
Error in AD connection

saramohanraj
New Contributor

Hi, we are facing an issue in the AD connection all of a sudden. The error is related to a certificate issue, but the certificate is not expired; it was recently updated and everything was working fine till Friday without any issues.

We were facing issues in both the TEST and DEV environments. In the TEST env it started working again after updating the AD connection URL with the FQDN instead of the IP, as suggested by the Wintel team. But when we do the same in DEV, it is not working. We are getting the below error, and the Wintel team is asking for the Java version of SSM.

2023-06-08/04:07:40.547 [{}] [https-jsse-nio-443-exec-21] ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
javax.naming.CommunicationException: simple bind failed: XPERDCS12.dev.woodside.com.au:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.saviynt.ldap.SaviyntGroovyLdapService.getConnection(SaviyntGroovyLdapService.groovy:3760)
at com.saviynt.ldap.SaviyntGroovyLdapService.testADConnection(SaviyntGroovyLdapService.groovy:5033)
at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:421)
at com.saviynt.ecm.utility.domain.EcmConfigController$_closure21.doCall(EcmConfigController.groovy:780)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:145)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)
at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:441)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 23 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
... 29 more
2023-06-08/04:07:40.55

We would be grateful for any help on this. Please let us know ASAP. Looping in @SB @Sivagami @davindersingh @rushikeshvartak for immediate assistance.


sudeshjaiswal
Saviynt Employee

Hello @saramohanraj,

It is recommended to use the Fully Qualified Domain Name (FQDN) instead of the IP address. This provides more flexibility and makes maintenance easier, especially when there are changes to the underlying infrastructure.

To use a fully qualified hostname, you need to set up a DNS resolver, which is typically done by the Saviynt Infrastructure team. If you need further assistance, you can contact the Saviynt Support team by raising a Freshdesk ticket.

So if the IP address was working before, then most probably there was a local hosts entry mapping the IP to the SAN name present in the certificate. This is not a recommended approach, as the local hosts file can get overwritten on a system refresh.

Never use an IP address in any environment. In case FQDN resolution is failing, open a support ticket to configure DNS forwarding so that FQDN resolution can work based on the customer's DNS server.

The error message you encountered, "No subject alternative names matching IP address 'xyz' found," suggests that the system was trying to validate the SSL certificate for the connection but couldn't find a matching Subject Alternative Name (SAN) for the provided IP address. Using the FQDN instead of the IP address can often resolve this issue.

If the connections are working in other Saviynt environments but failing in a lower environment, it would be helpful to compare the configuration and validate the certificate and versions between the working and non-working environments to identify any differences.

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".
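Two different TLS failures appear in this thread: the DEV log's "PKIX path building failed" (the JVM cannot chain the domain controller's certificate to a CA in its truststore) and the "No subject alternative names matching IP address" message quoted above (the chain validated, but the URL's IP is not in the certificate's SAN). The following is an added example, not code from Saviynt or from the poster: it classifies the Java error text, checks a hostname or IP against a certificate's SAN the way the validator does, and probes an LDAPS endpoint using Python's OpenSSL-backed verifier as a stand-in for Java's PKIX validator; the host names, IPs and log lines are constructed.

```python
import re
import socket
import ssl
from ipaddress import ip_address

# Constructed sample lines: the two distinct Java errors quoted in this thread.
SAMPLE_LOG_LINES = [
    "javax.naming.CommunicationException: simple bind failed: dc01.example.test:636 [Root "
    "exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: "
    "PKIX path building failed: unable to find valid certification path to requested target]",
    "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: "
    "No subject alternative names matching IP address 10.0.0.5 found",
]
def classify_java_tls_error(line):
    """'trust-anchor': the DC's chain is not anchored in the JVM truststore (cacerts);
    'san-mismatch': the chain validated, but the URL's host/IP is not in the cert's SAN."""
    if "unable to find valid certification path" in line:
        return "trust-anchor"
    if re.search(r"No subject alternative names (matching|present)", line):
        return "san-mismatch"
    return "unknown"
def san_matches(peer_cert, target):
    """True if target (hostname or IP) is covered by the SAN entries of a cert dict
    shaped like ssl.SSLSocket.getpeercert(); a wildcard covers one left-most label."""
    try:
        ip = ip_address(target)
    except ValueError:
        ip = None
    for kind, value in peer_cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS":
            value, host = value.lower(), target.lower()
            if value == host or (value.startswith("*.") and host.endswith(value[1:])
                                 and host.count(".") == value.count(".")):
                return True
    return False
def diagnose_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect the way the JVM would and report which failure applies; cafile is a
    PEM bundle to trust instead of the OS store (e.g. the CAs exported from cacerts)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        # OpenSSL verify codes 2/18/19/20/21 = issuer missing or chain untrusted; 62/64 = host/IP mismatch
        cause = ("trust-anchor" if e.verify_code in (2, 18, 19, 20, 21)
                 else "san-mismatch" if e.verify_code in (62, 64) else "unknown")
        return (cause, e.verify_message)
```

Run `diagnose_ldaps("dc-fqdn", cafile="exported-cacerts.pem")` against the DEV and TEST controllers with the same CA bundle: a "trust-anchor" result on DEV only means the DEV controller presents a chain the truststore does not cover, which is a certificate or truststore difference rather than a URL format problem.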

saramohanraj
New Contributor

Hi @sudeshjaiswal,

We are using the FQDN only now, as it was failing with the IP address. The FQDN fixed the issue in the TEST env but not in the DEV env.

Should we raise a support ticket with Saviynt to compare the configs between these 2 envs?

sudeshjaiswal
Saviynt Employee

Hello @saramohanraj,

Was there any change/upgrade that happened in the Dev Environment?
Sure, you can raise the FD ticket.

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".