tracker issue : CF-4204443

Title:

cfldap tag will not connect to Windows Server 2019 domain controllers


Status/Resolution/Reason: To Track//PRNeedInfo

Reporter/Name(from Bugbase): Dave I. / ()

Created: 05/23/2019

Components: Net Protocols, LDAP

Versions: 2016

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: 314028 /

Priority/Frequency: Normal / Most users will encounter

Locale/System: English / Win 2016

Vote Count: 0

Problem Description: Our active directory team has started upgrading the domain controllers on our network to Windows Server 2019 machines, and our authentication mechanism in ColdFusion using the cfldap tag can no longer connect when using these upgraded servers.  The error messages we are seeing are:

"Error","ajp-nio-8015-exec-6","05/23/19","12:13:17","","[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]"
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

Our AD team says the connection is failing to use the supported cipher types; the valid ones are listed below:

TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

Steps to Reproduce: Here is the code that fails with the above error:

<cfldap
server = "{domain controller name}"
port="3269"
referral="25"
action = "query"
name = "results"
start="dc=edu"
<!---filter = "cn=#name#"--->
filter="sAMAccountName=#trim(name)#"
attributes = "cn,o,title,mail,telephonenumber,dn"
secure="CFSSL_BASIC"
scope="subtree"
username="#session.ldap_user#"
password="#session.ldap_password#"
sort = "cn ASC"> 

Actual Result: Stack Trace below

"Error","ajp-nio-8015-exec-6","05/23/19","12:13:17","","[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]"
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
                at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
                at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
                at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
                at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
                at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
                at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
                at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
                at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
                at javax.naming.InitialContext.init(InitialContext.java:244)
                at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
                at coldfusion.tagext.net.LdapTag.getContextObj(LdapTag.java:873)
                at coldfusion.tagext.net.LdapTag.doStartTag(LdapTag.java:735)
                at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3707)
                at cfLDAPSSO2ecfm1258532060.runPage(W:\sites\thd.umsl.edu\thdumsl\LDAPSSO.cfm:27)
                at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:254)
                at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737)
                at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573)
                at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3707)
                at cfusers2ecfc680444605$funcVALIDATEUSER.runFunction(C:\inetpub\wwwroot\THD\users.cfc:34)
                at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493)
                at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426)
                at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389)
                at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
                at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340)
                at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:539)
                at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:658)
                at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:467)
                at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3025)
                at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3000)
                at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:470)
                at cflogin_impersonate2ecfm335952299.runPage(W:\sites\thd.umsl.edu\thdssumsl\security\login_impersonate.cfm:10)
                at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:254)
                at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737)
                at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573)
                at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
                at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
                at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:505)
                at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
                at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
                at coldfusion.filter.PathFilter.invoke(PathFilter.java:153)
                at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
                at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
                at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
                at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
                at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
                at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
                at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
                at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151)
                at coldfusion.CfmServlet.service(CfmServlet.java:223)
                at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
                at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
                at sun.reflect.GeneratedMethodAccessor118.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:134)
                at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doNext(FusionReactorRequestHandler.java:764)
                at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doHttpServletRequest(FusionReactorRequestHandler.java:344)
                at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doFusionRequest(FusionReactorRequestHandler.java:207)
                at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.handle(FusionReactorRequestHandler.java:801)
                at com.intergral.fusionreactor.j2ee.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:36)
                at sun.reflect.GeneratedMethodAccessor117.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:71)
                at sun.reflect.GeneratedMethodAccessor116.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at com.intergral.fusionreactor.agent.filter.FusionReactorStaticFilter.doFilter(FusionReactorStaticFilter.java:54)
                at com.intergral.fusionreactor.agent.pointcuts.NewFilterChainPointCut$1.invoke(NewFilterChainPointCut.java:41)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355)
                at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:510)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:748)


Expected Result: Connect successfully with a negotiated cipher between server and client connection.

Any Workarounds: The only workaround so far is to connect to a Windows Server 2016 domain controller directly, but that causes a single point of failure, since they can go down for maintenance at any time, making users fail to log in unexpectedly.

I have been able to reproduce this same error on both CF2016 update 10 and CF2018 update 3 versions of ColdFusion.

Attachments:

Comments:

I noticed today that the reason code changed to NeedMoreInfo. Can you send me what specific details you need to keep this issue moving forward toward a resolution? You can contact me directly if you would like to schedule a troubleshooting meeting to demonstrate the issue in more detail on one of our test servers. We can reproduce it easily once our Active Directory team added the Windows Server 2019 domain controller to our forest. Thanks. Dave
Comment by Dave I.
30842 | May 29, 2019 06:17:03 PM GMT
Hi Dave,

Can you add the following flag to your jvm.config and send us the stack trace generated for it? It will help us in quickly resolving the issue.

Steps:
1. Open jvm.config
2. Add the flag: -Djavax.net.debug=ssl
3. Restart ColdFusion
4. Rerun your case which was throwing the error
5. Stack trace will be seen either in coldfusion-out.log or exception.log

If no error is seen, try with the flag: -Djavax.net.debug=all

Thanks, Kailash
Comment by Kailash B.
30847 | May 30, 2019 05:20:30 AM GMT
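An added example, not part of the tracker thread or of ColdFusion's code: a small Python triage that separates failures raised during the TLS handshake from results the directory returns at bind time, which is the distinction the -Djavax.net.debug=ssl output is meant to settle. The sample lines are constructed from the message formats in this report (dc.example.test is a placeholder host), and the sub-code table holds the commonly documented Active Directory values carried in the "data" field of result code 49.

```python
import re
from collections import Counter

# Active Directory puts a hex Win32 error in the "data" field of the
# diagnostic message that accompanies LDAP result code 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "unknown user name or bad password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Substrings a JSSE client reports when the TLS handshake itself fails.
# Checked in order, most specific first.
TLS_FAILURES = [
    ("PKIX path building failed",
     "server certificate chain is not trusted by the JVM trust store"),
    ("handshake_failure",
     "peer sent a handshake_failure alert, commonly no shared protocol or cipher suite"),
    ("No appropriate protocol",
     "client has no enabled protocol or cipher suite to offer"),
    ("SSLHandshakeException",
     "TLS handshake failed, see the nested cause"),
]

LDAP_RESULT = re.compile(r"LDAP: error code (\d+)")
AD_DATA = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


def classify(line):
    """Return (stage, detail) for one log line, or None if no known failure."""
    for marker, meaning in TLS_FAILURES:
        if marker in line:
            return ("tls-handshake", meaning)
    result = LDAP_RESULT.search(line)
    if result is None:
        return None
    code = int(result.group(1))
    if code != 49:
        return ("ldap-operation", f"result code {code}")
    # A result code is only sent in reply to a request, so on an LDAPS
    # port the TLS session was already established when this was returned.
    data = AD_DATA.search(line)
    if data is None:
        return ("ldap-bind", "result 49 (invalidCredentials), no AD sub-code")
    sub = data.group(1).lower()
    reason = AD_BIND_SUBCODES.get(sub, "unrecognised sub-code")
    return ("ldap-bind", f"result 49 (invalidCredentials), AD data {sub}: {reason}")


def triage(lines):
    """Count classified failures per stage across a log excerpt."""
    stages = (classify(line) for line in lines)
    return dict(Counter(hit[0] for hit in stages if hit is not None))


# Constructed sample input modelled on the exception.log and
# javax.net.debug formats shown in this report.
SAMPLE_LOG = [
    '"Error","ajp-nio-8015-exec-6","05/23/19","12:13:17","","[LDAP: error code 49 - '
    '80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, '
    'data 52e, v3839 ]"',
    "javax.naming.CommunicationException: dc.example.test:3269 [Root exception is "
    "javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find "
    "valid certification path to requested target]",
    "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure",
    '"Information","main","05/23/19","12:00:00","","ColdFusion started"',
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839 ]",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        verdict = classify(entry)
        if verdict is not None:
            print(f"{verdict[0]:14} {verdict[1]}")
    print(triage(SAMPLE_LOG))
```

A "tls-handshake" verdict points at the JVM trust store or its enabled protocols and cipher suites; an "ldap-bind" verdict points at the bind identity or password that was sent.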
Kailash, This is what I saw in the coldfusion-error.log after running the test again using the Windows Server 2019 domain controller:

javax.net.ssl|DEBUG|31|Thread-15|2019-06-01 11:49:22.612 CDT|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
Error: Could not load mediaLib accelerator wrapper classes. Continuing in pure Java mode. Occurs in: com.sun.media.jai.mlib.MediaLibAccessor com.sun.media.jai.mlib.MediaLibLoadException
javax.net.ssl|ERROR|58|ajp-nio-8016-exec-5|2019-06-01 11:51:41.387 CDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290) at java.base/sun.security.validator.Validator.validate(Validator.java:264) at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348) at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216) at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at coldfusion.tagext.net.LdapTag.getContextObj(LdapTag.java:873) at coldfusion.tagext.net.LdapTag.doStartTag(LdapTag.java:735) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3707) at cfgetLDAP2ecfm185475925.runPage(C:\inetpub\shared\testarea\getLDAP.cfm:30) at 
coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:254) at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:505) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151) at coldfusion.CfmServlet.service(CfmServlet.java:223) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:121) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:510) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ... 84 more} )
javax.net.ssl|DEBUG|58|ajp-nio-8016-exec-5|2019-06-01 11:51:41.387 CDT|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|58|ajp-nio-8016-exec-5|2019-06-01 11:51:41.387 CDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)

and in the exception.log I see this:

"Error","ajp-nio-8016-exec-5","06/01/19","11:51:41","","um-dc5.um.umsystem.edu:3269"
javax.naming.CommunicationException: um-dc5.um.umsystem.edu:3269 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237) at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at coldfusion.tagext.net.LdapTag.getContextObj(LdapTag.java:873) at coldfusion.tagext.net.LdapTag.doStartTag(LdapTag.java:735) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3707) at cfgetLDAP2ecfm185475925.runPage(C:\inetpub\shared\testarea\getLDAP.cfm:30) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:254) at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:505) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151) at coldfusion.CfmServlet.service(CfmServlet.java:223) at 
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:121) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:510) at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:642) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) at 
java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348) at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216) ... 66 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290) at java.base/sun.security.validator.Validator.validate(Validator.java:264) at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626) ... 78 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ... 84 more

"Error","ajp-nio-8016-exec-5","06/01/19","11:51:41","pancf.col.missouri.edu.Testarea","An error has occurred while trying to execute query :um-dc5.um.umsystem.edu:3269.One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server. The specific sequence of files included or processed is: C:\inetpub\shared\testarea\getLDAP.cfm, line: 30 "
coldfusion.tagext.net.LdapTagException: An error has occurred while trying to execute query :um-dc5.um.umsystem.edu:3269.
at coldfusion.tagext.net.LdapTag.doStartTag(LdapTag.java:766) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3707) at cfgetLDAP2ecfm185475925.runPage(C:\inetpub\shared\testarea\getLDAP.cfm:30) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:254) at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:737) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:573) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.IpFilter.invoke(IpFilter.java:45) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:505) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at
coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151) at coldfusion.CfmServlet.service(CfmServlet.java:223) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:121) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355) 
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:510) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834) Looks like Java cannot find the root authority to validate the certificate used. Is that how you read these logs? Thanks. Dave
Comment by Dave I.
30859 | June 01, 2019 05:02:50 PM GMT