Error in configuring a domain in AD connector

Hello everyone, I’m configuring the AD source and I’ve already set up IQServices and VAs that are working correctly. I imported the right certificate of AD inside the VA to enable TLS communication and it works fine. I’m having a problem configuring a Domain: when I try to test the connection I get this error:

Error Received:
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that SSL communication is in place with domain. [ Error details ] Failed to connect to - dc=pista,dc=ges,dc=ferlan,dc=it : Failed to connect to server:ldap://pista.ges.ferlan.it:636 - javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching pista.ges.ferlan.it found.

If I remove that domain, the test connection is OK. Since I need to integrate that domain, where could the problem be? Thanks in advance.

The SSLHandshakeException with the specific message “No subject alternative DNS name matching pista.ges.ferlan.it found” indicates a fundamental issue with the SSL certificate installed on your Active Directory domain controller, pista.ges.ferlan.it. When SailPoint’s Virtual Appliance attempts to establish a secure LDAPS connection on port 636, it performs a validation check on the server’s certificate. This error means that the hostname you configured in SailPoint (pista.ges.ferlan.it) is not explicitly listed as a valid DNS name within the “Subject Alternative Name (SAN)” field of the certificate presented by the AD server. This mismatch prevents the VA from verifying the server’s identity, causing the secure connection handshake to fail as a security measure.

To resolve this, the problem must be addressed directly on the pista.ges.ferlan.it Active Directory domain controller, not within SailPoint ISC. You need to obtain and install a new SSL certificate for this domain controller. When requesting this new certificate from your Certificate Authority (internal or external), it is critical to ensure that pista.ges.ferlan.it is explicitly included as a DNS entry within the Subject Alternative Name (SAN) field. Once the correct certificate is installed on the AD server, you must then re-export its public key and import it into the Java Truststore (cacerts) on your SailPoint Virtual Appliance. After these steps, the secure connection test from SailPoint ISC should succeed.
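The name check the answer above describes can be reproduced offline, and the same logic can be pointed at a live domain controller to see which DNS names its certificate really carries. The following is an added example for this thread, not SailPoint code and not posted by any participant. The Java message quoted in the question ("No subject alternative DNS name matching ... found") is produced when the certificate does have dNSName SAN entries but none of them match the configured host; when SAN entries are present, the subject CN is not consulted at all. A pattern worth checking in AD environments is a DC certificate that lists only the DC's own FQDN in its SAN while the connector was given the domain's DNS name; the hostname dc01.pista.ges.ferlan.it and the certificate dictionaries below are constructed for illustration, in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Hostname-vs-SAN check for an LDAPS endpoint.

Added example for this thread; it is not SailPoint code and was not posted by
any participant.  The certificate dictionaries mirror the shape returned by
ssl.SSLSocket.getpeercert(); their contents (including the DC hostname
dc01.pista.ges.ferlan.it) are constructed for illustration.
"""
import socket
import ssl
from typing import List, Optional, Tuple


def dns_name_matches(san_name: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname the way TLS clients do
    (RFC 6125 rules as commonly implemented): labels compare case-insensitively,
    a wildcard is accepted only as the entire leftmost label, and it matches
    exactly one label, so *.ferlan.it does not cover pista.ges.ferlan.it."""
    san_labels = san_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # The wildcard must stand for a non-empty label and may not be the whole name.
        if len(host_labels) < 2 or not host_labels[0]:
            return False
        return san_labels[1:] == host_labels[1:]
    if "*" in san_labels[0]:
        return False  # partial wildcards such as pi*.ges.ferlan.it are rejected
    return san_labels == host_labels


def san_dns_names(peercert: dict) -> List[str]:
    """All dNSName entries from the subjectAltName extension."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(peercert: dict) -> Optional[str]:
    """commonName from the subject; consulted only when there are no dNSName SANs."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def check_hostname(peercert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, explanation).  Mirrors the verifier behaviour behind the Java
    message in the thread: dNSName SANs, when present, are authoritative and the
    CN is ignored; the CN is used only if the certificate has no dNSName SANs."""
    names = san_dns_names(peercert)
    if names:
        for name in names:
            if dns_name_matches(name, hostname):
                return True, f"{hostname} matches SAN dNSName {name}"
        return False, (f"No subject alternative DNS name matching {hostname} found; "
                       f"certificate offers: {', '.join(names)}")
    cn = subject_cn(peercert)
    if cn and dns_name_matches(cn, hostname):
        return True, f"{hostname} matches subject CN {cn} (no SAN present)"
    return False, f"no SAN present and subject CN {cn!r} does not match {hostname}"


def probe(host: str, port: int = 636, cafile: Optional[str] = None) -> Tuple[bool, str]:
    """Connect to a live LDAPS port, validate the chain against cafile (the AD CA
    certificate already trusted on the VA) but leave the hostname check to
    check_hostname(), so the handshake completes and the certificate the DC
    actually presents can be inspected.  Needs network access; not exercised by
    the offline demo below."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # name check is done by check_hostname()
    ctx.verify_mode = ssl.CERT_REQUIRED # chain must still validate
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_hostname(tls.getpeercert(), host)


# Constructed peer-certificate dictionaries (getpeercert() shape), not captured
# from a real domain controller.  dc01 is a hypothetical DC hostname.
CERT_DC_NAME_ONLY = {
    "subject": ((("commonName", "dc01.pista.ges.ferlan.it"),),),
    "subjectAltName": (("DNS", "dc01.pista.ges.ferlan.it"),),
}
CERT_WITH_DOMAIN_NAME = {
    "subject": ((("commonName", "dc01.pista.ges.ferlan.it"),),),
    "subjectAltName": (
        ("DNS", "dc01.pista.ges.ferlan.it"),
        ("DNS", "pista.ges.ferlan.it"),
    ),
}

if __name__ == "__main__":
    for label, cert in (("DC name only", CERT_DC_NAME_ONLY),
                        ("DC name + domain name", CERT_WITH_DOMAIN_NAME)):
        ok, why = check_hostname(cert, "pista.ges.ferlan.it")
        print(f"{label:22s} -> {'OK  ' if ok else 'FAIL'}: {why}")
```

From a host that can reach the DC, `probe("pista.ges.ferlan.it", 636, cafile="/path/to/ad-ca.pem")` (path is an assumption) reports the SAN names the server presents and whether the configured name is among them; that tells you whether the fix is a new certificate with the extra SAN entry, or simply configuring the connector with a name the existing certificate already covers. Disabling `check_hostname` here is for diagnosis only; the connector itself must keep hostname verification on.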

Hello @s_tartaglione,

I agree with @ts_fpatterson: the current error you’re encountering is due to the SSL handshake. This means your SSL is compromised due to a mismatch in the binary code and hashing process that happens under the hood.

It’s critical that you do the following step:
The certificate should be installed on the AD server, and you must then re-export its public key and import it into the Java Truststore (cacerts) on your VA.

Hi @s_tartaglione,

You are facing the issue with the new domain because it is not part of the certificate you have installed on the Virtual Appliance. What you can do is ask your AD team to have the Domain controller also added as an alias in the current certificate and, once updated, place it on the VA. This should fix the issue.

Thanks
