Turned on TLS for my AD source. It was working on 389 and in the server field, I add the domain name. When i turn on TLS and switch to 636 it no longer works with the domain name. If i change the name in the server to one of my DCs it works. Any reason why it won’t work with the domain name? One of…

You need to have a certificate where the name of the server being requested matches the name of the response. So, I would guess that your servers are returning their host names and not the domain. You can add certificates to your virtual appliance by placing the certificate in the /home/sailpoint/…

I have add the root certificate and the sub certificate. With that, it works if i name the server in the server field. Do i need to get a specific certificate for each domain controller?

What are you calling the “sub certificate”? Is your Domain Controller signed directly by the root certificate, or by an intermediate certificate authority? Either way, you should only need the root certificate, if all of the DCs to which you connect are ultimately signed by the same same root CA. O…

Does the certificate that you are using have the mydomain.com value either in the subject of the certificate or in the subject alternate name?

@vsandhu1 Sub is the intermediate certificate. The Root and Intermediate Certificate are on the both VA and on the iqservice machine. @agutschow The root certificate is rootCA.mydomain.com Intermediate is subCa.mydomain.com That is in the subject and subject alternative name. Now when I do tes…

What happens when you run “openssl s_client -connect <DC_FQDN>:636 on your VA? Is is presenting a certificate signed by those other two?

So your root and intermediate certificates should be in the certificate chain of your AD domain certificate. Now you need to look in the certificate for the domain as Vipinjeet suggested. Make sure that the certificate chain had the intermediate and root certificates. Also verify that the name th…

Ran openssl s_client -connect <DC_FQDN>:636 on the VA It connects and I see under Certificate Chain the subca cert and the RootCa Cert. I do see Verification error: unable to get local issuer certificate. Is that an issue?

When you ran the openssl command was the domain name in the name field of the certificate or the subject alternate name for the certificate? Since your certificates are on your virtual appliance, you can try to reference the path in the openssl command to get past the verification error. Try this: …

Active Directory TLS Error

Identity Security Cloud (ISC) ISC Discussion and Questions

SailAway (Nai Saelee) April 15, 2025, 9:24pm 11

Looks like the verification error still shows up.

I don’t see the domain name, just the subCA and the rootCA
ie. DC=com,DC=mydomain,CN=subCA
DC=com,DC=mydomain,CN=rootCA

Topic		Replies	Views
Error in configuring a domain in Ad connector ISC Discussion and Questions identity-security-cloud	4	231	August 29, 2025
TLS: AD certificate issue between VA and AD ISC Discussion and Questions identity-security-cloud , connectors	13	1032	November 2, 2024
Connect to Active Directory with TLS ISC Discussion and Questions identity-security-cloud	9	1606	August 13, 2024
Issue in enabling TLS communication ISC Discussion and Questions identity-security-cloud , connectors	5	229	June 27, 2025
AD Connectivity Error ISC Discussion and Questions identity-security-cloud , active-directory	3	60	November 20, 2025

Active Directory TLS Error

Related topics