Hi all,
Trying to connect to AD for the first time in sandbox, and have stumbled upon this error:
Can anyone shed any light before I book in some professional services time:
Details:
This source couldn’t be connected due to an error.
[ InvalidConfigurationException ]
[ Possible suggestions ] Ensure that SSL communication is in place with domain.
[ Error details ] Failed to connect to - dc=test,dc=net : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://vmprtuksadc001.test.net:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR 2] Failed to connect to server:ldap://vmprtuksadc002.test.net:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It looks like this error is due to a TLS certificate issue, as you use TLS communication on port 636 with your Active Directory. Are you sure that the certificate is valid?
In your configuration you can just replace port 636 with 389 and test. If it works, that confirms the TLS certificate issue.
Also, you can retrieve the current certificate from your Active Directory by asking your AD team, or inspect the existing certificate with the following commands on your VA:
TLS Tips and Tricks
Inspect certificates using the openssl command, where certname.cer is the name of the certificate.
openssl x509 -in /home/sailpoint/certificates/certname.cer -text
Check the certificate details of a TLS endpoint, where server.domain.local is the FQDN of the host and port is the port to make the TLS connection on.
openssl s_client -connect server.domain.local:port
You can copy the certificate from this command, it is the block containing and including -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
Important note!
For security reasons I suggest you do not display your DC base path dc=enxxx and your AD host in your post. You can replace these values with random values when posting, for example: dc=xyz,dc=xyz and ldap://hostname:636
You are trying to connect to AD with a secure connection but IDNOW cannot verify the certificate.
It could be that the certificate is not valid or does not exist, or IDNOW cannot read it.
Also, you try to connect on port 636 (SSL port) but your string uses ldap.
Try to use ldaps with 636 port:
ldaps://vmprtuksadc001.enniqa.net:636
or
ldap://vmprtuksadc001.enniqa.net:389 → no SSL connection.
If the problem persists, check the certificate status on AD and on the VA.
When using port 389, I get the same error:
Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the Active Directory Service is up and running. [ Error details ] Failed to connect to - dc=test,dc=net : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://vmprtuksadc001.test.net:389 - java.net.SocketException: Connection reset [ERROR 2] Failed to connect to server:ldap://vmprtuksadc002.test.net:389 - java.net.SocketException: Connection reset
Currently looking at the certificates for any information.
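Pulling the two errors in this thread together (the PKIX failure on 636 and the connection reset on 389), here is a small triage helper as an added example; it is not part of the thread and not SailPoint's own tooling. It parses the connector's [ERROR n] entries, flags the ldap:// vs port 636 scheme/port mismatch pointed out above, maps the Java exception to the check each reply suggested, and masks the base DN and hostnames before the text is pasted into a public post, as the first reply recommends. The sample error strings are the ones quoted in this thread; the function names and the exception-to-cause mapping are my own assumptions, not SailPoint's.

```python
"""Triage AD connector errors: parse each [ERROR n] entry, flag scheme/port
mismatches, map the Java exception to a likely cause, and redact for posting."""
import re
from urllib.parse import urlsplit

# Constructed samples, copied from the two errors quoted in this thread.
ERROR_636 = (
    "[ Error details ] Failed to connect to - dc=test,dc=net : java.lang.Exception: "
    "[ERROR 1] Failed to connect to server:ldap://vmprtuksadc001.test.net:636 - "
    "javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target\n"
    "[ERROR 2] Failed to connect to server:ldap://vmprtuksadc002.test.net:636 - "
    "javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target"
)
ERROR_389 = (
    "[ Error details ] Failed to connect to - dc=test,dc=net : java.lang.Exception: "
    "[ERROR 1] Failed to connect to server:ldap://vmprtuksadc001.test.net:389 - "
    "java.net.SocketException: Connection reset "
    "[ERROR 2] Failed to connect to server:ldap://vmprtuksadc002.test.net:389 - "
    "java.net.SocketException: Connection reset"
)

# One "[ERROR n] Failed to connect to server:<url> - <exception>: <message>" entry;
# the message runs until the next [ERROR n] entry or the end of the text.
ENTRY_RE = re.compile(
    r"\[ERROR (?P<n>\d+)\] Failed to connect to server:(?P<url>\S+?) - "
    r"(?P<exc>[A-Za-z0-9_.$]+)(?::\s*(?P<msg>.*?))?(?=\s*\[ERROR \d+\]|\s*$)",
    re.S,
)


def parse_entries(details: str) -> list[dict]:
    """Return one dict per server the connector failed to reach."""
    return [
        {"n": int(m["n"]), "url": m["url"], "exception": m["exc"],
         "message": (m["msg"] or "").strip()}
        for m in ENTRY_RE.finditer(details)
    ]


def diagnose(entry: dict) -> list[str]:
    """Map one parsed entry to the checks suggested in the thread (assumed mapping)."""
    url = urlsplit(entry["url"])
    findings = []
    # The URL scheme and port must agree: 636 is LDAPS, 389 is plaintext LDAP.
    if url.scheme == "ldap" and url.port == 636:
        findings.append("scheme/port mismatch: 636 is the LDAPS port but the URL says "
                        "ldap://; use ldaps://host:636 (or ldap://host:389 to test "
                        "without TLS)")
    elif url.scheme == "ldaps" and url.port == 389:
        findings.append("scheme/port mismatch: 389 is the plaintext LDAP port but the "
                        "URL says ldaps://")
    exc, msg = entry["exception"], entry["message"]
    if exc.endswith("SSLHandshakeException") and "PKIX path building failed" in msg:
        findings.append("trust failure: the VA's Java trust store does not chain to the "
                        "DC certificate; pull the chain with 'openssl s_client -connect "
                        "host:636 -showcerts', import the issuing CA, and confirm the "
                        ".cer file is intact")
    elif exc.endswith("SocketException") and "Connection reset" in msg:
        findings.append("connection reset: the TCP connection was refused or cut; check "
                        "firewall rules and that the DC listens on that port")
    elif exc.endswith("SocketTimeoutException") or "timed out" in msg.lower():
        findings.append("timeout: no answer from the DC at all; check the port is open "
                        "end to end")
    else:
        findings.append(f"unclassified {exc}: {msg}")
    return findings


def triage(details: str) -> dict:
    """Findings per server URL for a whole error block."""
    return {e["url"]: diagnose(e) for e in parse_entries(details)}


def redact(text: str) -> str:
    """Mask base DNs and LDAP hostnames before pasting an error into a public post."""
    text = re.sub(r"(?i)\bdc=[^,\s:]+(?:,dc=[^,\s:]+)*", "dc=xyz,dc=xyz", text)
    return re.sub(r"(ldaps?://)[^\s:/]+", r"\1hostname", text)


if __name__ == "__main__":
    for sample in (ERROR_636, ERROR_389):
        for url, findings in triage(sample).items():
            print(redact(url))
            for f in findings:
                print("  -", f)
```

Run it on a pasted error block and you get, per DC, the mismatch (if any) plus the one check to do next; run redact over the block before posting it anywhere public.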
Turns out that the certificate had been corrupted along the way, so that has been fixed.
Then we were stuck on a timeout error because port 5050 was not open - that has been fixed.
Now we have this error:
Using either strong (389) or simple (636) authentication.
but they are clearly in the config:
I've tried both ‘prefix’ and ‘prefix@suffix’, and both give the same message.
@Sriindugula I’ve had that document open for days now. I’ve already submitted 2 corrections to it. It's not the most useful piece of instruction and troubleshooting.