Configuration" properly, but when I try to connect I get the following error on the portal configuration page: "Incomplete Base Distinguished Name".

    In addition, I also get the following errors in the Docker container logs (executing the "journalctl -fu docker" command):


    Oct 23 17:32:01 ***.*** dockerd[1120]: 2018-10-23 14:32:01.870 INFO [portal-data,880d2971632e8d2c68cf3b409110bacf,f6f5105fbe38966c,true] 1 --- [nio-8080-exec-8] com.ca.apim.auth.impl.AuthConfigSvcImpl : resp AuthResponse [authEntity=null, user=null, respCode=13007, respMsg=Incomplete Base Distinguished Name]
    Oct 23 17:32:01 ***.*** dockerd[1120]: 2018-10-23 14:32:01.877 ERROR [portal-data,880d2971632e8d2c68cf3b409110bacf,f6f5105fbe38966c,true] 1 --- [nio-8080-exec-8] c.l.portal.service.auth.AuthServiceImpl : Creation of the AuthConfig failed


    Please also see the attached screenshot of the scheme configuration I did in the portal.

    Important comment: please note that the domain of the customer, which we configured and are trying to connect to, is a "single label domain".

    I will appreciate your kind and prompt response on this issue.
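
Added example (not part of the original post and not Layer7 code): a small Python parser for the two log records quoted above, which pairs the `AuthResponse` record with the `ERROR` record that shares its trace id. It assumes the bracketed field after the log level is service, trace id, span id and a flag; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the post, one per line.
SAMPLE = [
    "Oct 23 17:32:01 ***.*** dockerd[1120]: 2018-10-23 14:32:01.870 INFO [portal-data,880d2971632e8d2c68cf3b409110bacf,f6f5105fbe38966c,true] 1 --- [nio-8080-exec-8] com.ca.apim.auth.impl.AuthConfigSvcImpl : resp AuthResponse [authEntity=null, user=null, respCode=13007, respMsg=Incomplete Base Distinguished Name]",
    "Oct 23 17:32:01 ***.*** dockerd[1120]: 2018-10-23 14:32:01.877 ERROR [portal-data,880d2971632e8d2c68cf3b409110bacf,f6f5105fbe38966c,true] 1 --- [nio-8080-exec-8] c.l.portal.service.auth.AuthServiceImpl : Creation of the AuthConfig failed",
]

# Timestamp, level, [service,trace,span,flag], pid, [thread], logger, message.
# The journald prefix (host, dockerd[pid]) is skipped by using search().
RECORD = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<service>[^,\]]*),(?P<trace>[0-9a-f]*),(?P<span>[0-9a-f]*),[^\]]*\]\s+"
    r"\d+ --- \[(?P<thread>[^\]]+)\]\s+(?P<logger>\S+)\s+: (?P<msg>.*)$"
)
AUTH_RESP = re.compile(r"respCode=(?P<code>\d+), respMsg=(?P<text>[^\]]*)\]")


def parse(lines):
    """Yield one dict per line that matches the application log layout."""
    for line in lines:
        m = RECORD.search(line)
        if m:
            yield m.groupdict()


def failed_auth_configs(lines):
    """Pair each AuthResponse with ERROR records sharing its trace id."""
    by_trace = defaultdict(list)
    for rec in parse(lines):
        by_trace[rec["trace"]].append(rec)
    findings = []
    for trace, recs in by_trace.items():
        responses = [m for m in (AUTH_RESP.search(r["msg"]) for r in recs) if m]
        errors = [r["msg"] for r in recs if r["level"] == "ERROR"]
        if responses and errors:  # a response code alone is not a failure
            findings.append({
                "trace": trace,
                "resp_code": int(responses[0]["code"]),
                "resp_msg": responses[0]["text"],
                "errors": errors,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_auth_configs(SAMPLE):
        print(finding)
```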



  • 2.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 23, 2018 04:20 PM

    Normally in AD there are 2 parts to the DC, like dc=ca,dc=com, so seeing there only being one part is unusual. Please confirm the whole DN with the Directory Server admin.

     

    Sincerely,

     

    Stephen Hughes

    CA Support



  • 3.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 23, 2018 05:43 PM

    Hi Stephen,

     

    I confirmed with the DC admin that the Base DN is composed of one part in their case. Please note that we had also tried to specify 2 parts for the sake of testing but still got the same error.

    Perhaps the fact that in this particular case their domain is a "single label domain" is related to the issue?

     

    Thanks,



  • 4.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Posted Oct 23, 2018 07:15 PM

    Interesting. I had never heard of a "single label domain" before. I had to look it up. I found this KB article from Microsoft which was interesting in what it states: https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains 

     

    From the KB article from Microsoft:

    "Although an SLD is not a common configuration worldwide, some Microsoft products can be installed in an SLD configuration and in other uncommon namespace configurations. However, certain considerations may apply, as noted by individual product groups. Existing products may continue to function with SLDs, but SLDs are not a recommended configuration for future deployments and may not work with some products or versions. Other Microsoft or third-party applications that end-users may want to run in your environment may not be compatible on an SLD. We recommend that customers deploy their infrastructure by using common, tested configurations to minimize extra deployment and testing costs."

    In other words, my interpretation is that even Microsoft seems to discourage that type of environment. I would say it's reasonable to suspect the SLD as a root cause; we are likely not compatible with it. We should test this though to verify.



  • 5.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 24, 2018 03:23 AM

    Thanks for those inputs, Dustin.

    I was also afraid that the SLD might be the root cause. The problem is that it's the current configuration on the customer's site, and it will not be changed.

    I will try to follow the workaround for pointing to the global catalog and also upgrade to 4.2.9.3 and see if that resolves the issue.

    Please note that we did manage to integrate the gateway with the customer's AD.

     



  • 6.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 23, 2018 05:59 PM

    Hi Stephen, 

     

    I found a related support KB article on the issue I described above: Integrating API Portal with MS Active Directory - CA Knowledge

    I will follow the workaround suggested in this KB URL and update later if that resolved the issue.



  • 7.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2

    Broadcom Employee
    Posted Oct 23, 2018 06:26 PM

    Please look to upgrade the environment to 4.2.9.1, as there are a lot of good performance improvements and product enhancements.

     

    Sincerely,

     

    Stephen Hughes

    CA Support



  • 8.  Re: unable to configure microsoft AD authentication scheme in dev Portal 4.2
    Best Answer

    Broadcom Employee
    Posted Oct 24, 2018 05:18 AM

    Hi,

    I have followed the workaround KB instructions to connect to the global catalog on port 3268 and the issue is now resolved. Thanks for your comments.