
AD connection not working in prod setup

Diwakar
Regular Contributor

We are using the attached AD connection for the prod setup, but it's not working and we get the error 'Error While Test connection: Connection Failed'. The exact same settings are working fine in the non-prod environment.

All required ports are open, there is no issue with the firewall either, and the AD prod IP has also been added to the DNS resolver against ticket (1632648). We have tried the connection with both the hostname and the direct IP address in the URL, but it's not working and we get different errors in the logs.

Attaching a log screenshot for your reference. Please assist.


sudeshjaiswal
Saviynt Employee

Hello @Diwakar 

Could you please check if the certificate is valid? If not, try adding the new certificate and get the service restarted. Please also share the relevant log, as the log attached above doesn't contain any relevant information about why the connection is failing.

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".

Hi Sudesh,

We have checked and the certificates are valid. We restarted the service, but it is still the same issue both ways (when the URL uses the hostname and when it uses the direct IP).

Below are the logs.


----Logs when using hostname as url-----------
2023-06-13T17:21:34+05:30-ecm-2023-06-13T11:51:33.56879427Z stdout F 2023-06-13 11:51:33,568 [http-nio-8080-exec-2] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldaps://SR31XXXX.ad.yXXX.com:636CN=adma938473,CN=T0_Users,CN=Administration,DC=ad,DC=yXXX,DC=com
2023-06-13T17:21:34+05:30-ecm-2023-06-13T11:51:33.56883727Z stdout F 2023-06-13 11:51:33,568 [http-nio-8080-exec-2] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldaps://SR31XXX.ad.yXXX.com:636
2023-06-13T17:21:34+05:30-ecm-2023-06-13T11:51:33.631180649Z stdout F 2023-06-13 11:51:33,630 [http-nio-8080-exec-2] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-13T17:21:34+05:30-ecm-2023-06-13T11:51:33.631202749Z stdout F javax.naming.CommunicationException: SR31023.ad.yXXX.com:636 [Root exception is java.net.UnknownHostException: SR31XXX.ad.yXXX.com]


----Logs when using Direct IP as url----------
2023-06-13T17:28:15+05:30-ecm-2023-06-13T11:58:14.840357835Z stdout F 2023-06-13 11:58:14,840 [http-nio-8080-exec-9] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldaps://10.102.1X.X:636CN=admaXXXX,CN=T0_Users,CN=Administration,DC=ad,DC=yXXXX,DC=com
2023-06-13T17:28:15+05:30-ecm-2023-06-13T11:58:14.840370235Z stdout F 2023-06-13 11:58:14,840 [http-nio-8080-exec-9] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldaps://10.102.18.5:636
2023-06-13T17:28:15+05:30-ecm-2023-06-13T11:58:14.924017817Z stdout F 2023-06-13 11:58:14,923 [http-nio-8080-exec-9] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-13T17:28:15+05:30-ecm-2023-06-13T11:58:14.924056217Z stdout F javax.naming.CommunicationException: 10.102.1X.X:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.102.1X.X found]

Please assist.

Thanks.

Diwakar
Regular Contributor

Please provide some update to this thread.

Thanks.

sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

The URL log indicates a DNS resolution issue.
The IP log indicates that it's a certificate issue (SSLHandshakeException), meaning the certificate is not valid.

Please get a clean restart of the services with the help of the Support Agent.

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".

Hi Sudhesh,

We did the clean restart with the help of the support agent yesterday, and today we tested the connection again, but it's still the same issue, and we get the same errors from both the URL and the direct IP in the logs.

Please suggest next.

Thanks.

sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

Have you had an opportunity to verify the connectivity using the non-SSL port 389 instead of the SSL port (636)? Were you able to establish a successful connection?

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".

Yes Sudesh, we already validated with the non-SSL port (389) as well, but again we are seeing the same error. Below is the log snippet for your reference.

----------------Logs-----------------------

2023-06-15T11:29:20+05:30-ecm-2023-06-15T05:59:19.888908149Z stdout F 2023-06-15 05:59:19,888 [http-nio-8080-exec-7] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldap://sr31****.ad.test.com:389CN=adma9*****,CN=T0_Users,CN=Administration,DC=ad,DC=test,DC=com
2023-06-15T11:29:20+05:30-ecm-2023-06-15T05:59:19.888929249Z stdout F 2023-06-15 05:59:19,888 [http-nio-8080-exec-7] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldap://sr31023.ad.test.com:389
2023-06-15T11:29:20+05:30-ecm-2023-06-15T05:59:19.908891726Z stdout F 2023-06-15 05:59:19,908 [http-nio-8080-exec-7] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-15T11:29:20+05:30-ecm-2023-06-15T05:59:19.908914426Z stdout F javax.naming.CommunicationException: sr31023.ad.test.com:389 [Root exception is java.net.UnknownHostException: sr31****.ad.test.com]


Please suggest next.

Thanks.

Hi @Diwakar ,

Have you tried using the direct IP via the non-SSL port? Is the error the same there?

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

Diwakar
Regular Contributor

Hi Naveen,

Yes, we also tried with the direct IP via the non-SSL port, but then we get a new error (LDAP ERROR CODE: 49). It's strange: if it were a password issue, then we should be getting the same error while using the URL as well, right? But with the URL against the non-SSL port we are seeing UnknownHostException.

----Logs----

2023-06-15T11:24:12+05:30-ecm-2023-06-15T05:54:11.512900651Z stdout F 2023-06-15 05:54:11,512 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldap://10.102.18.5:389CN=adma938XXX,CN=T0_Users,CN=Administration,DC=ad,DC=test,DC=com
2023-06-15T11:24:12+05:30-ecm-2023-06-15T05:54:11.512917851Z stdout F 2023-06-15 05:54:11,512 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldap://10.102.1X.X:389
2023-06-15T11:24:12+05:30-ecm-2023-06-15T05:54:11.57363306Z stdout F 2023-06-15 05:54:11,573 [http-nio-8080-exec-3] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-15T11:24:12+05:30-ecm-2023-06-15T05:54:11.57366496Z stdout F javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

Any further thought on this?

Thanks.

Diwakar
Regular Contributor

Hi Sudesh,

Our AD connection is working with the non-SSL port now with the newly updated CN, but it's still not working with the SSL port (636) with the root certificate which we added during our Zoom call. We also did a clean start from the Saviynt side, but it's still the same.

Below are the latest logs.

2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.263886558Z stdout F 2023-06-15 12:07:21,263 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - Connection is 9:: AD
2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.263944558Z stdout F 2023-06-15 12:07:21,263 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - enable_dclocator = false
2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.265360761Z stdout F 2023-06-15 12:07:21,265 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldaps://SR31023.ad.yara.com:636CN=SVC-Saviynt-ProdAD,OU=Service Accounts,OU=Administration,OU=Connect,DC=ad,DC=yara,DC=com
2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.265380461Z stdout F 2023-06-15 12:07:21,265 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldaps://SR31023.ad.yara.com:636
2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.283003397Z stdout F 2023-06-15 12:07:21,282 [http-nio-8080-exec-3] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-15T17:37:21+05:30-ecm-2023-06-15T12:07:21.283027197Z stdout F javax.naming.CommunicationException: SR31023.ad.yara.com:636 [Root exception is java.net.UnknownHostException: SR31023.ad.yara.com]

Please assist further.
Diwakar.

sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

Did you try using the IP, instead of the hostname?

Thanks,


If you find the above response useful, kindly mark it as "Accept As Solution".

Yes Sudesh, we tried with the direct IP (port 636) as well; with the IP we get an SSL handshake error. Below are the logs. So the only way it works is with the non-SSL port (389) and the direct IP. Also, as you saw in our troubleshooting session, we are using the correct certificate as well, so not sure why it's not working.

2023-06-15T20:42:56+05:30-ecm-2023-06-15T15:12:56.207016531Z stdout F 2023-06-15 15:12:56,206 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - server, managedn ldaps://10.102.XX.XX:636CN=SVC-Saviynt-ProdAD,OU=Service Accounts,OU=Administration,OU=Connect,DC=ad,DC=test,DC=com
2023-06-15T20:42:56+05:30-ecm-2023-06-15T15:12:56.207037532Z stdout F 2023-06-15 15:12:56,206 [http-nio-8080-exec-3] DEBUG ldap.SaviyntGroovyLdapService - Checking for url = ldaps://10.102.XX.XX:636
2023-06-15T20:42:56+05:30-ecm-2023-06-15T15:12:56.283299286Z stdout F 2023-06-15 15:12:56,282 [http-nio-8080-exec-3] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
2023-06-15T20:42:56+05:30-ecm-2023-06-15T15:12:56.283330986Z stdout F javax.naming.CommunicationException: 10.102.XX.XX:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.102.XX.XX found]

Please suggest.

sudeshjaiswal
Saviynt Employee

Hello @Diwakar,

Can you perform a successful Telnet connection to the AD server from the server where the SC2 client is installed? Additionally, please verify if port 636 is open.

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".

Hi Sudesh,

We have already tested this and the port is also open. Please find attached the successful connection test against the port.

Please suggest next.

Thanks.

sahajranajee
Saviynt Employee

Hello,

I see that you have tried both IP and hostname.

1. IP: A direct IP address will not work, as the latest Saviynt versions use Java's latest platform standard of Endpoint Identification. Endpoint Identification validates that the hostname (the IP here) being used to connect over LDAPS matches the SAN (Subject Alternative Name) in the certificate being used to establish the SSL connection. So the IP would only work if your certificate's SAN has the IP address in it.

2. Hostname: When using the hostname, if the hostname matches the SAN on the certificate, it will work. Currently, I can see an Unknown host error, which means that hostname resolution is failing on the Saviynt end. If you have a DNS resolver set up, please validate that you are able to resolve the hostname on your end, and then raise a Saviynt Support ticket with the hostname and IP address to resolve so it can be checked/set up on the Saviynt end.

Regards,

Sahaj


Regards,
Sahaj Ranajee
Sr. Product Specialist
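The reply above separates the three failures seen in this thread by the layer that rejected the connection: name resolution (UnknownHostException), endpoint identification of the certificate SAN (SSLHandshakeException), and the LDAP bind itself (error code 49). The script below is an added example, not Saviynt code, that turns that triage into something you can run against log lines and against a certificate's SAN list before changing the connection. The sample exception lines and the host names, IPs and SAN entries in it are constructed; the wording of the "No subject alternative DNS name matching ... found" message for the hostname case is assumed from Java's HostnameChecker, while the IP-address wording is taken from the logs in this thread. `probe_ldaps()` is the only function that touches the network and performs the same stages live.

```python
"""Offline triage for the LDAP/LDAPS failures shown in this thread (added example).

classify_ldap_failure() maps a javax.naming exception line to the layer that failed.
san_matches() models Java endpoint identification: does the URL host match the SAN?
probe_ldaps() runs resolve -> TCP -> TLS (with SAN check) live; no bind is attempted.
"""
import ipaddress
import re
import socket
import ssl
from typing import List, Tuple

# Constructed sample lines shaped like the thread's logs; hosts and IPs are placeholders.
SAMPLE_LINES = [
    "javax.naming.CommunicationException: dc01.example.test:636 "
    "[Root exception is java.net.UnknownHostException: dc01.example.test]",
    "javax.naming.CommunicationException: 10.0.0.5:636 [Root exception is "
    "javax.net.ssl.SSLHandshakeException: No subject alternative names "
    "matching IP address 10.0.0.5 found]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]",
]

# Active Directory sub-codes carried in the "data" field of an error-49 bind failure.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind DN or password)",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# (pattern, stage, explanation): stage names the layer that rejected the connection.
RULES = [
    (re.compile(r"java\.net\.UnknownHostException: (\S+)"), "dns",
     "name resolution for '{0}' failed on the client; TCP and TLS were never attempted, "
     "so certificates and credentials are not the problem yet"),
    (re.compile(r"SSLHandshakeException: No subject alternative names matching IP address (\S+) found"),
     "san-ip", "TCP connected, but the certificate has no IP SAN for {0}; connect by a "
     "hostname that is in the SAN, or reissue the certificate with an IP SAN"),
    (re.compile(r"SSLHandshakeException: No subject alternative DNS name matching (\S+) found"),
     "san-dns", "TCP connected, but no DNS SAN in the certificate matches '{0}'"),
    (re.compile(r"error code 49 .*?data (\w+)"), "bind",
     "TCP, TLS and the LDAP bind request all succeeded; AD rejected the credentials: {1}"),
]


def classify_ldap_failure(line: str) -> Tuple[str, str]:
    """Return (stage, explanation) for one exception line, or ('unknown', line)."""
    for pattern, stage, text in RULES:
        m = pattern.search(line)
        if m:
            detail = AD_BIND_DATA.get(m.group(1).lower(), "unrecognised data code")
            return stage, text.format(m.group(1), detail)
    return "unknown", line


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(san: List[Tuple[str, str]], target: str) -> bool:
    """`san` uses the shape ssl.getpeercert()['subjectAltName'] returns,
    e.g. [("DNS", "dc01.example.test"), ("IP Address", "10.0.0.5")].
    An IP target is compared only to IP entries, a name only to DNS entries."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        ip_entries = []
        for kind, value in san:
            if kind == "IP Address":
                try:
                    ip_entries.append(ipaddress.ip_address(value))
                except ValueError:
                    pass  # malformed entry never matches
        return ip in ip_entries
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in san)


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> Tuple[str, str]:
    """Live check of the same stages; returns (stage_reached, detail). Network access required."""
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}
    except socket.gaierror as e:
        return "dns", f"cannot resolve {host}: {e}"
    ctx = ssl.create_default_context()  # verifies the chain and the SAN against `host`
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as e:  # ssl.SSLCertVerificationError and timeouts are OSError subclasses
        return "tcp/tls", f"{host}:{port} ({', '.join(sorted(addrs))}) failed: {e}"
    return "tls", f"certificate accepted for {host}; SAN={cert.get('subjectAltName', ())}"


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        stage, why = classify_ldap_failure(sample)
        print(f"[{stage}] {why}")
```

Run it as-is to see the three thread failures classified; to check a real connection, call `probe_ldaps("<hostname from your LDAPS URL>")` from the host where the connector runs, because a resolver entry that works from your workstation says nothing about the Saviynt side. `san_matches()` explains the IP-versus-hostname result in the thread directly: a certificate whose SAN carries only DNS names can never satisfy a URL that uses the IP, however valid the certificate itself is.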

Diwakar
Regular Contributor

Thanks Sahaj for the detailed info. I have reached out to Saviynt support and it worked.