Active Directory test connection is failing with "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"

We have decommed old AD DC’s and published new AD DC’s in our dev environment.

After updating the new DC values in Domain settings on AD source connection page, even without selecting TLS, I am getting below error on test connection from Port 389:

We have detected an error from the managed system.

Error Received:

[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the Active Directory Service is up and running. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:389 - [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090341, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4f7c]

Hi @vsekar7 Have you tried googling AD error code 8 - 00002028?

Hi @j_place ,

We have tested the test connection from our IQ server to the new DC. The test connection is working with LDAP port 389 and also with LDAPS port 636 (with TLS enabled) with same service account creds and it is working whereas when we are trying the same from Sailpoint console, it is failing.

Hi @vsekar7 Sounds like you used strong AuthN with your sucessful test and basic AuthN in your ISC setup. See if you can enable SASL on the ISC end or (preferred) go straight to TLS/SSL over 636.

Hi @j_place ,

After the below settings, we are getting the below error message. But still we have the valid Root Cert and Issuer Cert installed in the VA.

Also can you check and let me know if we need to install the AD DC’s Cert in VA ?

Under Forest Settings:

Under Domain Settings:

Error:
Error Received:

[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:636 - javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi @vsekar7 See TLS Configuration on Virtual Appliances for tips on SSL config. I would also suggest using openssl tools on the VA to diagnose.

Hi @j_place ,

can you please check and let me know if we need to install the AD DC’s Cert in VA.

Regards,

Venkat

Hi @vsekar7 It is impossible for me to diagnose your SSL issue without knowledge of the environment. Root and any intermediate certs should be enough, but if the DC has used a self-signed cert then, yes, you will need to import it. Like I say, using openssl tools on the VA will help in diagnosis.

@vsekar7 as described here Virtual Appliance Troubleshooting Guide - Compass

Your AD TLS Certificates should be deployed into /home/certificates

Your AD Team can deliver this.

Or you can retrieve it your self directly in your VA :

Connect in your VA and launch this openssl command :

openssl s_client -connect yourADdomain_url:port

This will display the server public key certificate informations,

Copy / paste the section including -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a new file named for example ad_certificate.cer

Add/move/create the ad_certificate.cer in the directory /home/certificates

Restart the ccg service :

sudo systemctl restart ccg

You can then test again the connection.

Hi @baoussounda ,

Even after completing the above steps, we are getting the below error:

We have detected an error from the managed system.
Error Received:

[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=djx2,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://server.devdomain.com:636 - javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@vsekar7 - Vengatesan, Seems the certification is not bind properly the exported certificates should be stored in the VA /home/sailpoint/certificates/

Here is the command that you can export the certificates from VA and stored it that above specified path in your Virtual Appliance.

openssl s_client -connect yourserverdomain.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /home/sailpoint/certificates/ADCer.pem 

openssl s_client -connect yourserverdomain.com:5051 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /home/sailpoint/certificates/IQServiceCer.pem  

Regards,

Kannan

Hi @kannan_sb85 ,

After the AD team shared the root DC of the new DC, we are able to establish connectivity.

Regards,

Venkat

Hi @vsekar7 Glad you got it sorted. If my note above about SASL explained the original error message you were receiving, please mark it as a solution to assist others in the future.

@vsekar7 - Perfect! Seems the issue got fixed, please mark appropriate answer as accepted solution.