I am currently onboarding a Windows Local connector in SailPoint IdentityNow / ISC. During the Test Connection step, I receive the following error:
Exception occurred while executing the RPCRequest: Errors returned from IQService.
The specified username is invalid.
Here are the details:
I have IQService installed on a separate Windows server, and this same IQService instance is successfully handling another Active Directory source with no issues.
For the new Windows Local source, I am able to log into the target server using remote login (RDP) with the exact same credentials configured in the source.
However, the Test Connection in SailPoint fails with the error shown above.
My question: Is it mandatory to install IQService directly on each Windows server being onboarded as a Windows Local source?
Or should it be possible to use the same IQService instance on a different server to connect to multiple Windows Local endpoints?
Any guidance or clarification would be greatly appreciated. Thanks!
No — IQService does NOT need to be installed on every Windows server.
A single IQService instance can manage multiple Windows Local sources, BUT it must be able to authenticate locally on each target machine using valid credentials in the correct format.
Can you please confirm the username format that you are using is the same as below:
Yes, I have used the username in the DOMAIN\username format.
To validate the connector behavior, I tested the Windows Local (OOTB) connector against the Windows server where IQService is actually installed, and the Test Connection succeeds without any issues.
However, when I try to onboard another Windows server using the same connector and IQService instance, the Test Connection fails with the error mentioned earlier:
“Errors returned from IQService. The specified username is invalid.”
The same account is able to log in interactively and RDP into the target server without any problems, so the credentials are confirmed working.
Let me know if there are any additional configuration steps required for connecting to multiple servers through a single IQService instance.
IQService is not running on the machine being tested, so the credential validation fails before even verifying the username.
For any Windows Local source:
IQService must be installed and running locally on each Windows server whose local accounts you want to manage.
You can still use the same IQService service account, but you need one installation per target server.
This is explicitly stated in SailPoint’s design guidelines for Windows Local provisioning.
You can manage multiple Windows Local sources from the same physical server, but only if that server is the actual endpoint.
Cross‑server provisioning is not supported.
Important
IQService installation now enforces TLS configuration by default to improve security and safeguard your environment. To proceed with the installation, ensure you have completed the necessary prerequisites for TLS configuration. For more information, refer to Configuring TLS and Client Authentication for IQService.
Start the remote registry service on the managed system.
Allow an exception for File and Printer Sharing in the Windows firewall.
Ensure that the account being used to configure the connection has Administrator privileges on the Windows host machine.
Deselect Disable NonLocal Lookup and Disable Qualifying Local Objects before running the account aggregation to provision the non-local (domain) users. See Advanced Settings for configuration.
Please install IQService and try testing it again and see if it resolves your issue.
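The prerequisites listed in the post above (Remote Registry, the File and Printer Sharing firewall exception, local Administrator rights) can be checked on the managed server with a read-only script. This is an added example, not part of the thread or of SailPoint's documentation; the account name `EXAMPLE\svc-connector` is a placeholder, and the firewall group name assumes an English-language Windows installation.

```powershell
# Run in an elevated PowerShell 5.1+ session on the managed Windows server.
# Read-only: reports the state of each prerequisite and changes nothing.
param(
    # Placeholder: the account configured in the Windows Local source.
    [string]$ConnAccount = 'EXAMPLE\svc-connector'
)

$results = [ordered]@{}

# 1. The Remote Registry service must be started.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$results['RemoteRegistry running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. File and Printer Sharing needs at least one enabled inbound allow rule.
#    DisplayGroup is localized; this name assumes an English-language OS.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$results['File and Printer Sharing allowed'] = @($rules).Count -gt 0

# 3. The connection account must hold Administrator privileges on this host.
#    S-1-5-32-544 is the well-known SID of the built-in Administrators group,
#    which avoids depending on the localized group name.
#    Only direct membership is checked; membership through a nested domain
#    group will show as MISSING here and has to be confirmed separately.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$results['Account in local Administrators'] =
    @($members | Where-Object { $_.Name -eq $ConnAccount }).Count -gt 0

# Print one line per prerequisite.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

A `MISSING` line points at the prerequisite to fix before repeating Test Connection; the script does not test IQService itself or its TLS configuration.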