Pros and cons of using AD connector without iqservice?

jsosa · March 15, 2024, 5:59pm

Hi! We configured some AD source with iqservice, which test trhowed an error that I will copy at the end of the post.

We ended open a support case, where they told us to clear iqservice configuration, and it really worked. Now I am guessing that IDN is going to AD directly from VA, without using IQService, am I right? If so, does this represent a limitation on connector functionality?

Client has 3 domains, the first one was configured by Sailpoint and works fine through IQService. Other 2 domains only works with blank iqservice configuration (each domain has a dedicated iqservice server). If we fill iqservice information, test throws:

[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that: a) SearchDN is valid. b) The user is active. c) The user is not locked. d) Domain certificate is available in trusted root folder on IQService machine if Domain Configuration TLS is enabled. [ Error details ] Exception occurred while executing the RPCRequest: Errors returned from IQService. "Failed to connect to the server for dc=xxxx,dc=yyyy:The specified directory service attribute or value does not exist. The specified directory service attribute or value does not exist. . HRESULT:[0x8007200A]Failed to connect to the server for dc=xxxx,dc=yyyy:The specified directory service attribute or value does not exist. The specified directory service attribute or value does not exist. . HRESULT:[0x8007200A]"

jsosa · March 15, 2024, 6:03pm

Just to clarify, both AD and IQService configurations are in clear text with default ports (389, 5050). Ping and telnet from IQService to AD 389 works, ping and telnet from VA to IQService 5050 works, user configuration is right (verified in the fact that we can connect to AD without iqservice), and the service user used for both forest/domain/iqservice configuration is member of domain admins group.

Anyway, the intention of this post entry is to know if iqservice makes a diference at the moment of performing connector capabilities, not to troubleshoot this error.

jesvin90 · March 18, 2024, 6:56am

Hi @jsosa,

As long as you have added the IQ service configuration in the connector, the Test connector operation validates the direct connection as well as the connection through IQService. A blank IQ service config value skips the IQService connectivity check.

The aggregation operation runs through the direct connection through VA and you really don’t require the IQ service for this read operation.

IQ service comes into picture when you actually start writing into AD, which is your provisioning activity.

system · May 17, 2024, 6:57am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Active directory connector IIQ Discussion and Questions identityiq , connectors	21	1980	March 5, 2024
IDN Active Directory connector gMSA ISC Discussion and Questions identity-security-cloud , connectors	4	92	January 3, 2025
Does IQService required for Provisioning using Azure AD connector? ISC Discussion and Questions identity-security-cloud , provisioning	7	501	January 9, 2024
Demo tenant cannot connect to IQService ISC Discussion and Questions identity-security-cloud	8	593	May 25, 2024
Identity now connector error ISC Discussion and Questions	2	757	June 30, 2022

Pros and cons of using AD connector without iqservice?

Related topics