IDP authentication problems with Server 2012

Tim Larson Tim.Larson at
Thu May 22 13:15:06 EDT 2014

Thanks for the help.

Looks like the problem was the version of Java being used by the IDP where I was having the problem. Looks like the Java 6 libraries have a problem connecting to Server 2012 Active Directory. I upgraded to Java 7 (jdk1.7.0_45) and everything started working perfectly.

Tim Larson
University of Central Florida

From: users-bounces at On Behalf Of Chris Phillips
Sent: Tuesday, May 20, 2014 9:36 AM
To: Shib Users
Subject: Re: IDP authentication problems with Server 2012

Yes, but not just ADsvr2012, AD in general.

One thing to check is the certificate you have and what each of the DCs offer for the handshake.

They may offer different certs and one may not be in your java keystore of the IdP.
Also ensure the DNS resolution is what you expect it to be.
Do you override /etc/hosts? Do the pair of DCs respond to the same name?

Jacking up the log level for LDAP in the IdP will also highlight some of this.

Using openssl, you can quickly eyeball the chain to check:

openssl s_client -showcerts -connect
On 2014-05-20, at 8:59 AM, Tim Larson wrote:

Has anyone experienced problems connecting the Shibboleth IDP to Active Directory running on Server 2012?

We are running the Shibboleth 2.40 IDP and trying to authenticate against a Server 2012 Domain Controller. The exact same configuration works fine when connecting to a Server 2008 Domain Controller in the same AD Domain. We are connecting on the global catalog port 3269, but have tried the LDAP ports as well.

Does anyone know of any services that changed with 2012 or levels of encryption supported that may be causing problems with authenticating against this version of Active Directory?

Tim Larson
University of Central Florida
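Chris's openssl check above, carried through once per DC as an added example (this is not from the thread and not Shibboleth's own tooling): it resolves every address behind the DC name and summarises the chain each one offers on the GC TLS port, assuming openssl and getent are installed; the DC name, the port 3269 default and the embedded sample output are assumptions.

```shell
# Added example, not from the thread: for each address a DC name resolves
# to, summarise the certificate chain that DC offers on the GC TLS port, so
# a DC presenting a chain the IdP's Java keystore does not trust stands out.

# One "depth subject issuer" line per certificate, read from the
# "Certificate chain" section of `openssl s_client -showcerts` output on stdin.
summarize_chain() {
    awk '
        /^[ \t]*[0-9]+ s:/ { depth = $1; sub(/^[ \t]*[0-9]+ s:/, ""); subj = $0 }
        /^[ \t]*i:/        { sub(/^[ \t]*i:/, ""); printf "depth=%s subject=%s issuer=%s\n", depth, subj, $0 }
    '
}

# Issuer of the depth-0 (server) certificate; compare this against the CA
# the IdP keystore actually trusts.
leaf_issuer() {
    summarize_chain | awk -F'issuer=' '/^depth=0 /{ print $2; exit }'
}

# Live check: one handshake per address behind the name, because the pair
# of DCs may answer for the same DNS name yet offer different certs.
# Assumes openssl and getent (glibc) are installed.
check_dc_chains() {
    host=$1; port=${2:-3269}
    getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u | while read -r ip; do
        printf '== %s -> %s:%s\n' "$host" "$ip" "$port"
        openssl s_client -showcerts -servername "$host" -connect "$ip:$port" </dev/null 2>/dev/null \
            | summarize_chain
    done
}

# Constructed sample of s_client output (not captured from a real DC);
# the PEM bodies are placeholders.
SAMPLE_CHAIN='Certificate chain
 0 s:/CN=dc1.example.edu
   i:/DC=edu/DC=example/CN=Example-CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:/DC=edu/DC=example/CN=Example-CA
   i:/DC=edu/DC=example/CN=Example-CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----'

# Usage: sh check_dc.sh dc.example.edu [3269]; with no arguments only the
# functions are defined, so the sample can be piped through summarize_chain.
if [ "$#" -gt 0 ]; then
    check_dc_chains "$1" "${2:-3269}"
fi
```

If the depth-0 issuer differs between the addresses, or is a CA absent from the IdP's keystore, that DC is the one the handshake fails against.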
