Question

I am pressing Test Connection in EasySSO NTLM Authenticator and getting this message.

Why is this showing up and how can I fix this? 

Error testing account abcd$

jespa.security.SecurityProviderException: Failed to retrieve property: domain.netbios.name

Caused by:

jespa.security.SecurityProviderException: Failed to retrieve NETLOGON domain trust information

java.net.SocketTimeoutException: connect timed out

Answer

EasySSO uses DNS (an SRV record lookup) to discover the Domain Controllers serving the domain specified in the configuration (for more details see: EasySSO NTLM Authenticator Test Connection domain.netbios.name failure to locate authority for name).

Once domain controllers have been discovered, EasySSO picks one and attempts to find out which TCP port to use for NETLOGON communication.

This is done by connecting to the "RPC Portmapper" (RPC endpoint mapper) service listening on TCP port 135 on the Domain Controller. For each Domain Controller this service returns a high-numbered dynamic port; that port is normally stable for a given controller, but can differ between controllers.

The exception you are getting happens when a firewall between the Domain Controller and the host of the Atlassian application that runs EasySSO does not allow a connection on this high-numbered port.

You can see the IP address of the specific Domain Controller to which the connection is attempted, and the port number, in the jespa.log file, right before the exception with this error message.

Please enable log level 4 - TRACE as described in the How to get the logs article, re-attempt the test, download the log file and review it.

2022-11-07 08:40:16: DNS: 'SRV' record lookup for _ldap._tcp.dc._msdcs.mydomain.org at the default server
2022-11-07 08:40:16: getAuthorityDnsNames: dc2.mydomain.org, dc1.mydomain.org
2022-11-07 08:40:16: DNS: 'A' record lookup for dc2.mydomain.org at the default server
2022-11-07 08:40:16: NETLOGON: Connecting DCERPC handle to ncacn_ip_tcp:192.168.0.11[netlogon] with identity easysso$
2022-11-07 08:40:16: MsrpcEpmMap: ncacn_ip_tcp:192.168.0.11[netlogon] maps to port: 65313
2022-11-07 08:40:16: NETLOGON: Bind successful

The example above is of a successful interaction.

In line 1, EasySSO queries DNS for the SRV record of the domain. DNS has two domain controllers, dc1 and dc2, advertised for domain mydomain.org (line 2). EasySSO picks dc2, resolves its IP address via DNS (line 3) to 192.168.0.11, discovers via the RPC Portmapper service (line 4) that the NETLOGON port for this Domain Controller maps to TCP port 65313 (line 5), and connects to it successfully (line 6).

Since you are looking at this page, your log most likely doesn't have a line similar to line 6 from the example above, as the connection on the NETLOGON port has failed.

You will need to open, on the firewall, the TCP port shown in your log in the line corresponding to line 5 (search for "MsrpcEpmMap"), for all controllers that EasySSO could be talking to in the future. That is, review the list of controllers returned in line 2 and make sure you have found connection attempts to each of them. EasySSO rotates through all discovered Domain Controllers for resiliency, so if you let it run for a while you should be able to verify that every controller is reachable.
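The review described above can be scripted. The following is an added example, not EasySSO or Jespa code: it reads a TRACE-level jespa.log excerpt, collects the controllers advertised in the getAuthorityDnsNames line, the IP and dynamic port reported by each MsrpcEpmMap line, and whether a "NETLOGON: Bind successful" followed, then lists the firewall rules needed (TCP 135 plus each mapped port) and the controllers whose bind was never observed. The sample log is constructed; dc3.mydomain.org and the 192.168.0.12 / 49672 values are placeholders. It assumes that the 'A' record lookup line for a controller is followed by that controller's MsrpcEpmMap line, since the log does not print the hostname next to the IP.

```python
"""Review a jespa.log TRACE excerpt for NETLOGON port discovery.

Added example, not EasySSO/Jespa code. Parses the lines described in the
article: 'getAuthorityDnsNames' (controllers advertised in DNS),
'MsrpcEpmMap' (IP and dynamic NETLOGON port returned by the RPC
endpoint mapper on TCP 135) and 'NETLOGON: Bind successful'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: dc2 binds successfully, dc1 gets a port mapped but
# the bind never succeeds (the symptom in the article), dc3 is advertised
# but never contacted. dc3 / 192.168.0.12 / 49672 are placeholders.
SAMPLE_LOG = """\
2022-11-07 08:40:16: DNS: 'SRV' record lookup for _ldap._tcp.dc._msdcs.mydomain.org at the default server
2022-11-07 08:40:16: getAuthorityDnsNames: dc2.mydomain.org, dc1.mydomain.org, dc3.mydomain.org
2022-11-07 08:40:16: DNS: 'A' record lookup for dc2.mydomain.org at the default server
2022-11-07 08:40:16: NETLOGON: Connecting DCERPC handle to ncacn_ip_tcp:192.168.0.11[netlogon] with identity easysso$
2022-11-07 08:40:16: MsrpcEpmMap: ncacn_ip_tcp:192.168.0.11[netlogon] maps to port: 65313
2022-11-07 08:40:16: NETLOGON: Bind successful
2022-11-07 08:41:02: DNS: 'A' record lookup for dc1.mydomain.org at the default server
2022-11-07 08:41:02: NETLOGON: Connecting DCERPC handle to ncacn_ip_tcp:192.168.0.12[netlogon] with identity easysso$
2022-11-07 08:41:02: MsrpcEpmMap: ncacn_ip_tcp:192.168.0.12[netlogon] maps to port: 49672
2022-11-07 08:41:32: jespa.security.SecurityProviderException: Failed to retrieve NETLOGON domain trust information
"""

AUTH_RE = re.compile(r"getAuthorityDnsNames: (.+)$")
A_RE = re.compile(r"DNS: 'A' record lookup for (\S+) at")
EPM_RE = re.compile(r"MsrpcEpmMap: ncacn_ip_tcp:([\d.]+)\[netlogon\] maps to port: (\d+)")
BIND_RE = re.compile(r"NETLOGON: Bind successful")

EPM_PORT = 135  # RPC endpoint mapper, always needed in addition to the mapped port


@dataclass
class DcStatus:
    host: str
    ip: Optional[str] = None
    port: Optional[int] = None
    bind_ok: bool = False


def analyse(log_text: str) -> List[DcStatus]:
    """Return one DcStatus per controller, in the order DNS advertised them."""
    status = {}          # host -> DcStatus (insertion order = DNS order)
    current_host = None  # host of the most recent 'A' lookup (assumption, see docstring)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            for name in (n.strip() for n in m.group(1).split(",")):
                if name and name not in status:
                    status[name] = DcStatus(host=name)
            continue
        m = A_RE.search(line)
        if m:
            current_host = m.group(1)
            status.setdefault(current_host, DcStatus(host=current_host))
            continue
        m = EPM_RE.search(line)
        if m and current_host:
            status[current_host].ip = m.group(1)
            status[current_host].port = int(m.group(2))
            continue
        if BIND_RE.search(line) and current_host:
            status[current_host].bind_ok = True
    return list(status.values())


def firewall_rules(statuses: List[DcStatus]) -> List[Tuple[str, int]]:
    """(destination IP, TCP port) pairs the firewall must allow from the Atlassian host."""
    rules = []
    for dc in statuses:
        if dc.ip:
            rules.append((dc.ip, EPM_PORT))
            if dc.port:
                rules.append((dc.ip, dc.port))
    return rules


def unverified(statuses: List[DcStatus]) -> List[str]:
    """Controllers for which no successful NETLOGON bind was seen."""
    return [dc.host for dc in statuses if not dc.bind_ok]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for dc in result:
        print(f"{dc.host}: ip={dc.ip} port={dc.port} bind_ok={dc.bind_ok}")
    print("firewall rules needed:", firewall_rules(result))
    print("not yet verified:", unverified(result))
```

Run it against a real TRACE log by replacing SAMPLE_LOG with the file contents; any controller left in the "not yet verified" list either needs its mapped port opened or has not been tried yet, so let EasySSO rotate through the controllers and re-check.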

If your organisation is large, you may see a long list of domain controllers found via the SRV lookup. Large organisations often group these into logical "AD Sites", e.g. "NorthAmerica" vs. "Europe". It is advisable to restrict EasySSO to talking only with Domain Controllers in the site closest to the server that hosts the Atlassian application running EasySSO, e.g. in the same data centre, since a server close to one AD Site often will not be allowed to talk to another AD Site.

This can be done by setting the "AD Site" parameter in EasySSO/NTLM/Advanced Configuration. Please review the articles in our main FAQ: Determining existing AD sites and Choosing the AD Site.

See other solutions

Please review our NTLM Configuring Troubleshooting FAQs.
