Article Content
Article Number | 000032468 |
Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.x |
Issue | When running the Authentication Test under Admin > System > Authentication for the Authentication Source associated with the AD Account Collector configured with UseSSL set to Yes, the test authentication fails with the following failure message: Connection could not be established with the directory server with username:{BindDN}
The following is logged in the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) at the DEBUG (or INFO) log level:
Please refer to RSA Knowledge Base Article 000030327 --- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log ffor your specific deployment if you are on a WildFly cluster or a non-WildFly platform. |
Cause | This error will occur if there is any configuration error that prevents a connection to the LDAP server. This error may occur if the trusted SSL session could not be established with the Microsoft AD LDAP server configured for the authentication source. The SSL trust for the authentication is set up separately from any configuration defined for the Identity Collector on which the authentication source is based. The authentication source can use SSL even if the Identity Collector is using clear, for example. If the authentication source is defined with UseSSL set to Yes, then ensure that the root CA and all of the intermediate signers for the certificate that are used by the AD LDAP sever are trusted in the internal trust store for the JRE used by the RSA Identity Governance & Lifecycle server. If the LDAP server certificate is signed by a public CA that is trusted already in the JRE cacerts store, this may not be necessary, but for all certificates signed by any other root CA you must trust the root CA and the entire certificate chain specifically. |
Resolution | Use the Java keytool command to add the AD root CA to the cacerts trust store for the JRE used by the RSA Identity Governance & Lifecycle WildFly server. The location of the cacerts file may vary according to the Linux distribution. SUSE LinuxFor SUSE Linux the cacerts file is typically located in
|
Notes | For additional SSL debugging option and advanced troubleshooting for SSL certificates and truststore see RSA Knowledge Base Article 000033388 -- How to enable SSL debug when using a WildFly/JBoss application server with RSA Identity Governance & Lifecycle. Note that the AD Account Collector Authentication configuration screen has separate configuration information from the AD Account collector. You must specify all settings including the BindDN and BindPassword separately from those defined for the associated collector. This information does not have to be identical to those used by the collector. Note that if the connection information defined for the authentication source is different from that defined for the collector, it is possible for a connection failure to be limited to only the authentication component. The failure message: Connection could not be established with the directory server with username:{BindDN} pertains specifically to the initial bind connection attempted using the bind information provided on the Edit Authentication Source configuration screen, and if this connection fails, no attempt is actually made to bind with the test user. The BindDN accepts any format for the username that is accepted over LDAP. Note that if the name contains spaces, the name should be quoted, and if it contains special characters, they should be escaped. For example: username@domain.com |