Aleks,
The Root CA should work, and Mostafa's KB on how to verify is probably the first place to check to make sure the Cert is the right one.
Other trouble-shooting techniques are to use LDAPsearch to browse Active Directory on the Domain Cotroller and TCPDump.to capture network traffic from Auth Manager to the DC, to see if the encryption/protocols are negotiated successfully or if the the Request is simply rejected by the DC.
For TCPDump
SSH to the Virtual Appliance with the operating system account rsaadmin.
sudo su -
<same password again> This makes you root
# cd /usr/sbin
./tcpdump -i eth0 -s 1514 -Z root port 389 -w /tmp/ldap.pcap
./tcpdump -i eth0 -s 1514 -Z root port 636 -w /tmp/ldaps.pcap
chmod 777 /tmp/ ldap*.pcap This grants full permissions to everyone, makes it easy to copy file off with WinSCP and use WireShark to analyze. If you need to open a case and send us the packet capture.
for LDAPsearch, Open a second SSH and type the following command lines:
sudo su root
cd /usr/bin
Note: Type the following command but changing according to customer’s environment.
./ldapsearch -h { Windows_Domain_Controller} -D { LDAP_UserID } -w { LDAP_UserID_Password } -b {Windows_Domain} -s sub "(objectcategory=person)" sn givenname samaccountname
I am providing the following example from my Lab for your reference.
Variables:
Windows_Domain_Controller = 2k8r2-dc1.2k8r2-vcloud.local
LDAP_UserID = administrator@2k8r2-vcloud.local
LDAP_UserID_Password = mypass99!
Windows_Domain = dc=2k8r2-vcloud,dc=local
./ldapsearch -h 2k8r2-dc1.2k8r2-vcloud.local -D administrator@2k8r2-vcloud.local -w mypass99! -b "dc=2k8r2-vcloud,dc=local" -s sub "(objectcategory=person)" sn givenname samaccountname
Hat tip to Sergio Dias for that LDAPsearch info.
