We have an AD source configured that has been working for a few months. The certificates were replaced on the DCs a few days ago (root and intermediate did not change). We have put the new DC certificates on the VA cluster servers and the IQService server. The AD source is not returning to a healthy state and gives this error on test connection:
We have detected an error from the managed system.
Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=cnvr,dc=xxxxxxx,dc=com : java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://ord-dc303.cnvr.xxxxxxx.com:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [ERROR 2] Failed to connect to server:ldap://ord-dc304.cnvr.xxxxxxx.com:636 - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I was able to partially resolve the issue. It looks like on the IQS server, the updated certificates were not in the correct trust store. Once I moved them there, the source test completes successfully. The problem I’m seeing now is when running a manual aggregation, it fails with the following error:
[ERROR for domain - dc=cnvr,dc=xxxxxxx,dc=com] java.lang.RuntimeException: Failed to read after retrying 5 times, from : dc=cnvr,dc=xxxxxxx,dc=com - ldap://ord-dc303.cnvr.xxxxxxx.com:636 - [LDAP: error code 50 - 00002105: LdapErr: DSID-0C090A87, comment: Error processing control, data 0, v2580]
Each time I’ve run it, it scans a different number of accounts.
The problem turned out to be that Delta Aggregation was enabled, but the AD service account did not have the additional permissions to support that. Once I disabled that option, the AD connection is healthy and working again.
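The two failures in this thread look alike in the connector UI but have different causes, so here is an added triage helper (not from the post, SailPoint, or any connector code) that separates them: it recognises the PKIX trust-chain failure, and parses the AD diagnostic string to decode the Windows error 0x2105 (ERROR_DS_DRA_ACCESS_DENIED) behind the "Error processing control" message. It assumes, as the post's fix implies, that delta aggregation sends a replication (DirSync) control that needs the Replicating Directory Changes right; the sample messages are the ones quoted above, trimmed to one server.

```python
import re

# Windows system error codes that AD embeds as 8 hex digits in its LDAP diagnostic text.
WIN32_ERRORS = {
    0x2105: "ERROR_DS_DRA_ACCESS_DENIED: replication access was denied",
    0x52E: "ERROR_LOGON_FAILURE: bad user name or password",
}
LDAP_RESULT = {49: "invalidCredentials", 50: "insufficientAccessRights", 52: "unavailable"}

LDAP_DIAG = re.compile(
    r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), "
    r"comment: (.+?), data (\d+), v(\w+)\]")
LDAP_URL = re.compile(r"ldaps?://[^\s\]]+")

# Sample inputs: constructed from the two messages quoted in the post above.
PKIX_MSG = ("Failed to connect to server:ldap://ord-dc303.cnvr.xxxxxxx.com:636 - "
            "javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
            "unable to find valid certification path to requested target")
DIRSYNC_MSG = ("java.lang.RuntimeException: Failed to read after retrying 5 times, from : "
               "dc=cnvr,dc=xxxxxxx,dc=com - ldap://ord-dc303.cnvr.xxxxxxx.com:636 - [LDAP: error code 50 - "
               "00002105: LdapErr: DSID-0C090A87, comment: Error processing control, data 0, v2580]")

def parse_ad_diagnostic(msg):
    """Extract result code, AD data code and comment; None if the text is not an AD LDAP error."""
    m = LDAP_DIAG.search(msg)
    if not m:
        return None
    code, win, dsid, comment, data, ver = m.groups()
    return {"ldap_code": int(code), "ldap_name": LDAP_RESULT.get(int(code), "unknown"),
            "win32": int(win, 16), "win32_name": WIN32_ERRORS.get(int(win, 16), "unknown"),
            "dsid": dsid, "comment": comment.strip(), "data": int(data), "version": ver,
            "servers": LDAP_URL.findall(msg)}

def triage(msg):
    """Return (category, remediation) for a test-connection or aggregation error string."""
    if "PKIX path building failed" in msg or "unable to find valid certification path" in msg:
        return ("trust_store", "The TLS client has no chain to the DC certificate; import the issuing "
                "CA into the trust store the connector actually reads, on every VA and IQService host.")
    d = parse_ad_diagnostic(msg)
    if d is None:
        return ("unknown", "No recognisable AD diagnostic in the message; inspect the connector log.")
    if d["ldap_code"] == 50 and d["win32"] == 0x2105 and "control" in d["comment"].lower():
        return ("delta_permission", "AD refused a replication (DirSync) control for this account; grant "
                "Replicating Directory Changes on the domain, or disable delta aggregation.")
    if d["ldap_code"] == 49:
        return ("credentials", "Bind failed; check the service account password and lockout state.")
    return ("ldap_error", f"LDAP {d['ldap_name']} / {d['win32_name']}: {d['comment']}")
```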