Hello Experts,

I am testing the IIQ AD - TLS connection after disabling the NTLM policies on the IQService server and am getting this error. Please shed some light on it. I am also trying to understand how IIQ connects to the IQService: does it use NTLM in the backend even though TLS is enabled?

04/18/2023 14:07:04 : RpcHandler [ Thread-5 ] ERROR : "Client Authentication failed with :System.ApplicationException: Client authentication failed with error - Incorrect function
   at sailpoint.tools.Impersonator.validateClient(String user, String password, Boolean isReturnError)
   at sailpoint.rpcserver.RpcHandler.authenticateClient(String user, String password)"
04/18/2023 14:07:04 : RpcHandler [ Thread-5 ] INFO : "OutgoingResponse:
<?xml version="1.0" encoding="utf-8"?>
<RpcResponse version="1.0" requestId="c187d500-601a-41c8-b324-e88807383fce" complete="true">
      <String>Client authentication failed with error - Incorrect function</String>

NTLM is used to authenticate IIQ to the IQService via the IQService service user (as seen in your AD config's IQService Configuration) as a method of ensuring that the incoming request is properly authenticated. All TLS handles is ensuring that the connection between the IIQ app servers and IQService is encrypted in transit.

See the Client Authentication and TLS sections here: https://community.sailpoint.com/t5/Other-Documents/IQService/ta-p/158011
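As an added example (not part of the original thread and not SailPoint's code), the PowerShell script below, run on the IQService host, lists the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies that the question refers to, and pulls the "Client authentication failed" entries out of the IQService log so they can be correlated with the policy state. The log path and the number of lines scanned are assumptions and should be adjusted to match the installation.

```powershell
# Added example, not SailPoint code. Shows the NTLM policy state on the IQService
# host and the recent client-authentication failures in the IQService log.
param(
    [string]$LogPath = 'C:\SailPoint\IQService\IQService.log',   # assumed location, adjust
    [int]$Tail = 2000                                            # how many trailing log lines to scan
)

# Registry values that back the NTLM-related security policies. Meanings follow
# the documented enumerations for each setting.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'
       Meaning = @{ 0 = 'Send LM & NTLM responses'
                    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
                    2 = 'Send NTLM response only'
                    3 = 'Send NTLMv2 response only'
                    4 = 'Send NTLMv2 response only, refuse LM'
                    5 = 'Send NTLMv2 response only, refuse LM & NTLM' } }
)

function Get-NtlmPolicyState {
    # Returns one object per setting; a missing value means the policy is not configured.
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $value
            Meaning = if ($null -eq $value) { 'Not configured (default)' } else { $c.Meaning[$value] }
        }
    }
}

function Find-IQServiceAuthFailures {
    # Parses RpcHandler ERROR lines of the form seen in the thread:
    # 04/18/2023 14:07:04 : RpcHandler [ Thread-5 ] ERROR : "Client Authentication failed with :...
    param([string]$Path, [int]$Last = 2000)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Log not found: $Path"; return }
    $pattern = '^(?<ts>\S+ \S+) : RpcHandler \[ (?<thread>[^\]]+) \] ERROR : "Client Authentication failed with :(?<detail>.*)$'
    Get-Content -Path $Path -Tail $Last |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                Time   = $m.Groups['ts'].Value
                Thread = $m.Groups['thread'].Value
                Detail = $m.Groups['detail'].Value.Trim()
            }
        }
}

'NTLM policy on this host (IQService authenticates the IIQ client with NTLM; TLS only encrypts the channel):'
Get-NtlmPolicyState | Format-Table -AutoSize

$incoming = Get-NtlmPolicyState | Where-Object Setting -eq 'RestrictReceivingNTLMTraffic'
if ($null -ne $incoming.Value -and $incoming.Value -ge 1) {
    Write-Warning "Incoming NTLM is restricted ($($incoming.Meaning)); the NTLM client authentication IIQ performs against IQService will be rejected while this is in force."
}

"Recent 'Client authentication failed' entries in ${LogPath}:"
Find-IQServiceAuthFailures -Path $LogPath -Last $Tail | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IQService server; reading the Lsa keys does not need elevation, but the IQService log directory usually does. If RestrictReceivingNTLMTraffic shows 1 or 2 at the same time the log shows the authentication failures, the policy, not TLS, is what is blocking the IIQ connection.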

Thanks Brian, so that means NTLM is a must to communicate between IIQ and IQService? I was thinking TLS is the alternative to NTLM, and that once we disable NTLM, IIQ should use TLS to connect to the IQService. Is that not correct?

Thanks Kevin, this is very helpful. If I am not wrong, you modified the IQService .dll files provided by SailPoint?

Thanks a lot Kevin, I will follow up with our CSM.