Active Directory - Direct getting DNS mapping error

Which IIQ version are you inquiring about?

IIQ 8.4

Please share any images or screenshots, if relevant.

Share all details about your problem, including any error messages you may have received.

Hi all, we have configured an application to be connected to an Active Directory - Direct application type. We have cleared all firewalls and set up the relevant NSGs and UDRs to clear the network path to the Active Directory. We also tested by going into the SailPoint server to do an nslookup on the hostname, and the domain is cleared too.

However, with the configuration in the SailPoint UI we are getting an error. Would like to check if there is any configuration missing on the AD that needs to be set up for SailPoint to connect?

@shijingg check some threads, looks like some mapping is missing.

Ensure that the DNS mapping is correct on your host - Compass (sailpoint.com)

Solved: Active Directory Connection Error - Compass (sailpoint.com)

Hi @shijingg,

Good Day!

First check whether you are able to connect to the server without TLS or not, and the DNS server should be configured correctly. Please check that also.

@shijingg -

The error message you’re encountering—java.net.UnknownHostException—indicates that the SailPoint IdentityIQ application is unable to resolve the hostname of your Active Directory (AD) server. Even though you can perform an nslookup from the SailPoint server, the Java Virtual Machine (JVM) running the SailPoint application may not be using the same DNS settings as the underlying operating system.

Possible Reasons and Solutions:

1. Java DNS Resolution Issues:
   • Description: Java applications use their own DNS resolver, which may not always align with the OS-level DNS configurations.
   • Solution:
     • Check JVM DNS Settings: Ensure that the JVM is configured to use the correct DNS servers. You can set the DNS servers explicitly by adding the following JVM options:

```
-Dsun.net.spi.nameservice.nameservers=<DNS_Server_IP>
-Dsun.net.spi.nameservice.provider.1=dns,sun
```

     • Flush Java DNS Cache: If the hostname was recently updated, Java might be using a cached DNS entry. Restarting the SailPoint application or flushing the Java DNS cache can help.
2. Incorrect Hostname Configuration:
   • Description: The hostname specified in the SailPoint configuration might be incorrect or not fully qualified.
   • Solution:
     • Use Fully Qualified Domain Name (FQDN): Ensure you’re using the FQDN of the AD server in the SailPoint configuration.
     • Update Hosts File: Add an entry in the /etc/hosts (Linux) or C:\Windows\System32\drivers\etc\hosts (Windows) file to map the AD server’s IP to its hostname.
3. Network or Firewall Restrictions on AD Side:
   • Description: While you’ve cleared firewalls and NSGs on the SailPoint side, the AD server might have its own firewall settings blocking incoming connections.
   • Solution:
     • Open Required Ports on AD Firewall: Ensure that ports 389 (LDAP) or 636 (LDAPS) are open on the AD server’s firewall.
     • Enable Remote Connections: Verify that the AD server is configured to accept remote LDAP connections.
4. Missing or Incorrect Credentials:
   • Description: SailPoint requires valid credentials to authenticate with AD.
   • Solution:
     • Verify Credentials: Ensure that the username and password provided in the SailPoint configuration have the necessary permissions in AD.
     • Account Not Locked or Expired: Make sure the account isn’t locked or expired.
5. SSL Certificate Issues (If Using LDAPS):
   • Description: If you’re connecting over LDAPS, SSL certificate issues can prevent a successful connection.
   • Solution:
     • Install Certificates: Import the AD server’s SSL certificate into the Java keystore used by SailPoint.
     • Truststore Configuration: Ensure that the JVM trusts the certificate by configuring the javax.net.ssl.trustStore JVM property.
6. DNS Suffix and Search Domains:
   • Description: If the domain suffix is not automatically appended, the hostname may not resolve.
   • Solution:
     • Configure DNS Suffixes: Add the domain suffix in the network settings or explicitly use the FQDN.
7. Proxy Settings Interference:
   • Description: Proxy configurations can interfere with direct network connections.
   • Solution:
     • Bypass Proxy for Local Addresses: Configure the JVM to bypass the proxy for local addresses using:

```
-Dhttp.nonProxyHosts="*.yourdomain.com|localhost"
```

     • Disable Proxy Settings: If a proxy isn’t required, ensure that no proxy settings are configured.
8. Verify Network Connectivity from JVM:
   • Description: The application might be running in a different environment (e.g., Docker container) with its own network settings.
   • Solution:
     • Test Connectivity Within JVM Environment: Run a simple Java program within the same JVM to test hostname resolution.
     • Check Container Network Settings: If using containers, ensure the network settings allow DNS resolution.

Thank you!
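The "simple Java program" suggested in item 8 of the reply above, written out as an added example (it is not code from the thread or from SailPoint). It runs the three checks that separate a DNS problem from a firewall problem from a TLS trust problem, in the order the connector would hit them: what the JVM's own resolver returns for the DC name, whether a TCP connection to the LDAP/LDAPS port succeeds, and whether the JVM's truststore accepts the DC certificate. The hostname dc01.corp.example.com and the 5 second timeout are assumptions; pass your DC's FQDN and port as arguments, and launch it with the same JVM binary and the same -D options (trustStore, proxy, nameservice) that the IdentityIQ application server uses, otherwise the result says nothing about IIQ.

```java
// Added example, not part of the original thread. Run with the same JVM and the same
// -D options as the IdentityIQ application server:
//   java -Djavax.net.ssl.trustStore=... AdConnectivityCheck dc01.corp.example.com 636
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.Security;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class AdConnectivityCheck {

    private static final int TIMEOUT_MS = 5000; // assumed timeout, not an IIQ setting

    public static void main(String[] args) throws Exception {
        // dc01.corp.example.com is an assumed name; replace it with your DC's FQDN.
        String host = args.length > 0 ? args[0] : "dc01.corp.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        System.out.println("java.version = " + System.getProperty("java.version"));
        // Positive-lookup cache TTL seen by this JVM (null means the JDK default).
        System.out.println("networkaddress.cache.ttl = "
                + Security.getProperty("networkaddress.cache.ttl"));

        // Check 1: the JVM's resolver, not nslookup, must know the name. A failure here
        // is exactly the java.net.UnknownHostException IdentityIQ reports.
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            System.out.println("JVM cannot resolve " + host + ": " + e);
            return;
        }
        for (InetAddress a : addrs) {
            System.out.println("resolved " + host + " -> " + a.getHostAddress());
        }

        // Check 2: plain TCP to the LDAP/LDAPS port. Connect timeout or refused here means
        // a firewall or NSG in the path, not DNS.
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(addrs[0], port), TIMEOUT_MS);
            System.out.println("TCP connect to " + addrs[0].getHostAddress() + ":" + port + " OK");
        }

        // Check 3 (LDAPS only): TLS handshake with the JVM's configured truststore, with
        // LDAPS endpoint identification so the certificate must also match the hostname
        // (the same check JNDI's LDAP provider applies by default on current JDKs).
        if (port == 636) {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket ssl = (SSLSocket) factory.createSocket(host, port)) {
                SSLParameters params = ssl.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("LDAPS");
                ssl.setSSLParameters(params);
                ssl.setSoTimeout(TIMEOUT_MS);
                ssl.startHandshake();
                System.out.println("TLS handshake OK, peer: "
                        + ssl.getSession().getPeerPrincipal().getName());
            }
        }
    }
}
```

If check 1 fails while nslookup on the same box succeeds, look at what the JVM is actually pointed at: on JDK 9 and later the sun.net.spi.nameservice.* properties quoted in the reply above are no longer supported and the JVM uses the operating system resolver, so a hosts-file entry, the FQDN, or the connector's own skipBindUsingDNS / explicit server setting is the practical fix rather than those -D options. If check 1 passes but check 3 fails, the error is a trust problem and belongs with item 5, not with DNS.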

Hi @pravin_ranjan, I followed Solved: Active Directory Connection Error - Compass (sailpoint.com)

```xml
<entry key="skipBindUsingDNS" value="true"/>
```

and also added the DC IP to the server field in the domain config, but now I am getting this error instead.
[image]

Hi @officialamitguptaa, I would like to understand: do I need an IQService per Active Directory application I set up in IdentityIQ?

@shijingg -
No, you do not necessarily need a separate IQService for each Active Directory (AD) application or domain in SailPoint IdentityIQ. A single IQService instance can handle multiple AD domains and applications, provided it has the necessary network connectivity and permissions to access those domains.

Here’s how it works:

1. Single IQService for Multiple Domains:
   • Connectivity: The IQService must be installed on a Windows machine that has network access to all the AD domains you intend to manage.
   • Permissions: The service account running the IQService needs appropriate permissions in each domain to perform required operations like password resets, account creations, etc.
   • Configuration: In IdentityIQ, each AD application (representing a domain) can be configured to point to the same IQService instance by specifying the same IQService host and port in the application configuration.
2. When Multiple IQServices Are Necessary:
   • Network Segmentation: If the domains are in separate networks with no direct connectivity, you may need an IQService instance within each network segment.
   • Security Policies: Organizational policies might restrict cross-domain authentication or service account permissions, necessitating separate IQService deployments.
   • Performance Considerations: For very large environments, distributing the load across multiple IQService instances can improve performance and fault tolerance.

Best Practices:

  • Centralized Deployment: If possible, deploy a centralized IQService to simplify management and reduce overhead.
  • Service Account Permissions: Ensure the service account has the least privileges necessary for all domains it manages.
  • Testing: Before full deployment, test the configuration to confirm that the IQService can perform all required operations across the different domains.

Conclusion:

You can use a single IQService instance for multiple Active Directory applications in IdentityIQ as long as it can communicate with and has the necessary permissions for each domain. Assess your network architecture and security requirements to determine the best deployment strategy for your environment.

Thank you!

@shijingg -

I would advise you create a new post for new topics. Whichever post helped you to sort out your issue, Mark it as solution and then create a new post.

It will help other users in future.

Thank you!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.