Need help to set up IQService on a new Windows server

Hi Developers,

Requirement: Set up IQService on a new Windows server. The Domain Controller, VA, AD service account, and IQService service account will remain the same.

Application/Connector Type: Active Directory.

Errors:

  1. Timeout error while testing the connection.
  2. Connection reset error detected from the managed system Error Received : Connection reset.

Actions Taken:

  1. Installed IQService and added the service account for logon.
  2. Added the new server to the VA “host.yaml” file list.
  3. Verified that TLS is open and listening.
  4. Ensured the port is open through the firewall.
  5. Installed the X.509 certificate on the IQService server and in the VA certificate directory.
  6. Installed the domain controller certificate in the new server’s “trusted root directory.”

Thank you in advance for your help. I really appreciate it.

Regards,
Vatan

Try to restart your iqservice to enable debug logging:

IQService.exe -l 3

Try your test again and look at your log files to see if there are additional errors.


What are your verification procedures for 3 and 4?

Hi @agutschow,
Thank you for the response.
I got the below error message from IQService:

03/13/2025 15:03:47 : ServiceEntryPoints [ Thread-5 ] DEBUG : "ENTER OnStart"
03/13/2025 15:03:47 : ServiceEntryPoints [ Thread-5 ] INFO : "Listening on TLS port 5252 and non-TLS port 5052"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "TCP Listener createdSystem.Net.Sockets.TcpListener"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "TLS TCP Listener createdSystem.Net.Sockets.TcpListener"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "Listening Non - TLS thread created"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "Listening TLS thread created"
03/13/2025 15:03:47 : ServiceEntryPoints [ Thread-5 ] INFO : "Checking and starting UpdateService if configured for the IQService instance..."
03/13/2025 15:03:47 : ServiceEntryPoints [ Thread-5 ] DEBUG : "EXIT OnStart"
03/13/2025 15:50:15 : RpcServer [ Thread-8 ] DEBUG : "listening on port : 5252"
03/13/2025 15:50:15 : RpcServer [ Thread-8 ] DEBUG : "Execution registry has [0] items."
03/13/2025 15:50:15 : Util [ Thread-8 ] DEBUG : "After Splitting : DNS Name=******.com"
03/13/2025 15:50:15 : RpcHandler [ Thread-8 ] **ERROR : "An Exception occurred while accepting new client requestSystem.Exception: No matching certificate found for MYCERT at sailpoint.rpcserver.RpcHandler..ctor(Hashtable services, Hashtable registry, TcpClient client, String port, Boolean useTLS, String subject, String tlsVersion, String registeredClients, String serialNumber)"**
03/13/2025 15:50:15 : RpcHandler [ Thread-8 ] DEBUG : "ENTER Close"
03/13/2025 15:50:15 : RpcHandler [ Thread-8 ] DEBUG : "EXIT Close"
03/13/2025 15:50:15 : RpcServer [ Thread-8 ] DEBUG : "New Listener Thread Created..."

Could you please help with this?

Thanks
Vatan

Hi Terry

Here is some log trace that confirms it:
03/13/2025 15:03:47 : ServiceEntryPoints [ Thread-5 ] INFO : "Listening on TLS port 5252 and non-TLS port 5052"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "TCP Listener createdSystem.Net.Sockets.TcpListener"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "TLS TCP Listener createdSystem.Net.Sockets.TcpListener"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "Listening Non - TLS thread created"
03/13/2025 15:03:47 : RpcServer [ Thread-5 ] INFO : "Listening TLS thread created"

Regards
Vatan

That would only confirm step 3 locally. How’s step 4 ensured?

Hi Terry

The port is open; this is confirmed by our IT networking team. They have sent me a screenshot for confirmation, but due to security concerns I cannot share it here.

But yes, the port is open!

Thanks

Is there a firewall between IQService and the GC and / or DCs? (be it a hardware and / or software firewall)

Hi Terry

Nothing besides Windows Firewall.

Thanks
Vatan

I am seeing the "No matching certificate found" error in your log, so it seems the issue is with the cert. Make sure you have separate certs for each DC if you have multiple DCs. Try installing the X.509 certificate in the Personal folder on the IQService server.
Do you have an LB for IQService? If so, make sure you are referring to the LB in the Source settings and referring to the correct cert on the IQService server by using the -m option. Also make sure you have installed IQService with the TLS option.

Try running the aggregation; if it succeeds, that will narrow the issue down to the IQService servers.

@Vatanjain11, have you tried the below commands from the VA?
./tb nc -zv -w 5 <domain-controller-ip> 636
openssl s_client -connect <domain-controller-ip>:636

Check whether you are able to connect from the VA using these commands.

Thank you, Suresh.
Your suggestion sparked a new idea.
When I checked my VA SSL, it was pointing to the old cert.
I then fixed it through the -m command and it worked.

Thank you so much.
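
As an added example (not code from this thread, from SailPoint, or from any poster), a small POSIX shell script that ties together Suresh's connectivity checks and Shantanu's point about the -m subject: it confirms the TLS port is reachable and that the certificate the listener presents carries the subject CN IQService was started with, which is the mismatch behind "No matching certificate found" when a VA still references an old cert. Host, port and CN values are placeholders, and the `nc`/`openssl` calls are only made when the script is given arguments.

```shell
#!/bin/sh
# Constructed example: verify the certificate presented on the IQService TLS port
# (5252 in this thread) carries the subject CN configured with IQService's -m option.
# Placeholder values only; on the VA, nc is invoked as "./tb nc" per the thread.

# Pull the CN out of an "openssl x509 -noout -subject" line. Handles both the
# "subject=CN = host, O = Org" and the older "subject=/O=Org/CN=host" layouts.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*[=/, ]CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Pull the serial out of an "openssl x509 -noout -serial" line ("serial=0A1B2C").
cert_serial() {
    printf '%s\n' "$1" | sed -n 's/^serial=\(.*\)$/\1/p'
}

# 0 when the presented subject CN equals the expected -m subject;
# 1 when it differs or no CN is present (the "No matching certificate" case).
cn_matches() {
    cn=$(subject_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Live checks (need network access; not exercised by the self-test below):
# is the TLS port reachable, and what subject/serial does the listener present?
port_reachable() {
    nc -zv -w 5 "$1" "$2" >/dev/null 2>&1
}

presented_cert_info() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -serial 2>/dev/null
}

# Usage: sh check_iqservice_cert.sh iqservice.example.com 5252 "expected-subject-cn"
if [ "$#" -eq 3 ]; then
    port_reachable "$1" "$2" || { echo "port $2 on $1 not reachable"; exit 2; }
    info=$(presented_cert_info "$1" "$2")
    subj=$(printf '%s\n' "$info" | grep '^subject=')
    if cn_matches "$subj" "$3"; then
        echo "OK: presented CN matches -m subject ($3), serial $(cert_serial "$(printf '%s\n' "$info" | grep '^serial=')")"
    else
        echo "MISMATCH: listener presents '$subj' but IQService expects CN '$3' (check for an old cert on the VA)"
        exit 1
    fi
fi
```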


Thanks, Shantanu, for your suggestion.
