
Windchill Basic authentication and SSO together

tchao
4-Participant


Has anyone set up your WC environment to have some users using Basic Authentication and some users using SSO?

There is a PTC KB article that says it is doable, but it does not provide the steps.

Has anyone ever done this kind of configuration?

jbailey
17-Peridot
(To:tchao)

It can be done... What is the use case?

Do you have a SAML IdP in your organization already (either internal or third party)?

Hi @jbailey 

I have one use case.

Users use SSO from client computers and administrators use basic login from the server side, not from a client computer.

PetrH

Why would administrators need to use basic login?

@jbailey 

Because it is a demilitarized zone where a connection to the server providing the SSO is not available 😄, for example IBM WebSEAL

PetrH

tchao
4-Participant
(To:HelesicPetr)

In our case, the accesses with Basic authentication are also internal, and we don't have a DMZ.

tchao
4-Participant
(To:jbailey)

Not for administrators.  All users are getting a connection with LDAPS OK, but the middleware failed for unknown reasons.

jbailey
17-Peridot
(To:tchao)

So for your middleware... any LDAP certs need to be imported in the middleware keystores as well. Did you try running the openssl command from your server that the middleware is on? 

 

tchao
4-Participant
(To:jbailey)

I thought they should have because this is all internal.  But it is worth a try to ask the middleware admin.

jbailey
17-Peridot
(To:tchao)

Also what errors are showing up in the logs for the middleware?

tchao
4-Participant
(To:jbailey)

From Apache error log and Wireshark, we are getting the error messages below:

1. User Authentication Failed (from Wireshark)

2. Cannot connect to ldaps server 

What's strange is that regular users log in fine and Creo registers fine.  But the backend ETO app access will get the above errors.

 

jbailey
17-Peridot
(To:tchao)

Is the username / password in an enterprise AD or something like Windchill DS?

 

I also do find it odd that an end user client can connect via username/password but not your middleware client. Was this working in your ADFS configuration? 

 

tchao
4-Participant
(To:jbailey)

Yes.  We are changing our SSO from ADFS to PingOne with MFA.

Our use cases are like this:

- Regular users will be with PingID + MFA

- Services integration will use Basic authentication (such as middleware and Engineering to Order Configurator tool, etc).

The second item above works well with an LDAP connection, but we are getting an authentication failure with an LDAPS connection, and PTC is not able to provide a solid case for what the root cause of this denial is....

 

Any high-level implementation steps are very much appreciated!

jbailey
17-Peridot
(To:tchao)

So with Ping they should be able to set up an auth flow that directs users to the appropriate authentication method.

What is the error you see when LDAPS fails? If there is anything with PKIX in the error, then it is an issue with certificate trust (the LDAP server certificate is not in the offending keystore).

jbailey
17-Peridot
(To:jbailey)

Also, from the machine that is trying to connect to your DS via LDAPS.... The Windchill server will have openssl on it... in a command prompt you can run the following command and see what it returns (it should come back with a server cert in PEM format along with connection info):

 

openssl s_client -connect <ldap server fqdn like: myAD.mycorp.com>:636 
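The openssl check above, and the two-sided firewall point made later in the thread, both come down to telling a blocked TCP connection apart from an untrusted certificate chain. This added script (not from the thread or from PTC) wraps the same openssl s_client call and classifies its output; the sample outputs are constructed, the hostname is a placeholder, and it assumes openssl and the coreutils timeout command are on PATH.

```shell
#!/bin/sh
# Classify captured "openssl s_client" output into the failure class a
# Windchill/middleware admin would act on. Prints one word:
#   network - TCP connect never completed (firewall, DNS, wrong port)
#   trust   - TLS handshake done, but the server chain is not trusted
#             (a PKIX error on the Java side means the same thing: import
#             the LDAP server's CA into the keystore that client uses)
#   ok      - connected and the chain verified
#   unknown - anything else; read the raw output
classify_ldaps_output() {
    out="$1"
    case "$out" in
        *"connect:errno="*|*"Connection refused"*|*"Bad file descriptor"*)
            echo network ;;
        *"Verify return code: 0 (ok)"*)
            echo ok ;;
        *"Verify return code:"*|*"unable to get local issuer certificate"*)
            echo trust ;;
        *)  echo unknown ;;
    esac
}

# Live check. </dev/null makes s_client exit after the handshake instead of
# waiting for input, and timeout stops a silently dropped connection from
# hanging the prompt the way it did in the thread. Assumes coreutils timeout.
check_ldaps() {
    host="$1"; port="${2:-636}"
    out=$(timeout 10 openssl s_client -connect "$host:$port" -showcerts </dev/null 2>&1)
    classify_ldaps_output "$out"
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_BLOCKED='socket: Bad file descriptor
connect:errno=9'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_OK='CONNECTED(00000003)
Verify return code: 0 (ok)'

for s in "$SAMPLE_BLOCKED" "$SAMPLE_UNTRUSTED" "$SAMPLE_OK"; do
    classify_ldaps_output "$s"
done
# Against a real directory: check_ldaps myAD.mycorp.com 636   (placeholder host)
```

Run it from the web server and again from the middleware host: a "network" result on one and "ok" on the other points at the firewall path rather than at Windchill.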

tchao
4-Participant
(To:jbailey)

Tried the openssl command, but the command just ends there after hitting enter.

It seems that it is being blocked somewhere, but our firewall and NetScaler set it to pass through.  Not sure if PTC cloud allows this....

tchao
4-Participant
(To:tchao)

After a while, the openssl command got this back:

socket: Bad file descriptor
connect:errno=9

jbailey
17-Peridot
(To:tchao)

This sounds like the problem. When a user attempts to authenticate, apache (or IIS) sends the username/password to LDAP for verification... which means that your Windchill web server (and the application portion) needs to have outbound access to the Active Directory (or other LDAP v3 DS), and the server where the AD/DS resides needs to have inbound access from the Web/App server. You could potentially have two firewall issues here... inbound and outbound on both sides.

tchao
4-Participant
(To:jbailey)

It is all traffic inside the corp network. I am assuming there should not be any issue, but it is worth checking again to make sure.

Thanks,

jbailey
17-Peridot
(To:tchao)

Also, I would recommend at some point considering OAuth for your integration authentications. I know some tools may not support that; however, it is a much more secure method.

HelesicPetr
21-Topaz II
(To:tchao)

Hi @tchao 

It is configurable on a HTTP Server (apache) side so I would contact Apache support for that. 

 

In other words: I know it is possible, but I've never needed it :D

PetrH

It can be done with PTC provided tools as well (PingFederate). I have an entirely SAML authentication policy that allows admins to use secondary accounts for separation of duties.
