cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X

integrate Windchill with Active Directory

Go to solution
MS_Santos
14-Alexandrite
14-Alexandrite
‎Jan 30, 2024 05:47 AM
‎Jan 30, 2024 05:47 AM

integrate Windchill with Active Directory

Good morning ,

I am starting to install Windchill server in the company when I get to the part of integrating with Active Directory I am having difficulty, port 389 closes by telnet, I can ping the server with Active Directory, but it always returns the same error would I have something I can do to make this connection?

Labels:
Preview file
33 KB
Preview file
38 KB
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
avillanueva
22-Sapphire II
22-Sapphire II
(To:MS_Santos)
‎Feb 02, 2024 08:45 AM
‎Feb 02, 2024 08:45 AM

I am not sure the server matters in this configuration. You need to find the right search branch level that can see all possible users who will want to connect. I have not done it but you can also setup a Windchill group in AD of folks who can authenticate and be allowed in. How have you been making out?

View solution in original post

0 Kudos
Notify Moderator
9 REPLIES 9
avillanueva
22-Sapphire II
22-Sapphire II
(To:MS_Santos)
‎Jan 30, 2024 07:02 AM
‎Jan 30, 2024 07:02 AM

See if there are any firewall blocks between your server and the AD server. You can download an LDAP browser to test the connection. I believe Softerra is free but never used it. I am sure there are others. You can also test with your own credentials since you should be able to authenticate. Are you sure that Administrator is correct? In my connection to AD, I specified the entire path to my LDAP user like this:

CN=<user>,OU=Service_Accounts,OU=<somegroup>,DC=<my company>,DC=local

Using an LDAP browser will help you get the connection information right.

Notify Moderator
MS_Santos
14-Alexandrite
14-Alexandrite
(To:avillanueva)
‎Jan 30, 2024 09:56 AM
‎Jan 30, 2024 09:56 AM

Another server is not Domain, does it need to be?

0 Kudos
Notify Moderator
avillanueva
22-Sapphire II
22-Sapphire II
(To:MS_Santos)
‎Jan 30, 2024 12:24 PM
‎Jan 30, 2024 12:24 PM

Not sure I understand your question?

0 Kudos
Notify Moderator
MS_Santos
14-Alexandrite
14-Alexandrite
(To:avillanueva)
‎Jan 31, 2024 05:36 AM
‎Jan 31, 2024 05:36 AM

Good morning , I used Softerra as mentioned in the comment above I was able to close with my Active Directory , ports 389 , 3268 or 3269 are open I did a test using TELNET and it was normal , I had to create an OU in my Active Directory and Put a user inside with my administrator is not working. This server I'm setting up isn't added to my Domain, would it be good to add it?

 

In the printout below is the connection and in green the folder I had to create

Preview file
20 KB
Preview file
9 KB
0 Kudos
Notify Moderator
avillanueva
22-Sapphire II
22-Sapphire II
(To:MS_Santos)
‎Feb 02, 2024 08:45 AM
‎Feb 02, 2024 08:45 AM

I am not sure the server matters in this configuration. You need to find the right search branch level that can see all possible users who will want to connect. I have not done it but you can also setup a Windchill group in AD of folks who can authenticate and be allowed in. How have you been making out?

0 Kudos
Notify Moderator
MS_Santos
14-Alexandrite
14-Alexandrite
(To:avillanueva)
‎Feb 02, 2024 12:10 PM
‎Feb 02, 2024 12:10 PM

Hello,

It's giving username and password error , strange that the LDAP file goes with all credentials

0 Kudos
Notify Moderator
mmeadows-3
14-Alexandrite
14-Alexandrite
(To:MS_Santos)
‎Jan 30, 2024 12:37 PM
‎Jan 30, 2024 12:37 PM

I'm assuming this is 12.0 or later, where Windchill doesn't need an LDAP.

 

Start by installing Apache Directory Studio on your computer and validating the LDAP connection information.  Apache Directory Studio is free and it walks you through the connection so you can confirm everything you were given by IT.  Once you are confident the values work, then install Windchill.  You can install it on the Windchill server if IT lets you.  That is the ultimate validation to confirm LDAP related ports aren't being blocked.

 

LDAP Server name: This can be an LDAP server or load balancer.  It should reside close to the Windchill server for performance and stability reasons.

LDAP Port: (3268 or 3269)  These are the global catalog ports.  In general, we don't use ports 389 or 636 with Active Directory.

LDAP Protocol: (ldap or ldaps)  Microsoft recommends LDAPS since 2020.  If it is LDAPS, you also need to load the LDAP certificate in the Java keystore (jssecacerts).

User account for searching Active Directory: This account has read permissions to the entire LDAP.

User account Password: 

Search Base: All users and groups exposed to Windchill must reside below this DN.

 

In addition to these, you should also have:

The Windchill site administrator account defined in Active Directory.

A group defined in Active Directory that only includes Windchill user accounts.  This acts as a filter for excluding users who shouldn't be using Windchill.

 

Notify Moderator
jbailey
17-Peridot
17-Peridot
(To:MS_Santos)
‎Jan 30, 2024 07:40 PM
‎Jan 30, 2024 07:40 PM

Ping may be off for security reasons. Are they using ldaps? if it is ldaps, you will need the cert for the domain controller / AD server in the java keystore, and connect over port 636.

 

Apache has a free directory browser, but you will still need the proper connection string...

https://directory.apache.org/studio/

 

To easily test if it is listening on LDAPS .. .go to a machine with Openssl (like your Windchill machine) and in a command prompt type

openssl s_client -connect <AD Server FQDN>:636

If it responds with a cert, it is likely that the standard ldap port (389) is closed and you will have to connect over ldaps. The return of that command will return the server certificate in pem format that you can add to a text file and import into your Windchill java keystore. Additionally, AD may be configured to require a bind username. If that's the case, any connection you make to AD will require an AD username/password to connect and that would be set in the apache config and mapcredentials.

0 Kudos
Notify Moderator
MS_Santos
14-Alexandrite
14-Alexandrite
(To:jbailey)
‎Jan 31, 2024 05:38 AM
‎Jan 31, 2024 05:38 AM

Good morning , I used Softerra as mentioned in the comment above I was able to close with my Active Directory , ports 389 , 3268 or 3269 are open I did a test using TELNET and it was normal , I had to create an OU in my Active Directory and Put a user inside with my administrator is not working. This server I'm setting up isn't added to my Domain, would it be good to add it?

In the printout below is the connection and in green the folder I had to create

Preview file
9 KB
0 Kudos
Notify Moderator
Announcements

Contact Community Management
Top Tags