We have Password Interceptor installed on our Domain Controllers, and when we checked the logs we are receiving the error below:
ERROR : “WebException raised! The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Status:TrustFailure”
We are not sure how we can resolve this issue. The password change on AD is not syncing to our IdentityIQ because of the error above.
Based on what we found online, it has something to do with the IdentityIQ server's self-signed certificate, but we are not sure where to check and get that cert.
You have a problem with the certificate. It could be expired or missing. Also, if you have an SSL connection with AD, you must import the cert on SailPoint too.
About your problem, you can find a reply on this page: PWI
The easiest way to find out if the certificate is ok is to open a browser on the DC and navigate to your SailPoint instance. If there is a certificate issue, the browser will notify you. From that notification, you should even be able to trust the certificate by adding it to the trusted certificate store in Windows. If you then refresh the page and the browser stops complaining, the password interceptor should work as well.
The screenshot you sent is what we found as well after typing "WebException raised". We can't figure out which certs need to be renewed. Will this be under the Task or UI server? Do you have an example of where your PWI cert is located?
PWI is installed on a Windows server, so you can install the cert at server level.
On the SP side, you must have the cert on the Task servers, because they are the principal executors of everything, but in my opinion you can install it on the UIs too.
Also, it is good practice to install the certificate on Apache: Apache cert
In any case, if you want a secure connection with AD, you must install certs at every point of the chain:
IIQ->PWI->AD or IIQ->IQService->AD
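As an added example (not code from the thread or from SailPoint), the following PowerShell, run on the Domain Controller that hosts Password Interceptor, reproduces the trust decision that PWI's HTTPS client makes: it opens a TLS connection to the IdentityIQ URL, reports the certificate's subject, issuer, expiry and the exact policy error .NET raises (chain error for a self-signed or unknown-CA cert, name mismatch if the URL's hostname is not on the cert), and can optionally add the presented certificate to the machine-wide trusted root store. The function name and the URL are assumptions.

```powershell
# Added example (not from the thread or from SailPoint): run on the Domain Controller
# that hosts Password Interceptor to see the same trust decision PWI's HTTPS client makes.
# $Url is a placeholder for your IdentityIQ URL; the function name is hypothetical.
function Test-IiqCertificateTrust {
    param(
        [Parameter(Mandatory)][string]$Url,   # e.g. https://iiq.example.com:8443/identityiq (placeholder)
        [switch]$ImportToLocalMachineRoot     # opt in to trusting the presented cert machine-wide
    )
    $uri = [Uri]$Url

    # Record the policy errors the .NET validator reports, but accept the handshake
    # so the certificate itself can be inspected and reported.
    $script:pwiPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $sslPolicyErrors)
        $script:pwiPolicyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($uri.Host)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    $trusted = ($script:pwiPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    if ($ImportToLocalMachineRoot -and -not $trusted) {
        # PWI runs as a service, so the machine store is what it consults; trusting the cert
        # in a browser only touches the logged-on user's store. Needs an elevated shell.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($serverCert)
        $store.Close()
    }

    [pscustomobject]@{
        Host         = $uri.Host
        Port         = $uri.Port
        Subject      = $serverCert.Subject
        Issuer       = $serverCert.Issuer
        NotAfter     = $serverCert.NotAfter
        Expired      = ($serverCert.NotAfter -lt (Get-Date))
        PolicyErrors = $script:pwiPolicyErrors   # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch, ...
        Trusted      = $trusted
    }
}

# Usage (placeholder URL): the first call reports the problem; the second trusts the cert,
# after which a re-run should show Trusted = True.
Test-IiqCertificateTrust -Url 'https://iiq.example.com:8443/identityiq'
Test-IiqCertificateTrust -Url 'https://iiq.example.com:8443/identityiq' -ImportToLocalMachineRoot
```

Two things to check in the output before importing anything: if PolicyErrors shows RemoteCertificateNameMismatch, the fix is to point PWI at a hostname that is actually on the certificate (or reissue the cert with that name), not to trust the cert; and if the IdentityIQ cert was issued by your own internal CA, import that CA's certificate into LocalMachine\Root instead of the server's leaf certificate, so the trust survives the next renewal.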
We tried and were able to fix the cert, but the password is still not syncing from PWI to SailPoint, even after I change my password through Active Directory.
We have 4 Domain Controller servers. The 1st Domain Controller is fine after the request went through for a password change. But when the request went through to the 2nd, 3rd and 4th Domain Controllers, we were getting the exceptions below. Looking for your input and a solution for the error below.
“WebException raised! The remote server returned an error: (401) Unauthorized. Status:ProtocolError”
“WebException details: User is unauthorized to access: /identityiq/rest/passwordIntercept”
Based on the attached recommendation from SailPoint, how do we resolve the first option?
“The user used during PWI installation should be able to login to the IdentityIQ from the Password Interceptor computer.”
The person who installed the service is able to log in to SailPoint from the Interceptor computer [Domain Controller].
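Since one Domain Controller works and three do not, the useful check is to send the same request PWI sends, with the account entered during PWI installation, from each of the four hosts and compare the answers. The PowerShell below is an added example (not from the thread or from SailPoint): it posts HTTP Basic credentials to the /identityiq/rest/passwordIntercept path quoted in the error and classifies the outcome, so a TLS trust failure, a 401 from the account, and a wrong URL are told apart. The function name, the placeholder URL and the use of a GET probe are assumptions; what matters is whether a given host gets a 401 or not.

```powershell
# Added example (not from the thread or from SailPoint): run on each Domain Controller that
# reports the 401, using the same account and URL configured for the PWI service.
# The function name, the placeholder URL and the GET probe are assumptions; the path
# /identityiq/rest/passwordIntercept is the one quoted in the error above.
function Test-IiqPwiAccount {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,           # e.g. https://iiq.example.com/identityiq (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential   # the account entered during PWI installation
    )
    $endpoint = $BaseUrl.TrimEnd('/') + '/rest/passwordIntercept'

    # Send HTTP Basic credentials up front rather than waiting for a challenge, so the
    # result reflects this exact account and not a fallback to the caller's Windows identity.
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $token   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $headers = @{ Authorization = "Basic $token" }

    try {
        $resp   = Invoke-WebRequest -Uri $endpoint -Method Get -Headers $headers -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
        $detail = ''
    } catch {
        # Windows PowerShell raises WebException, PowerShell 7 raises HttpResponseException;
        # both expose the response (when there was one) and the message text.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $detail = $_.Exception.Message
    }

    $verdict = switch ($status) {
        0 {
            if ($detail -match 'trust relationship') { 'TLS trust failure: fix the certificate on this DC first' }
            else { "No HTTP response: $detail" }
        }
        401     { 'Rejected as unauthorized: this account cannot use the endpoint from this host' }
        403     { 'Authenticated but forbidden: the account lacks rights on the endpoint' }
        404     { 'Path not found: check the IdentityIQ URL/context path configured in PWI' }
        default { "Endpoint reached past authentication (HTTP $status)" }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Endpoint   = $endpoint
        HttpStatus = $status
        Verdict    = $verdict
    }
}

# Usage (placeholder URL and account name): prompts for the PWI service account's password
Test-IiqPwiAccount -BaseUrl 'https://iiq.example.com/identityiq' -Credential (Get-Credential 'pwi-svc')
```

If the working DC and a failing DC return different verdicts for the same account and URL, the difference is on the host (the credential or URL stored by that PWI installation, or its certificate store), which is where to look next; if all four return 401 from this probe, the account itself is the problem, which matches SailPoint's recommendation that the installation user must be able to log in to IdentityIQ from the Interceptor computer.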