04-10-2025
07:09 AM
@sha257 Reviewing all your configuration files is not the first step here. I suspect your MutualTLS exchange between your NiFi and NiFi-Registry is not successful, resulting in that connection being established as the "anonymous" user (the user you see in the NiFi-Registry UI in the upper right corner before you click login to access as a different authenticated user).

Put the following class in DEBUG on your NiFi-Registry via the logback.xml: org.apache.nifi.registry.web.security.authentication

Start tailing the nifi-registry-app.log. You'll start seeing some DEBUG log lines (will be noisy). Then attempt to start version control on some process group in NiFi, which will open the version control UI in NiFi. In the nifi-registry-app.log at that moment in time you will see one of two things:

2025-04-10 13:54:53,360 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 13:54:53,361 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='<NIFI certificate DN>', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@713e0007}

The above tells you NiFi presented a trusted and clientAuth certificate, and you will see that certificate's DN. In this case make sure that DN exists as a user in NiFi-Registry (case sensitive) and give that user read on "Can manage Buckets" and read, write, delete on "Can proxy user requests".

Or you'll see...

2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.x509.X509CertificateExtractor: No client certificate found in request.
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using JwtIdentityProvider
2025-04-10 14:01:24,163 DEBUG org.apache.nifi.registry.web.security.authentication.AnonymousIdentityFilter: Set SecurityContextHolder to anonymous SecurityContext

The above tells you the mutualTLS exchange was not successful and the connection was established as the "anonymous" user. In this case you need to address your certificate issue so that mutualTLS can be successful.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
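Matt's post above says to read the two nifi-registry-app.log outcomes by eye. As an added example that is not part of the post or of NiFi-Registry itself, the Python below classifies each X509IdentityProvider attempt in a constructed log sample as mTLS or anonymous, pulls out the presented DN, and checks it case-sensitively against the identities configured in NiFi-Registry (the DN `CN=nifi-node1, OU=NiFi, O=Example` and the identity list are assumed sample values).

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the two nifi-registry-app.log outcomes in the post above
# (assumption: the certificate DN 'CN=nifi-node1, OU=NiFi, O=Example' is a made-up value).
SAMPLE_LOG = """\
2025-04-10 13:54:53,360 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 13:54:53,361 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=nifi-node1, OU=NiFi, O=Example', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@713e0007}
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.x509.X509CertificateExtractor: No client certificate found in request.
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using JwtIdentityProvider
2025-04-10 14:01:24,163 DEBUG org.apache.nifi.registry.web.security.authentication.AnonymousIdentityFilter: Set SecurityContextHolder to anonymous SecurityContext
"""

START_MARK = "Attempting to extract user credentials using X509IdentityProvider"
DN_RE = re.compile(r"Credentials extracted by X509IdentityProvider: AuthenticationRequest\{username='([^']*)'")
ANON_MARK = "AnonymousIdentityFilter: Set SecurityContextHolder to anonymous SecurityContext"


def classify_attempts(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Group log lines into authentication attempts (one per X509IdentityProvider
    start line) and record whether each ended as 'mtls' (DN extracted) or 'anonymous'."""
    attempts: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in log_text.splitlines():
        if START_MARK in line:
            current = {"timestamp": line[:23], "outcome": "unknown", "dn": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        match = DN_RE.search(line)
        if match:
            current["outcome"] = "mtls"
            current["dn"] = match.group(1)
        elif ANON_MARK in line and current["outcome"] != "mtls":
            current["outcome"] = "anonymous"
    return attempts


def check_identity(dn: str, registry_identities: List[str]) -> str:
    """NiFi-Registry matches the DN against its users case-sensitively; a case-only
    mismatch is reported separately because it looks correct at a glance."""
    if dn in registry_identities:
        return "match"
    if dn.lower() in {ident.lower() for ident in registry_identities}:
        return "case_mismatch"
    return "missing"
```

Run `classify_attempts` over the real log after enabling the DEBUG logger, then feed each extracted DN to `check_identity` with the identities from your NiFi-Registry users list.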
12-10-2024
06:09 AM
@sha257 Did you restart your NiFi after modifying the logback.xml? NiFi executes the ldap-user-group-provider during startup, so you should see DEBUG output in the nifi-app.log at that time and each time the sync interval happens. As far as the ldap sample, I would need to see an ldap search group output that contains "member" entries for users you expect to see. Thanks, Matt
11-27-2024
06:07 AM
@MattWho: Could you please suggest what could be missing? Thanks in advance!
10-03-2024
12:16 AM
@MattWho: Sorry that I missed replying to your questions earlier. I have made sure to fix the authorizers.xml and now I am able to access the registry UI. Thanks for all your detailed responses and suggestions.
10-01-2024
05:42 AM
Changing:

<property name="Authentication Strategy">START_TLS</property>

to

<property name="Authentication Strategy">LDAPS</property>

fixed the error, but I get:

Caused by: org.apache.nifi.registry.security.exception.SecurityProviderCreationException: Unable to locate initial admin CN=xxx,OU=Service Users,OU=User Accounts,DC=xxx,DC=xxx,DC=xx,DC=net to seed policies
at org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:476)
at org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:436)
at org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider.doOnConfigured(FileAccessPolicyProvider.java:158)
at org.apache.nifi.registry.security.authorization.AbstractConfigurableAccessPolicyProvider.onConfigured(AbstractConfigurableAccessPolicyProvider.java:64)
... 109 common frames omitted
09-27-2024
08:45 AM
@sha257 The TLS properties need to be configured if your LDAP endpoint is secured, meaning it requires the LDAPS or START_TLS authentication strategies. Even when secured, you will always need the TLS truststore, but may or may not need a TLS keystore (depends on your LDAP setup). For unsecured LDAP url access, the TLS properties are not necessary. Even unsecured (meaning the connection is not encrypted), the manager DN and manager Password are still going to be required to connect to the ldap server. Based on the information shared, I cannot say what your ldap setup does or does not require. You'll need to work with your ldap administrators to understand the requirements for connecting to your ldap. Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt