CChris 58 Posted February 11, 2019

Hi all,

I am pretty new to Emby - and I am using it on my Synology DS218+.
On my Synology, I have also installed the ActiveDirectoryServer and done the setup for a domain.
Now, I'm trying to connect my Emby installation with LDAP, but I am not able to get it working :-(

This is how I set up the LDAP Plugin in Emby:

When I try to log in with one of my AD Users, I am getting the following error in the Logs:

    2019-02-11 17:12:33.133 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.0.1.0
    Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
    Operating system: Unix 4.4.59.0
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: False
    Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
    Processor count: 2
    Program data path: /var/packages/EmbyServer/target/var
    Application directory: /volume1/@appstore/EmbyServer/releases/4.0.1.0
    Novell.Directory.Ldap.LdapException: LdapException: Strong Authentication Required (8) Strong Authentication Required
    LdapException: Server Message: BindSimple: Transport encryption required.
    LdapException: Matched DN:
    Source: mscorlib
    TargetSite: Void Throw()
       at Novell.Directory.Ldap.LdapResponse.ChkResultCode () [0x00019] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.ChkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response) [0x00031] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.Bind (System.Int32 version, System.String dn, System.Byte[] passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00045] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.Bind (System.Int32 version, System.String dn, System.String passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x0000c] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000fb] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0
    LdapException: Strong Authentication Required (8) Strong Authentication Required
    LdapException: Server Message: BindSimple: Transport encryption required.
    LdapException: Matched DN:

As far as I know, this seems to be an issue that Synology is using TLS...
Any ideas how I can get this solved?
Do I need to change something in my Synology NAS?

Any help would be much appreciated.

Thanks and with best regards,
Christoph

CChris 58 Posted February 11, 2019 Author

I've now done some changes on my Synology...

1) System Settings -> Security -> extended -> TLS/SSL Profiles -> Userdefined

There, I have activated the backward compatibility for the ActiveDirectoryServer.

After restarting Emby, and changing the Settings in Emby to use Port 636 and "enable SSL", I now get the following Error in the Logs:

    2019-02-11 17:46:33.128 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.0.1.0
    Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
    Operating system: Unix 4.4.59.0
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: False
    Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
    Processor count: 2
    Program data path: /var/packages/EmbyServer/target/var
    Application directory: /volume1/@appstore/EmbyServer/releases/4.0.1.0
    System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
     ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /source/mono/external/boringssl/ssl/handshake_client.c:1132
       at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
       at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
       at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0
       --- End of inner exception stack trace ---
       at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0
    Source: mscorlib
    TargetSite: Void Throw()
       at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0
       at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0
    InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /source/mono/external/boringssl/ssl/handshake_client.c:1132
    Source: mscorlib
    TargetSite: Void Throw()
       at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
       at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
       at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0

Luke 37178 Posted February 12, 2019

Hi, what kind of SSL cert are you using on the active directory server?

CChris 58 Posted February 12, 2019 Author

Hi,

right now I'm using the default self-signed certificate which is created by the Synology when the domain is created.

-- Edit:
I just tried to use some Let's Encrypt certificates which I have created for some other sub-domains which are available on my Synology.
But when using them, I'm getting another error:

    Novell.Directory.Ldap.LdapException: LdapException: Unable to connect to server localhost:636 (91) Connect Error
    System.Net.Sockets.SocketException (0x80004005): Connection refused

And for the AD Domain itself I can't create any Let's Encrypt certificate...

Edited February 12, 2019 by CChris

Luke 37178 Posted February 12, 2019

Ok so the self-signed cert is being rejected. We have added configuration to override this in a test version of the plugin:

https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=697229

A user has reported that it's not working, but we'll take another look at it soon, so you can participate there. Thanks.

CChris 58 Posted February 14, 2019 Author

Hi @Luke,

I already posted in the other topic, but I will also keep this topic updated:

1) Using the newer LDAP.dll provided in the topic https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=697229 did not work for me.
2) I've switched to a Let's Encrypt certificate, but I'm getting the same error in the Logs as with the self-signed certificate.
3) I've installed Emby locally on my computer and connected to my NAS - finally, this worked well with the current certificate setup...

So all in all, it seems to be only an issue when Emby and ActiveDirectory are running on the same (Linux) machine?

Luke 37178 Posted February 14, 2019

I suppose that's possible, yes. Thanks for the info.

CChris 58 Posted February 15, 2019 Author

Hi @Luke,

today I did another test. I've installed Emby server on another Synology DiskStation, which is connected to my AD as a client machine.
After applying the same Settings as for my working Windows test server, I've tried to log in a user from the AD - and:
I'm getting the same error as on my other DiskStation:

    Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

I am still using a Let's Encrypt certificate.
So, it is not only an issue when Emby is running on the same machine, but it's more likely an issue with the OpenSSL implementation.
In the other topic, I have linked to a topic on Stack Overflow, where I was able to find a discussion about the mono.btls provider: https://stackoverflo...nssl-internalce
It might be worth changing the provider from btls to legacy?

Luke 37178 Posted February 15, 2019

Wait so you're saying this is fully working on Windows?

CChris 58 Posted February 15, 2019 Author

Yes, it is working on my Windows machine when I'm using the LDAP server on my Synology NAS.

I have the following setup:

NAS_1 (embyServer, ADServer)
- Emby cannot connect to the AD due to the error shown above

NAS_2, connected to the AD Server on NAS_1 (embyServer)
- Emby cannot connect to the AD on NAS_1 due to the error shown above

Local Windows Machine, connected to the AD Server on NAS_1 (embyServer)
- Emby can connect to the AD and works as expected, even with limitation to a specific user group

Edit:
I will try to set up another scenario this weekend, using only the DirectoryServer (LDAP) on one of my NAS...
Maybe there are some more options available than in the ActiveDirectoryServer implementation of Synology.

Edited February 15, 2019 by CChris

Luke 37178 Posted February 15, 2019

Interesting, thanks for the info.

solabc16 379 Posted February 21, 2019

Hello @CChris

We'll have other problems if we switch to 'legacy', we need to find out why the certificate validation is failing in this specific scenario. At least when not using a self-signed certificate.

It is of course working correctly for Emby Server's basic functions, such as checking for updates and accessing metadata providers.

Best
- James

CChris 58 Posted February 22, 2019 Author

Hi,

Is there anything I can provide to YouTube for assistance?

Luke 37178 Posted February 23, 2019

To youtube?

CChris 58 Posted February 23, 2019 Author

Sorry - to you. Autocorrection from my phone. Haven't noticed this tonight.

CChris 58 Posted March 17, 2019 Author

Hi there,

any update on this?
Is there more information you might need from my side?

solabc16 379 Posted March 17, 2019

Hello @CChris

To confirm, you are still seeing this on your DS218+ running the latest stable 4.0.3.0?

Best
- James

CChris 58 Posted March 17, 2019 Author

I haven't tried the LDAP plugin with this version, since there was no announcement that something has been fixed in 4.0.3.0 related to this part.
I will test it and give you feedback soon.

CChris 58 Posted March 17, 2019 Author

yep, still the same:

    2019-03-17 23:03:48.102 Info HttpServer: HTTP POST http://media.caina.de:8096/emby/Users/authenticatebyname. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
    2019-03-17 23:03:48.395 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.0.3.0
    Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
    Operating system: Unix 4.4.59.0
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: False
    Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
    Processor count: 2
    Program data path: /var/packages/EmbyServer/target/var
    Application directory: /volume1/@appstore/EmbyServer/releases/4.0.3.0
    System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
     ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /source/mono/external/boringssl/ssl/handshake_client.c:1132
       at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
       at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
       at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0
       --- End of inner exception stack trace ---
       at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <3d2456253cbd47f6ad5ba9987b1fa974>:0
    Source: mscorlib
    TargetSite: Void Throw()
       at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <39ed1d1bd22847048d5b976675e00ec8>:0
       at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <3d2456253cbd47f6ad5ba9987b1fa974>:0
    InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /source/mono/external/boringssl/ssl/handshake_client.c:1132
    Source: mscorlib
    TargetSite: Void Throw()
       at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
       at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
       at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
       at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0

Edited March 17, 2019 by CChris

solabc16 379 Posted March 18, 2019

Hello @CChris

Thanks for the above, it was mainly a sanity check to make sure I still had the right picture.

The next stable for your platform will see a change of runtime environment. So I suggest we hang fire and re-evaluate at this point, I don't expect this to be in the too distant future.

Best
- James

CChris 58 Posted March 19, 2019 Author

change from mono to net.core?
I will keep an eye on this

solabc16 379 Posted March 19, 2019

...indeed, that's what's around the corner.

Best
- James

CChris 58 Posted April 30, 2019 Author

Hi,

I've just updated to the latest stable today (4.1.0.26 / 4.1.1.0) and wanted to say that my LDAP is now working as expected.
Thanks a lot

Luke 37178 Posted April 30, 2019

Thanks for the feedback !

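
The three failure signatures that appear in this thread (LDAP result code 8 on a simple bind without transport encryption, CERTIFICATE_VERIFY_FAILED during the TLS handshake on port 636, and a refused connection) point to different layers and can be told apart mechanically. The triage script below is an added example, not code from Emby or its LDAP plugin; the rule and function names are hypothetical, and the sample log is constructed from shortened excerpts of the reports above (the third timestamp is invented, since the thread gives none).

```python
import re
from dataclasses import dataclass

# Constructed sample: shortened excerpts of the three error reports quoted in
# this thread. The third timestamp is invented; the thread gives none.
SAMPLE_LOG = """\
2019-02-11 17:12:33.133 Error UserManager: Error authenticating with provider LDAP
Novell.Directory.Ldap.LdapException: LdapException: Strong Authentication Required (8) Strong Authentication Required
LdapException: Server Message: BindSimple: Transport encryption required.
2019-02-11 17:46:33.128 Error UserManager: Error authenticating with provider LDAP
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
2019-02-12 09:00:00.000 Error UserManager: Error authenticating with provider LDAP
Novell.Directory.Ldap.LdapException: LdapException: Unable to connect to server localhost:636 (91) Connect Error
System.Net.Sockets.SocketException (0x80004005): Connection refused
"""

@dataclass
class Finding:
    timestamp: str
    cause: str
    advice: str
    target: str = ""  # host:port when the report names one

# Hypothetical rule names; the first matching rule wins.
RULES = [
    ("cleartext_bind_refused",
     re.compile(r"Strong Authentication Required \(8\)|Transport encryption required"),
     "Directory refuses a simple bind without transport encryption; use LDAPS or StartTLS."),
    ("server_cert_rejected",
     re.compile(r"CERTIFICATE_VERIFY_FAILED"),
     "Client TLS stack rejected the server certificate; check issuer trust in the "
     "runtime's store, the host name used to connect, and expiry."),
    ("port_unreachable",
     re.compile(r"\(91\) Connect Error|Connection refused"),
     "Nothing accepted the TCP connection; confirm the LDAPS listener is running."),
]

EVENT_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) Error UserManager: "
                         r"Error authenticating with provider LDAP")
TARGET = re.compile(r"Unable to connect to server (\S+:\d+)")

def triage(log_text):
    """Return one Finding per failed LDAP authentication event in the log."""
    findings = []
    ts, body = None, []

    def flush():
        # Classify the event collected so far, if there is one.
        if ts is None:
            return
        text = "\n".join(body)
        target = TARGET.search(text)
        for cause, pattern, advice in RULES:
            if pattern.search(text):
                findings.append(Finding(ts, cause, advice, target.group(1) if target else ""))
                return
        findings.append(Finding(ts, "unclassified", "Read the full error report."))

    for line in log_text.splitlines():
        start = EVENT_START.match(line)
        if start:
            flush()
            ts, body = start.group(1), []
        elif ts is not None:
            body.append(line)
    flush()
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.timestamp, f.cause, f.target, "->", f.advice)
```
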