I am testing the IIQ AD - TLS connection after disabling the NTLM policies on the IQService server and am getting this error. Please shed some light. I am also trying to understand how IIQ connects to the IQService: does it use NTLM in the backend even though TLS is enabled?
04/18/2023 14:07:04 : RpcHandler [ Thread-5 ] ERROR : "Client Authentication failed with :System.ApplicationException: Client authentication failed with error - Incorrect function
at sailpoint.tools.Impersonator.validateClient(String user, String password, Boolean isReturnError)
at sailpoint.rpcserver.RpcHandler.authenticateClient(String user, String password)"
04/18/2023 14:07:04 : RpcHandler [ Thread-5 ] INFO : "OutgoingResponse:
<?xml version="1.0" encoding="utf-8"?>
<RpcResponse version="1.0" requestId="c187d500-601a-41c8-b324-e88807383fce" complete="true">
<RpcErrors>
<List>
<String>Client authentication failed with error - Incorrect function</String>
</List>
</RpcErrors>
</RpcResponse>"
NTLM is used to authenticate IIQ to the IQService via the IQService service user (as seen in your AD config's IQService Configuration) as a method of ensuring that the incoming request is properly authenticated. All that TLS handles is ensuring that the connection between the IIQ app servers and IQService is encrypted in transit.
Thanks Brian, that means NTLM is a must to communicate between IIQ and IQService? I was thinking TLS is the alternate for NTLM, and once we disable NTLM, IIQ should use TLS to connect to the IQService. Is that not correct?