We have decommed old AD DC’s and published new AD DC’s in our dev environment.
After updating the new DC values in Domain settings on AD source connection page, even without selecting TLS, I am getting below error on test connection from Port 389:
We have detected an error from the managed system.
Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the Active Directory Service is up and running. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:389 - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090341, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4f7c]
We have tested the test connection from our IQ server to the new DC. The test connection is working with LDAP port 389 and also with LDAPS port 636 (with TLS enabled) with same service account creds and it is working whereas when we are trying the same from Sailpoint console, it is failing.
Hi @vsekar7 Sounds like you used strong AuthN with your sucessful test and basic AuthN in your ISC setup. See if you can enable SASL on the ISC end or (preferred) go straight to TLS/SSL over 636.
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:636 - javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi @vsekar7 It is impossible for me to diagnose your SSL issue without knowledge of the environment. Root and any intermediate certs should be enough, but if the DC has used a self-signed cert then, yes, you will need to import it. Like I say, using openssl tools on the VA will help in diagnosis.
Even after completing the above steps, we are getting the below error:
We have detected an error from the managed system.
Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:636 - javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi @vsekar7 Glad you got it sorted. If my note above about SASL explained the original error message you were receiving, please mark it as a solution to assist others in the future.