Active Directory Connection Error

Hi,

I have visited this topic “AD test connection issue”. However, here someone stated to restart the server, which I tried (AD and VA’s). Still the issue is there.

I also followed the steps mentioned in this link “Integrating SailPoint with Active Directory” but it seems that I am still missing some setting.

Also, is it necessary to set up TLS? If yes, then from where can I obtain the certificate, as I do not see it in the AD server.

AWS VA’s are on Linux.

Need urgent help.

Hi @karan_1984,

What error are you getting?
Can you help with the log trace? Are you able to connect from IQService to AD?

Please check the below two links and see if they help.

Thanks

Hi Ashutosh,

I am getting this error.

Hi @karan_1984,

Are you able to connect to AD via IQService ?

Thanks

I can login to AD server and install the IQService.

I also do not see the X.509 certificate located in the Local Computer’s Personal certificate store when logged into the IQService machine.

Is there anything that needs to be done in AWS VA’s?

Hi Karan, it seems to me that this is a firewall issue.

Use this guide:
Virtual Appliance Troubleshooting Guide - Compass

As the VA does not have Telnet, look at the netcat section for testing if you can reach the AD and IQService ports.

From the VA, test if you can reach ports 389 and 636 of the configured domain controller. Also, test if the IQService port is reachable (5050 plain text or 5051 with TLS). Always perform the test with the address as it is configured in the connector; for example, if you configured just the IP, test the IP. If you configured the fully qualified name, test with the fully qualified name.

Another test should be to not use IQService first, and test the connector with the AD plain text port (389). If it works, turn on TLS and test the connector with port 636. Then, if it works, test with the IQService plain text port (5050), and finally test with TLS enabled (5051).

Hi Julian,

While running the Stunt Script “./stunt.sh [-h] [-t,p,o,l|L|u|c]” I am getting the below message.


Seems that the network connection is not set up correctly. Are there any specific ports that need to be opened for the network connection?

Hi Karan! Take note that the letters inside brackets are parameters. Here is a guide to use this command:

And for testing connectivity, you must use netcat inside the toolbox, as Telnet is not present in the VA. You should type:

$tb start
$tb session
nc -zv -w 5 FQDN PORT

There, you have to replace FQDN with the fully qualified name of your AD or IQService server, and PORT should be 389 and 636 for AD, and 5050 and 5051 for IQService.

Any suggestion on the firewall, as to how it has to be set up? When I am trying to ping the DC, I am getting timed out on port 389 and it states operation in progress.

Hi @karan_1984,

This can be confirmed by the network team who are deploying the virtual appliance in your organization.

Or do you use your own test environment?

Besides Ousmane’s suggestion, with which I agree, please confirm if it really is a firewall problem. Ping can get stuck if the destination server has disabled ICMP responses.

Try netcat as if it were telnet.

  1. Using the FQDN: if the connection is closed, the port can be unreachable or the FQDN is not resolvable by the VA.
  2. Using only the server name (without anything after the first “.”; for example, if the FQDN is server1.yourdomain.xyz, try using only server1): if the connection is closed, it may mean that the port is unreachable, or the VA cannot resolve the server name.
  3. Using the IP: this will confirm all of the above. If you can reach the DC, this means it is absolutely a port problem (the server is not allowing connections to 389/636, or a firewall is not letting you reach the DC).

Try these 3 alternatives. In parallel, you can check with the network team to gain time.
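Julian’s three-step netcat check, written out as a script so the three results can be read together (an added example, not from any post in this thread). It uses the toolbox and the nc flags from the posts above; the script name, hostnames and IP are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run inside the VA toolbox (tb start; tb session).
# Repeats the nc -zv -w 5 test from the posts above against FQDN, short name and IP
# for the AD ports (389/636) and IQService ports (5050/5051), then reads the pattern.
# Hostnames and IP below are constructed placeholders; substitute your own.

# server1.yourdomain.xyz -> server1 (strip everything from the first "." onward)
short_name() { printf '%s\n' "${1%%.*}"; }

# Returns "open" or "closed" for host $1, port $2 using the same nc flags as the thread.
check_port() {
  if nc -zv -w 5 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# Given the results for FQDN ($1), short name ($2) and IP ($3), say what they imply,
# following the three-step reasoning in the post above.
diagnose() {
  if [ "$3" = closed ]; then
    echo "port problem: server not accepting connections on this port or firewall in the path"
  elif [ "$1" = closed ] && [ "$2" = closed ]; then
    echo "name resolution problem: VA resolves neither FQDN nor short name (IP works)"
  elif [ "$1" = closed ]; then
    echo "name resolution problem: VA does not resolve the FQDN (short name works)"
  else
    echo "reachable: port open via FQDN, connector can use the configured name"
  fi
}

# Test each port against all three address forms and print the diagnosis per port.
run_checks() {
  local fqdn="$1" ip="$2" short; shift 2
  short="$(short_name "$fqdn")"
  for port in "$@"; do
    local r_fqdn r_short r_ip
    r_fqdn="$(check_port "$fqdn" "$port")"
    r_short="$(check_port "$short" "$port")"
    r_ip="$(check_port "$ip" "$port")"
    printf '%-5s fqdn=%-6s short=%-6s ip=%-6s -> %s\n' \
      "$port" "$r_fqdn" "$r_short" "$r_ip" "$(diagnose "$r_fqdn" "$r_short" "$r_ip")"
  done
}

# Usage (constructed values): ./ad_ports.sh dc01.yourdomain.xyz 10.0.0.5 389 636
#                             ./ad_ports.sh iqsvc01.yourdomain.xyz 10.0.0.9 5050 5051
if [ "$#" -ge 3 ]; then
  run_checks "$@"
fi
```

Run it once per domain controller and once per IQService host, with the address forms the connector is actually configured with, so the output lines up with the connector test.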

I am again getting the same error.


Ports are open towards the servers. I am able to ping the servers on ports 5050, 389 and 636 via PuTTY.

But when I try to do a test connection I am getting the error.

@karan_1984 For the certificate, connect with the infra team; they will give you commands to export the certificate, and you can ask them how to install the certificate in any server.

Hi Vaibhav,

Thank you for the reply. However, right now the issue is not with the certificate. It is unable to establish a connection with my sandbox environment to test AD.

@karan_1984, can you try restarting the VAs once?

Tried that as well. Anything else that I should check?

Are you logging in with the service account as a user?
Go into ‘Services’ on the box hosting the IQService, double click on the service account, then on the ‘Log On’ tab.
It should look like this:

Thanks,
Phil

Hi Phil,

As per the instructions, the IQService account should be used with the service account which is already being used for IQService.

I have 2 domains, which are in different networks. I am able to connect to one but not able to connect to the other domain. Ports are already opened, as I am able to ping via AWS.