FME Flow Troubleshooting: Windows Active Directory

Liz Sanderson

Full Guide: FME Flow Troubleshooting Guide

Are you encountering issues configuring FME Flow (formerly FME Server) for Windows Active Directory? Please read below for some common troubleshooting tips, questions, and resources.

In 2023, FME Server underwent a name change and is now known as FME Flow. Since this article discusses features present in previous versions of FME, it will refer to both names interchangeably, using the appropriate product name based on the year the feature was introduced. For more information on the rebranding, see our website.

Initial Troubleshooting

  • Have you followed all the configuration steps? (This doc is for the most recent FME version; please use the correct version for your installation.)

  • If you can log in by typing in your credentials and are having problems logging in using SSO only, please review this troubleshooting guide instead.

  • If you are using 2018.0 or prior, the username is case-sensitive, so confirm it is being entered exactly as it displays in the web interface after being imported.

  • Is it just one user who can’t log in, or all users?

  • Have you checked in the log files? In particular check the fmeserver.log for messages with '(Active Directory)' or '(Single Sign-On)'. These files are located in <FMEFlowFileShare>/Resources/Logs/Core. See the Authentication Failures section below for resolutions to common errors.

Authentication Failures

SASL (Authentication Method) and GSSAPI (SASL Mechanism)

(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) caused by KrbException: Pre-authentication information was invalid (24) caused by KrbException: Identifier doesn't match expected value (906)'

OR

(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Client not found in Kerberos database (6) caused by KrbException: Client not found in Kerberos database (6) caused by KrbException: Identifier doesn't match expected value (906)')"

SASL (Authentication Method) and GSSAPI (SASL Mechanism)

ERROR main 408010 : (Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Message stream modified (41) caused by KrbException: Message stream modified (41)')"
ERROR main 408003 : (Active Directory) Failed to connect to an available server, or no servers were available.
FATAL main 405405 : Security Manager init FAILED

 

SASL Authentication (Kerberos V5)

(Active Directory) Authenticating user "..." using SASL mechanism "GSSAPI" with KDC address "..." and realm "..."...
(Active Directory) Successfully established a new connection to "...".

The above message may appear multiple times.

(Active Directory) Failed to authenticate user.

 

SASL Authentication (Kerberos V5)

(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Clock skew too great (37) caused by KrbException: Clock skew too great (37) caused by KrbException: Identifier doesn't match expected value (906)')"
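A triage sketch for the log check described above, as an added example that is not part of the original article or the product's own code: it pulls the LDAP result code, Kerberos error code and AD diagnostic data out of tagged fmeserver.log lines and counts each combination, so a single-user failure can be told apart from a repeated one. The sample lines are constructed from the messages quoted in this article, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shortened from the messages quoted in this article.
SAMPLE_LOG = """\
ERROR main 408010 : (Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='... LoginException: Message stream modified (41) caused by KrbException: Message stream modified (41)')"
ERROR main 408003 : (Active Directory) Failed to connect to an available server, or no servers were available.
(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='... LoginException: Clock skew too great (37) caused by KrbException: Clock skew too great (37)')"
(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='... LoginException: Clock skew too great (37) caused by KrbException: Clock skew too great (37)')"
(Directory Server) Exception: "LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090346: LdapErr: DSID-0C090590, comment: AcceptSecurityContext error, data 80090346, v2580 ')"
FATAL main 405405 : Security Manager init FAILED
"""

TAG = re.compile(r"\((Active Directory|Single Sign-On|Directory Server)\)")
LDAP = re.compile(r"resultCode=(\d+) \(([^)]*)\)")
KRB = re.compile(r"LoginException: (.+?) \((\d+)\)")
AD_DIAG = re.compile(r"LdapErr: (DSID-[0-9A-Fa-f]+), comment: (.*?), data ([0-9A-Fa-f]+)")

def parse_line(line):
    """Return the authentication fields found on one log line, or None if untagged."""
    tag = TAG.search(line)
    if not tag:
        return None
    rec = {"tag": tag.group(1), "ldap": None, "kerberos": None, "ad_data": None}
    if m := LDAP.search(line):
        rec["ldap"] = (int(m.group(1)), m.group(2))       # (code, name)
    if m := KRB.search(line):
        rec["kerberos"] = (int(m.group(2)), m.group(1))   # (code, reason)
    if m := AD_DIAG.search(line):
        rec["ad_data"] = (m.group(1), m.group(3), m.group(2))  # (DSID, data, comment)
    return rec

def summarize(log_text):
    """Count tagged lines by (tag, LDAP code, Kerberos code, AD data value)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["tag"],
               rec["ldap"][0] if rec["ldap"] else None,
               rec["kerberos"][0] if rec["kerberos"] else None,
               rec["ad_data"][1] if rec["ad_data"] else None)
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

To run it against a real log, pass the contents of fmeserver.log from <FMEFlowFileShare>/Resources/Logs/Core to `summarize` in place of the sample.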

Common Issues/Questions

“After saving my Active Directory Configuration, it fails to connect when using SSL Encryption Method=SSL”

In the Active Directory page, I see the status of my connection is unavailable and reports the error:

An error occurred while communicating with directory server (81)

In the fmeserver.log I see additional (Active Directory) errors relating to an SSL Handshake Exception. This indicates FME failed to verify the SSL Certificate because the Certificate Authority was not trusted. This error can be resolved by importing the CA Certificate. Please see the documentation for more information about this error and instructions on importing this certificate.

“FME is unable to use SASL Authentication for my Active Directory connection”

The fmeserver.log reports the error:

(Active Directory) Not using SASL for authentication, because configuration is incomplete.

This error occurs when Authentication Method = SASL but the Realm was not explicitly set to a fully-qualified domain name. Please see the documentation for how to resolve this issue.

 

“The fmeserver.log reports I am using an unsupported SASL Mechanism”

Using the SASL Authentication method, I cannot connect to my Active Directory.

(Active Directory) SASL mechanism "..." is not supported by Active Directory server.

Please review our documentation for more information on how you can find out what SASL mechanisms are supported by an Active Directory Server.

 

“Is it possible to use Azure Active Directory or SAML Authentication for FME Flow security?”

Yes! Azure Active Directory was added in 2021.2 and SAML was introduced in 2022.0.

 

“How can I add a new Active Directory user to FME Flow after I have configured FME Flow?”

After you have set up FME Flow to successfully connect with your Active Directory Controller you must import the users that you wish to have access to FME Flow. You can read more about this in our documentation.

 

“Does FME support a connection to Active Directory via a group managed service account (gMSA)?”

This question was first asked on the Community. Testing showed it is not currently possible to connect to an Active Directory using a gMSA as the Search Account, or to import a gMSA as an FME Flow User.

 
“In FME Server 2019 I am seeing an 'Important System Message' pop up every time I access FME Server”

In FME Server 2019 we discovered a critical security vulnerability. To find out more about whether your version is affected and to deploy the appropriate patch, please see this article.

If you have installed the patch but are still constantly seeing the broadcast message please check out the FAQ section in the article linked above for steps on how to stop this pop-up from displaying.
 

"In FME Server 2020 when I try and import an active directory user I get a duplicate key error"

This issue occurred in FME 2020.0 and was resolved in FME 2020.0.2. It is apparent after a Restore that contains users that have since been renamed, moved or deleted from Active Directory. Please see this article for more information.


"After setting up a Connection to my Active Directory, when I try and import a user or group I get a null object error"

A null object was provided where a non-null object is required (non-null index 0). Thread stack trace: getStackTrace(Thread.java:1559) / ensureNotNull(Validator.java:61) / createSubstringFilter(Filter.java:633) / searchUsers(FMEUidActiveDirectoryConnection.java:948) / searchForUsers(LdapSearchServer.java:366) / executeRequest(SecurityRequestsDispatcher.java:1274) / handleRequestSecurity(FMEServer.java:507) / handleFMEServerClientRequest(FMEServer.java:368) / handleFMEServerClientRequest(RequestHandler.java:98) / processClientRequest(RequestHandlerBase.java:856) / readClientRequest(RequestHandlerBase.java:589) / handleClientRequest(RequestHandlerBase.java:772) / run(RequestHandlerBase.java:946) / run(Thread.java:748).

Prior to 2020.2, FME Server only worked with Microsoft Active Directory. If you are using another LDAP with an older version, you'll be able to successfully save the connection details but will run into this error once you try to import users or groups. See this idea for more.

"FME is unable to communicate with my Active Directory Server"

After adding your Active Directory connection in the web UI, the status is "An error occurred while communicating with directory server (8)" and the fmeserver.log reports Active Directory errors:

Exception: "00002028: LdapErr: DSID-0C09027F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839"

Your AD server is likely set up with SSL. You'll need to make sure the connection details in FME are set to use port 636 and you have followed these instructions to import the AD SSL certificate into FME Flow's trusted cacerts.
 
After configuring with Active Directory and adding users you try to log in and see this error in the fmeserver.log:
(Directory Server) Exception: "LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090346: LdapErr: DSID-0C090590, comment: AcceptSecurityContext error, data 80090346, v2580 ', ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb)"

If you are using FME Flow 2023.2.4 or earlier, this is the result of Channel Binding being set to Always, which is not supported. As of FME Flow 2024.0+, LDAP Channel Binding for Active Directory configurations is supported, and we encourage users who require this to upgrade.

 

Other Resources

Documentation
FME Flow Administrator Training

 

Are you still experiencing issues?

Please consider posting to the FME Community if you are still experiencing issues that are not addressed in this article. There are also different support channels available.

 

Have ideas on how to improve this?

You can add ideas or product suggestions to our Ideas Forum.
