
integrate Windchill with Active Directory

MS_Santos
13-Aquamarine

Good morning ,

I am starting to install the Windchill server in the company. When I get to the part about integrating it with Active Directory I am having difficulty: port 389 shows as closed by telnet. I can ping the server with Active Directory, but it always returns the same error. Is there something I can do to make this connection work?

1 ACCEPTED SOLUTION

Accepted Solutions
avillanueva
22-Sapphire I
(To:MS_Santos)

I am not sure the server matters in this configuration. You need to find the right search branch level that can see all possible users who will want to connect. I have not done it, but you can also set up a Windchill group in AD of folks who can authenticate and be allowed in. How have you been making out?

9 REPLIES
avillanueva
22-Sapphire I
(To:MS_Santos)

See if there are any firewall blocks between your server and the AD server. You can download an LDAP browser to test the connection. I believe Softerra is free, but I have never used it. I am sure there are others. You can also test with your own credentials, since you should be able to authenticate. Are you sure that Administrator is correct? In my connection to AD, I specified the entire path to my LDAP user, like this:

CN=<user>,OU=Service_Accounts,OU=<somegroup>,DC=<my company>,DC=local

Using an LDAP browser will help you get the connection information right.

MS_Santos
13-Aquamarine
(To:avillanueva)

The other server is not in the domain; does it need to be?

avillanueva
22-Sapphire I
(To:MS_Santos)

Not sure I understand your question?

MS_Santos
13-Aquamarine
(To:avillanueva)

Good morning, I used Softerra as mentioned in the comment above and I was able to connect to my Active Directory; ports 389, 3268 and 3269 are open. I did a test using TELNET and it was normal. I had to create an OU in my Active Directory and put a user inside; with my administrator it is not working. This server I'm setting up isn't added to my domain; would it be good to add it?

 

In the printout below is the connection, and in green the folder I had to create.

MS_Santos
13-Aquamarine
(To:avillanueva)

Hello,

It's giving a username and password error; strange, since the LDAP file goes with all the credentials.

mmeadows-3
13-Aquamarine
(To:MS_Santos)

I'm assuming this is 12.0 or later, where Windchill doesn't need an LDAP.

 

Start by installing Apache Directory Studio on your computer and validating the LDAP connection information. Apache Directory Studio is free, and it walks you through the connection so you can confirm everything you were given by IT. Once you are confident the values work, then install Windchill. You can install it on the Windchill server if IT lets you. That is the ultimate validation to confirm LDAP-related ports aren't being blocked.

 

LDAP Server name: This can be an LDAP server or load balancer.  It should reside close to the Windchill server for performance and stability reasons.

LDAP Port: (3268 or 3269)  These are the global catalog ports.  In general, we don't use ports 389 or 636 with Active Directory.

LDAP Protocol: (ldap or ldaps)  Microsoft has recommended LDAPS since 2020.  If it is LDAPS, you also need to load the LDAP certificate into the Java keystore (jssecacerts).

User account for searching Active Directory: This account has read permissions to the entire LDAP.

User account Password: 

Search Base: All users and groups exposed to Windchill must reside below this DN.

 

In addition to these, you should also have:

The Windchill site administrator account defined in Active Directory.

A group defined in Active Directory that only includes Windchill user accounts.  This acts as a filter for excluding users who shouldn't be using Windchill.
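The accepted answer says the search base must sit above every user who will log in, and the list above says all users and groups exposed to Windchill must reside below that DN and that an AD group should act as a membership filter. The following is an added example, not PTC's or any poster's code, that checks a set of user DNs against a search base with RDN-aware comparison (a plain string-suffix test would wrongly accept `DC=notmycompany,DC=local` as being under `DC=mycompany,DC=local`) and builds the group-restricted lookup filter with RFC 4515 escaping so a login name typed into a form cannot alter the filter. The DNs, OU names, group name and attribute names used here are assumptions modelled on the thread, not values from any real directory.

```python
"""Check that every Windchill user DN lies below the configured search base,
and build an injection-safe lookup filter restricted to the Windchill AD group.

Added example, not PTC's code. All DNs, OU/group names and the sample users
below are assumptions (constructed data) modelled on the thread.
"""
import re

# RFC 4514: RDNs are separated by commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return the DN as a list of (type, value) pairs, most specific RDN first.

    Attribute types are case-insensitive, and AD compares DN values
    case-insensitively too, so both are lowercased. An escaped comma
    (\\,) inside a value is kept as a literal comma.
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition('=')
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.replace('\\,', ',').lower()))
    return rdns


def dn_under_base(dn, base):
    """True if `dn` is `base` itself or lies anywhere below it.

    Whole RDNs are compared, so 'DC=mycompany,DC=local' does not match
    'CN=x,DC=notmycompany,DC=local' even though it is a string suffix of it.
    """
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def users_outside_base(user_dns, base):
    """Return the user DNs that a Windchill search rooted at `base` can never see."""
    return [dn for dn in user_dns if not dn_under_base(dn, base)]


# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a user-supplied value (for example a login name) for use in an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def windchill_user_filter(login, windchill_group_dn):
    """Filter that finds the AD account `login` only if it is a direct member of the
    Windchill group. sAMAccountName is the AD login attribute; memberOf holds the DN
    of each group the account belongs to (direct membership only, assumed sufficient).
    """
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(login)})"
        f"(memberOf={escape_filter_value(windchill_group_dn)}))"
    )


if __name__ == "__main__":
    # Constructed sample data; the layout mirrors the DN shown earlier in the thread.
    SEARCH_BASE = "OU=Windchill,DC=mycompany,DC=local"
    USERS = [
        "CN=wcadmin,OU=Service_Accounts,OU=Windchill,DC=mycompany,DC=local",
        "CN=jdoe,OU=Engineering,DC=mycompany,DC=local",          # outside the base
        "CN=Doe\\, Jane,OU=Windchill,DC=mycompany,DC=local",     # escaped comma in CN
        "CN=ghost,OU=Windchill,DC=notmycompany,DC=local",        # string-suffix trap
    ]
    for dn in users_outside_base(USERS, SEARCH_BASE):
        print("not visible from search base:", dn)
    print(windchill_user_filter("jdoe", "CN=Windchill_Users,OU=Groups,DC=mycompany,DC=local"))
    # A hostile login name is neutralised rather than widening the search:
    print(windchill_user_filter("*)(sAMAccountName=*", "CN=Windchill_Users,OU=Groups,DC=mycompany,DC=local"))
```

Run it as a script to see which sample users a search rooted at the chosen base would miss, which is the situation the accepted answer describes. The filter builder is the part to keep in mind when the group filter is wired into a login flow: the `memberOf` clause does what the recommended AD group is for, and the escaping keeps a login value such as `*)(sAMAccountName=*` from turning the lookup into a wildcard match.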

 

jbailey
17-Peridot
(To:MS_Santos)

Ping may be off for security reasons. Are they using LDAPS? If it is LDAPS, you will need the cert for the domain controller / AD server in the Java keystore, and connect over port 636.

 

Apache has a free directory browser, but you will still need the proper connection string...

https://directory.apache.org/studio/

 

To easily test if it is listening on LDAPS, go to a machine with OpenSSL (like your Windchill machine) and in a command prompt type

openssl s_client -connect <AD Server FQDN>:636

If it responds with a cert, it is likely that the standard LDAP port (389) is closed and you will have to connect over LDAPS. That command returns the server certificate in PEM format, which you can add to a text file and import into your Windchill Java keystore. Additionally, AD may be configured to require a bind username. If that's the case, any connection you make to AD will require an AD username/password to connect, and that would be set in the Apache config and mapcredentials.
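The post above describes a manual procedure: telnet to the LDAP ports, run `openssl s_client` against 636 to get the PEM certificate, then import it into the Java keystore. The script below is an added example, not PTC's or the poster's code, that does the same steps from one place: it probes the four ports named in this thread, fetches the LDAPS server certificate with Python's standard `ssl` module (the same TLS handshake `openssl s_client` performs), saves it as PEM, and prints the `keytool` command that imports it into `jssecacerts`. The host name, the PEM file name, the keystore alias and the keystore password `changeit` are placeholders (assumptions); the port numbers and the `jssecacerts` file name come from the thread.

```python
"""Probe the AD ports discussed in the thread, fetch the LDAPS server certificate,
and emit the keytool command that imports it into the Windchill Java keystore.

Added example, not PTC's code. Host, PEM path, alias and the keystore password
'changeit' are placeholders (assumptions); 389/636/3268/3269 and jssecacerts
are the values named in the thread.
"""
import socket
import ssl
import sys

AD_PORTS = {
    389: "LDAP",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}


def probe_port(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (the same thing the telnet test checks).

    A refused or filtered port, or an unresolvable host, yields False instead of an exception.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_server_cert(host, port=636):
    """Return the server's certificate as a PEM string, without chain validation.

    Validation is deliberately skipped: this is the bootstrap step that obtains the
    certificate the keystore does not trust yet. Confirm its fingerprint with the AD
    team out of band before importing it, otherwise a man-in-the-middle on the
    path to the DC could hand you its own certificate to trust.
    """
    return ssl.get_server_certificate((host, port))


def keytool_import_command(pem_path, keystore, alias, storepass):
    """argv for importing the PEM into the keystore the JVM consults (jssecacerts).

    -noprompt skips the interactive "Trust this certificate?" question, so only
    call this after the fingerprint has been checked.
    """
    return [
        "keytool", "-importcert", "-noprompt", "-trustcacerts",
        "-file", pem_path,
        "-keystore", keystore,
        "-alias", alias,
        "-storepass", storepass,
    ]


def main(host, keystore="jssecacerts"):
    for port, name in AD_PORTS.items():
        state = "open" if probe_port(host, port) else "closed/filtered"
        print(f"{name:<24} {port:>5}: {state}")
    if not probe_port(host, 636):
        print("636 is not reachable; nothing to import", file=sys.stderr)
        return 1
    pem = fetch_server_cert(host, 636)
    pem_path = f"{host}-636.pem"           # placeholder file name
    with open(pem_path, "w") as fh:
        fh.write(pem)
    print("saved server certificate to", pem_path)
    print("import with:", " ".join(keytool_import_command(pem_path, keystore, host, "changeit")))
    return 0


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe_ad.py <AD server FQDN> [keystore]", file=sys.stderr)
        sys.exit(2)
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "jssecacerts"))
```

Two practical notes. The keystore must be the one the Windchill JVM actually reads: `jssecacerts` in the JRE's security directory is picked up automatically, but a file with that name in the current directory is not, so pass the full path. And if the domain controller's certificate was issued by an internal CA, importing that CA's certificate instead of the leaf avoids redoing the import every time the DC certificate is renewed; the leaf is still what this script fetches, matching the procedure in the post.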
