Errors returned from IQService. Buffer cannot be null. Parameter name: buffe

Hi all,

I am setting up gMSA account in place of service account for IQService.

I have already set up gMSA account as IQService logon user and is able to retrieve the password. The service is up and running.

I have completed following steps per the documentation of sailpoint for gMSA account setup.

On IQService Server Side:

  1. Confirm IQService set to Non TLS port.
  2. Use gMSA account as IQService Logon User. Provide necessary permissions.

**On IIQ AD application configuration side:**

  1. IQService Configuration: Provide only IQService Host and IQService Port information. (Port to be used for non TLS). Uncheck “Use TLS” flag.

  2. Provide Forest Configuration and Domain Configuration with user field as gMSA account. Check “Use gMSA as a Service Account” and Authentication and Security as Strong (SASL). Other fields as required.

  3. Fill other required details and perform Test Connection.

Upon test connection, I am ending up with Detected password less authentication, but failed to retrieve passwords with error: Exception occurred while executing the RPCRequest: Errors returned from IQService. Buffer cannot be null. Parameter name: buffer

I referred to this troubleshooting post but it did not help much: Support Articles - IQService test connection fails with "Error: Buffer cannot be null" - Customer Support

Has anyone faced and resolved such an issue?

@rabshrestha Can you check which user you registered while installing IQService? If it is not your gMSA, then unregister it. Then try to do the test connection.

Thanks,

Sivaprakash.

@rabshrestha This seems to be an issue with IQService Registration. As you are using gMSA, you need to make sure IQService also registered with the same gMSA name.

Based on other articles, if you have Strong SASL configured then the communication relies on a valid Service Principal Name. Please check if SPN is missing or duplicated. It should be set to your gMSA username.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

Hi Neel,

upon registering the gMSA account for IQService and doing a test connection, we now have an error as follows:

Detected password less authentication, but failed to retrieve passwords with error: Exception occurred while executing the RPCRequest: Errors returned from IQService. Client Authentication Failed: Please validate your credentials and IQService Configuration

Hi Siva,

Upon registering the gMSA account on IQService, we come up with new test connection error:
Detected password less authentication, but failed to retrieve passwords with error: Exception occurred while executing the RPCRequest: Errors returned from IQService. Client Authentication Failed: Please validate your credentials and IQService Configuration

Hi Neel, upon executing the command Get-ADServiceAccount -Identity “” | Select-Object *, I have the following values, where UPN and SPN are empty. Could this be the root cause?

I have the previous service account and gMSA account both registered for IQService. I have set the gMSA as the IQService logon user as well. The gMSA account also has r/w permissions on the IQService folder too.

These are my UI configurations:

@rabshrestha You have misunderstood. I asked you to unregister if it's not your gMSA.
You should register IQService with gMSA to make it work. Also, you should add UPN to your account. Refer below:

Hi Siva,

I have unregistered other accounts and only kept the gMSA account. We have the UPN for the gMSA account and set it in the UI configuration for domain and forest configurations. The gMSA has been given full control permission on the IQService installation folder and full control on the IQService registry instance.

The test connection gives the client authentication error.

Hi @rabshrestha Try this format: domainname\serviceaccount (i.e., sailpoint\Administrator). If you are still getting the authentication error, I would suggest you log into the IQService machine using the service account to see if you are able to log in. I hope it works.

Thanks,

PVR.

I believe the issue is related to the IQService user (service account) configuration. The IQService user must not be left blank when using a gMSA.
When a gMSA is used, an IQService service account is required, and it must have password retrieval permissions for the gMSA account.

Complete the following steps and then try to connect:

  1. Use the service account as the IQService user, and enter the password for the same service account in the password field.

  2. Grant the gMSA account password retrieval access to the IQService user (Service account).

  3. Register the IQService user (Service account) on the IQService server (if this has not already been done).
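The replies above point at two things that can be verified directly in Active Directory: whether the gMSA's SPN/UPN is missing or duplicated, and which principals are allowed to retrieve its managed password. The following read-only checks are an added example, not part of any post in this thread and not SailPoint code; `PLACEHOLDER-gmsa` is a placeholder account name, and the script assumes the ActiveDirectory RSAT module and that it is run on the IQService server.

```powershell
# Added example: read-only checks for a gMSA used as the IQService account.
# Assumptions: ActiveDirectory module installed; run on the IQService server.
Import-Module ActiveDirectory

$GmsaName = 'PLACEHOLDER-gmsa'   # placeholder: gMSA name without the trailing '$'

$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties `
    ServicePrincipalNames, UserPrincipalName, PrincipalsAllowedToRetrieveManagedPassword

# 1. UPN and SPN values (the thread reports both empty on the account).
[pscustomobject]@{
    Account = $gmsa.SamAccountName
    UPN     = $gmsa.UserPrincipalName
    SPNs    = ($gmsa.ServicePrincipalNames -join '; ')
} | Format-List

if (-not $gmsa.ServicePrincipalNames) {
    Write-Warning "No SPN is set on $($gmsa.SamAccountName)."
}

# 2. Duplicate SPNs: the same SPN on more than one object breaks Kerberos.
#    This searches the current domain only; 'setspn -X' checks for duplicates too.
foreach ($spn in $gmsa.ServicePrincipalNames) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                    -Properties sAMAccountName)
    if ($owners.Count -gt 1) {
        Write-Warning "SPN '$spn' is registered on: $($owners.sAMAccountName -join ', ')"
    }
}

# 3. Principals allowed to retrieve the managed password.
#    Keep this list as small as possible: every entry can obtain the gMSA credential.
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    Get-ADObject -Identity $_ -Properties sAMAccountName |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName
}

# 4. Can this computer actually use the gMSA? Returns $true or $false.
Test-ADServiceAccount -Identity $GmsaName
```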

@rabshrestha Is this issue still open? Have you tried the above-mentioned recommendations?

I am having the same issue in the new version - I just don't get the option to enter a password during registration of the IQService user account

Having the same trouble here, unable to see the password entry prompt in the IQService server

I am able to log in with the service account into the IQ box so the password is good - the UAC just does not pop up to enter the password during registration

@GKACHALIA You just need to register the user with domain/username. No need to enter a password. IIQ will send a request with credentials to bind the user to make necessary AD calls.
