Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IQ Platform
Known Affected Versions:
7.0.0, 7.0.0.1, 7.0.0.2, 7.1.0
Fixed In:
7.1.0.1
Opened: Nov 06, 2019
Severity: 4-Minor
When you set up an LDAP or Active Directory authentication provider that uses the LDAPS protocol on TCP port 636 with 'Server Certificate Validation' enabled, and then disable Server Certificate Validation in the authentication provider settings, you get an unexpected result: when a user tries to authenticate to BIG-IQ, the authentication fails with the error: Unable to connect to the authentication server. java.security.cert.CertificateException: No subject alternative names present.
User authentication to BIG-IQ fails.
LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then disabled.
There are three potential workarounds:
1. Set up the LDAP or Active Directory authentication provider to use StartTLS on TCP port 389 instead of LDAPS on TCP port 636. Ideally, enable 'Server Certificate Validation'. This is the most secure option.
2. If your LDAP/Active Directory server does not support StartTLS and you need to use LDAPS, set up the authentication provider with 'Server Certificate Validation' enabled. This option is more secure than the next one.
3. If you need to use LDAPS and the authentication provider cannot validate the server certificate, disable certificate validation from the start. If you have already set it up with 'Server Certificate Validation' enabled:
   a. Delete the authentication provider.
   b. Restart restjavad.
   c. Re-create the authentication provider with 'Server Certificate Validation' disabled.
This last option is not recommended, because it is less secure.
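A check that goes with workaround 2: before relying on 'Server Certificate Validation', confirm that the LDAP server's certificate actually names the server address you enter in the provider (host name or IP) in its subjectAltName extension, which is what the quoted "No subject alternative names present" error is about. The Python script below is an added example, not BIG-IQ code or anything published by F5. `fetch_peer_cert`, `san_check` and the two sample certificate dicts are constructed here, and the matching rule in `san_check` is an assumed model of hostname verification, not a reproduction of the Java checker.

```python
import ipaddress
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(); they are not real certificates.
CERT_WITH_SAN: Dict = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.test"),
        ("DNS", "*.corp.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY: Dict = {
    "subject": ((("commonName", "ldap.example.test"),),),
}


def fetch_peer_cert(host: str, port: int = 636,
                    cafile: Optional[str] = None) -> Dict:
    """Open an LDAPS (TLS) connection and return the server certificate in
    getpeercert() form. The chain is still validated against the system
    CAs (or `cafile`), but hostname checking is turned off here so that a
    certificate which would fail the SAN rule can still be inspected.
    Network call; the offline checks below do not use it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # inspect first, judge with san_check()
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_check(cert: Dict, server: str) -> Tuple[bool, str]:
    """Does `cert` name `server` in its subjectAltName extension?

    Assumed model of the rule behind the error on this page: an IP address
    must match an 'IP Address' entry, a DNS name must match a 'DNS' entry
    (a leading '*.' matches exactly one label), and a certificate with no
    SAN extension fails outright. This is deliberately stricter than
    verifiers that still fall back to the subject CN for DNS names, so a
    certificate that passes here does not depend on CN fallback."""
    sans: List[Tuple[str, str]] = list(cert.get("subjectAltName", ()))
    if not sans:
        return False, "No subject alternative names present"

    try:
        wanted_ip = ipaddress.ip_address(server)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for kind, value in sans:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                    return True, f"matched IP Address SAN {value}"
            except ValueError:
                continue  # malformed IP entry in the certificate
        return False, f"No subject alternative names matching IP address {server} found"

    host = server.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True, f"matched DNS SAN {value}"
        if (pattern.startswith("*.")
                and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True, f"matched wildcard DNS SAN {value}"
    return False, f"No subject alternative DNS name matching {server} found"


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    for cert_name, cert in (("CERT_WITH_SAN", CERT_WITH_SAN),
                            ("CERT_CN_ONLY", CERT_CN_ONLY)):
        for server in ("ldap.example.test", "dc1.corp.example.test",
                       "192.0.2.10", "192.0.2.11"):
            ok, why = san_check(cert, server)
            print(f"{cert_name:14} {server:24} {'PASS' if ok else 'FAIL'}: {why}")
```

Against a real server, pass the exact string you type into the provider's server field to `san_check(fetch_peer_cert(server), server)`. If it fails, the certificate is what needs fixing: reissue it with a SAN entry for that name or IP address and keep 'Server Certificate Validation' enabled, rather than falling back to workaround 3.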
This has been fixed. User authentication to BIG-IQ now works correctly when you create an LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled and then disable it.