Troubleshooting
Problem
Attempting to configure TM1 to use LDAP as an authentication source returns the following error in the tm1server.log when users attempt to log in: ERROR 2016-01-26 12:39:48.900 TM1.LDAPAuth LDAP ERROR: 0x51 - ldap_connect failed.
Diagnosing The Problem
Recreate the error, and immediately check Windows Event Viewer's 'System' logs for any details. In this case, the following error had been thrown:
Event Type: Error
Event Source: Schannel
Event ID: 36884
Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is server_name. The SSL connection request has failed. The attached data contains the server certificate.
The detail above leads us to Microsoft KB Article 2275950: https://support.microsoft.com/en-us/kb/2275950
Resolving The Problem
The details in the error and the Microsoft KB indicate that there is an issue with using Microsoft APIs to verify the certificate (unless the MS HotFix is applied). To tell TM1 not to use the Microsoft API for SSL certificate verification, we must set the following in the tm1s.cfg file (and restart TM1):
LDAPVerifyServerSSLCert=T
This setting tells TM1 that it is now responsible for checking the certificate.
You may also need to specify the expected server name using the LDAPVerifyCertServerName parameter, or you may skip the server name check altogether using LDAPSkipSSLCertVerification=T.
The following documentation should be reviewed to determine which path better suits your environment: http://www-01.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_ldapverifyserversslcert.html
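A quick way to see which of the paths above a given tm1s.cfg has taken is to audit the three parameters together. The script below is an added example, not IBM code; the file layout it parses ("[TM1S]" header, key=value lines, "#" comments), the case-insensitive key matching, the last-value-wins rule and the sample values are assumptions.

```python
# Added example: audits the three LDAP certificate parameters named on this page.
# Assumed file layout: "[TM1S]" header, key=value lines, "#" comments.
SAMPLE_CFG = """\
[TM1S]
# constructed sample, not taken from a real server
ServerName=planning_sample
LDAPVerifyServerSSLCert=T
LDAPVerifyCertServerName=ldap01.example.test
LDAPSkipSSLCertVerification=T
"""

def parse_cfg(text):
    """Return {lower-cased key: [values]}; a key may appear on several lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def flag(settings, key):
    """True when the last occurrence of key is T (last-wins is an assumption)."""
    values = settings.get(key.lower())
    return bool(values) and values[-1].upper() == "T"

def audit_ldap_cert_settings(text):
    """Return (severity, parameter, message) findings for a tm1s.cfg body."""
    s = parse_cfg(text)
    verify = flag(s, "LDAPVerifyServerSSLCert")
    skip = flag(s, "LDAPSkipSSLCertVerification")
    names = [n for n in s.get("ldapverifycertservername", []) if n]
    findings = []
    if not verify:
        findings.append(("INFO", "LDAPVerifyServerSSLCert",
                         "not T: the certificate check stays with the Microsoft API"))
    if skip:
        findings.append(("HIGH", "LDAPSkipSSLCertVerification",
                         "T: server name check skipped, server identity is not confirmed"))
        if names:
            findings.append(("WARN", "LDAPVerifyCertServerName",
                             "expected name is set but the check is skipped"))
    elif verify and not names:
        findings.append(("WARN", "LDAPVerifyCertServerName",
                         "no expected server name set for TM1's own check"))
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_cert_settings(SAMPLE_CFG):
        print(*finding, sep=" | ")
```

An empty result means TM1 verifies the certificate itself against a configured expected server name and nothing skips the check.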
Document Information
Modified date: 15 June 2018
UID: swg21975807