

How do I create a connection to a backup Active Directory server

ptc-141591
1-Newbie


I am configuring Intralink 9.1 M030 and have connected to our primary Active Directory server without any problems. Now I want to connect to our backup Active Directory server. I've read the Info*Engine guide and JNDI adapter guide, but can't seem to get it to work. The Info*Engine guide mentions failover capability for LDAP, but I must be missing something critical. I suppose I need to do something on the JNDI side and the Apache side to get this to work. Any help is appreciated.

Also, when our primary AD server went south this week (which is what started this whole thing), Windchill just hung, it never presented the login dialog - we couldn't even log in using a local Windchill account. Is this the way it's supposed to work or could that be a bug?

6 REPLIES

The failure you saw with the AD server unavailable is consistent with what I have seen in the past. If it can't at least talk to the AD server it won't even try to authenticate against Aphelion.

You'll first want to change Apache to authenticate against the backup AD server by changing the setting in <apache>/conf/extra/app-Windchill-Auth.conf and restarting it.

Once Apache is fixed to talk to the backup AD server you should then be able to log in as wcadmin again which should allow you to change the hostname setting in the enterprise JNDI adapter.

That should get you up and running again.

In order to avoid this in the future, I know AD can be configured with a load balancer on the front end; then you don't have to deal with the primary server being unavailable.

I haven't configured AD this way myself, but have installed Windchill integrated with AD at a customer that had AD configured in this manner.

We had a similar problem where they did maintenance on the AD node we were pointing to for our Windchill 8 PROD environment. No one could log in.

I opened a PTC TS call to get a solution. The authentication host is specified in /…/apache22/conf/extra/app-Windchill-Auth.conf as follows

<AuthnProviderAlias ldap windchill-ldap>
    AuthLDAPURL ldap://servername:389/…?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN "CN=plmldap,OU=Users,OU=Global Information Technology,OU=CFO Corporate Secretary,…"
    AuthLDAPBindPassword <passwd>
</AuthnProviderAlias>

PTC TS came back and told me that it wasn't possible to point Apache HTTP server to multiple authentication hosts. However, they offered this ---untested--- JNDI-related fix which I have not tried and don't intend to.

==========
I searched my knowledgebase and found an untested procedure applicable to this call. However, PTC doesn't suggest you do this, as it may raise some conflicts while searching for users.

The procedure is to add multiple JNDI Adapters to Windchill in the app-Windchill-AuthProvider.xml file and the wt.properties file. Each JNDI Adapter will have a different search base, but the users' DNs should be the same if all the Domain Controllers have the same user data and associated DNs.

The probable problem in configuring and applying this in the Windchill environment is that you may get multiple results for the same user while searching for the user in the Principal Administrator window.

I have not implemented and tested this on my machine. If you want to configure this at your end, I would strongly suggest you first test this configuration in your Test Environment and only go to production if it succeeds.
==========

Since you seem to be going in that direction, maybe this info could be useful to you.

I then got in touch with some people closer to R&D and they also confirmed that it was not possible to specify more than one authentication server at the Apache level. I've put in an enhancement request.

At least, if you know that it's the AD server that is down and have another one available as a backup, it's a quick fix to just modify the Apache configuration and get your users working again.
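The two replies above both treat the Apache side as single-host: the first edits the host in app-Windchill-Auth.conf and restarts, the second quotes a provider alias with one server in AuthLDAPURL. Apache's own mod_authnz_ldap documentation accepts a space-separated list of redundant hosts in AuthLDAPURL and tries them in order, reconnecting from the primary when an established connection breaks, so the web login can survive a dead domain controller without a load balancer in front of AD. The fragment below is an added example, not the poster's configuration and not anything from PTC; dc1/dc2.example.com, the base DN, the bind DN, the htpasswd path and the /Windchill location are placeholders. It also wires in a local password file, as a later reply suggests, so site administrators can still authenticate when every DC is unreachable. Two caveats the thread does not spell out: this only covers Apache, and the Windchill-side enterprise JNDI adapter still points at one host; and a plain ldap:// URL on 389, as in the posted config, carries the bind password and every user's password in cleartext, so in production use ldaps:// (or the STARTTLS argument to AuthLDAPURL) once the DC certificates are trusted by the Apache host.

```apache
# Added example; host names, DNs and paths are placeholders, not the
# original poster's values. Requires mod_ldap, mod_authnz_ldap,
# mod_authn_file and (on 2.2) mod_authn_alias.

# Redundant domain controllers: mod_authnz_ldap tries them left to right
# until a connection succeeds and falls back to the next one if it breaks.
<AuthnProviderAlias ldap windchill-ldap>
    AuthLDAPURL "ldap://dc1.example.com:389 dc2.example.com:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=plmldap,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "<passwd>"
    # Production: use ldaps://dc1.example.com:636 ... or append STARTTLS
    # after the URL so credentials are not sent in the clear.
</AuthnProviderAlias>

<Location /Windchill>
    AuthType Basic
    AuthName "Windchill"
    # Break-glass accounts (wcadmin etc.) kept outside AD. Provider order
    # matters: a user absent from the file falls through to LDAP, so the
    # file is consulted first and normal AD users are unaffected.
    AuthUserFile "/opt/ptc/Windchill/apache/conf/wcadmin.htpasswd"
    AuthBasicProvider file windchill-ldap
    Require valid-user
</Location>
```

Create the local file with `htpasswd -c /opt/ptc/Windchill/apache/conf/wcadmin.htpasswd wcadmin` (on 2.4, add `-B` for bcrypt), keep it outside any DocumentRoot and readable only by the Apache service user, and limit it to the handful of administrator accounts you would need during an AD outage. Run `httpd -t` after editing and reload Apache; the JNDI adapter hostname in Windchill is a separate change, as the first reply notes.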

In Reply to Ross Jessen:


Also you can create a password file on the OS for Apache with your administrators so that you bypass AD.

We had the same issue - twice (A/D server went down). I put in a call - message from tech support - no way available to provide for a backup.

If you figure out a way pls post.

I have run into this a few times. Our Primary AD is offsite with a secondary onsite. When the connection goes down between sites, I just create a redirect in the hosts file on our application server pointing any connection to the Primary AD to the onsite secondary. It takes about 5 seconds to set up the redirect, and doesn't require any restart of the servers.

Wow! That’s a great idea!

You might as well go all the way and use an alias all the time. That would be to configure Apache to point to an alias name, let's say "ADserver", and add "ADserver" to your hosts file, pointing to one of the AD servers. That way, if that AD server fails, you modify the hosts file and you don't have a funny situation where your config says it's pointing to a machine while it's actually another that's doing the work.

We have a similar setup for our master server. We have tiered environments and the master is always referred to as an alias (plmbkg) on all the other nodes of the Windchill cluster. The idea behind this is that if a hardware failure happens on the master server, all we need to do is configure another server to be master and modify the hosts files on the other machines to point to this new master, without having to reconfigure all the nodes. One less thing to worry about.



In Reply to Joseph Anderson:
