
How to check/confirm communication between ADSI agent and AD host?

GauravJain
Regular Contributor III

Hi 

As per ADSI connector documentation we need to confirm "that the ADSI agent can communicate with the server hosting Active Directory on an LDAP port. The default ports are 389 and 636."

But how do we do this? Should we just use a telnet / curl command to check this connectivity, or is there more to it that is not mentioned in the Saviynt documentation?

Please help.

Regards

Gaurav


adriencosson
Valued Contributor

 Hi @GauravJain,

Are you using SC2.0 to connect to the customer environment? If yes, you can run the command below to validate that the flow is open to ADSI and the agent is running:

nmap -p <PORTS, usually 8090,443> <IP OR DNS> -Pn

Sample command : 

nmap -p 8090,443 saviyntadsiconnector.customerdc.net -Pn

This should return an "open" state if it has been correctly installed following the documentation.

Also, to make a secure connection with ADSI, make sure to grab the ADSI machine certificate (signed by the Group CA certificate), import it into Saviynt, and add it to the connector.

Hope this helps !

Regards,
Adrien COSSON

GauravJain
Regular Contributor III

Hi - thanks for quick revert.

Yes, we are using SC client (hosted in our environment) to connect to all target systems (AD in this case).

"nmap" command doesn't exist on our SC client host so is there any other way to test it?

Secondly, you mentioned "make sure to grab the ADSI machine certificate (signed by Group CA certificate) and import it into Saviynt, and add it to the connector". So, do I need to use the ADSI agent host name / IP address as the CN to generate a certificate and later have it signed by the Group CA? Is my understanding correct?

Regards

Gaurav


GauravJain
Regular Contributor III

One more thing, in this command 

nmap -p <PORTS, usually 8090,443> <IP OR DNS> -Pn

Which IP address / DNS should one use here? Is it the ADSI agent host DNS or something else?

You should use this command from your SC2 client and target the IP / DNS of the ADSI agent host.

Regards,
Adrien COSSON

rushikeshvartak
All-Star

Using telnet

  1. Open a Command Prompt or Terminal on the machine where the ADSI agent is installed.
  2. Run the telnet command:
    • For port 389: telnet [ActiveDirectoryServer] 389
    • For port 636: telnet [ActiveDirectoryServer] 636
  3. Replace [ActiveDirectoryServer] with the hostname or IP address of your Active Directory server.
  4. Check the Response: If the connection is successful, the screen will clear, and you’ll get a blank cursor (indicating an open connection). If it fails, you’ll see a connection error message.

Using curl

  1. Open a Command Prompt or Terminal on the machine where the ADSI agent is installed.
  2. Run the curl command:
    • For port 389: curl ldap://[ActiveDirectoryServer]:389
    • For port 636: curl ldaps://[ActiveDirectoryServer]:636
  3. Replace [ActiveDirectoryServer] with the hostname or IP address of your Active Directory server.
  4. Check the Response: For port 389, you should get an LDAP response indicating that a connection was made. For port 636, if the server has a valid SSL/TLS certificate, you should also get a connection confirmation.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
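As an added example (not code from the thread or from Saviynt), the following PowerShell script performs the same reachability check from the ADSI agent host and additionally completes a TLS handshake on 636 to show which certificate the AD server presents and whether this host trusts it; `$AdHost` is a placeholder for your AD server FQDN.

```powershell
# Added example, not from the thread: run on the ADSI agent host to confirm the
# AD server is reachable on 389/636 and to see which certificate it presents on 636.
# $AdHost is a placeholder; replace it with your AD server's FQDN.
param(
    [string]$AdHost = "dc01.example.internal"   # placeholder FQDN
)

# 1. Plain TCP reachability check (what telnet shows, without the blank screen).
foreach ($port in 389, 636) {
    $r = Test-NetConnection -ComputerName $AdHost -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable={2}" -f $AdHost, $port, $r.TcpTestSucceeded
}

# 2. LDAPS: complete a TLS handshake and inspect the server certificate so that a
#    hostname mismatch or an issuer this host does not trust is visible up front.
$client = New-Object System.Net.Sockets.TcpClient($AdHost, 636)
try {
    # The callback accepts any certificate so the handshake completes and the
    # certificate can be inspected; trust is evaluated separately below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($AdHost)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    "Protocol : {0}" -f $ssl.SslProtocol
    "Subject  : {0}" -f $cert.Subject
    "Issuer   : {0}" -f $cert.Issuer
    "Expires  : {0}" -f $cert.NotAfter
    # 2.5.29.17 is the Subject Alternative Name extension; the FQDN you connect
    # with must appear here (or in the CN) for the connector to accept it.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN      : {0}" -f $san.Format($false) }
    # Verify() builds the chain against this host's certificate stores; $false
    # means the ADSI host would not trust the AD certificate as presented.
    "Trusted  : {0}" -f $cert.Verify()
}
finally {
    $client.Close()
}
```

If "reachable" is True on both ports but "Trusted" is False, the connectivity part is fine and the remaining work is importing the issuing CA chain on the ADSI host.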

GauravJain
Regular Contributor III

Thanks @rushikeshvartak @adriencosson .

Can you guys please revert on my other questions as well?

1)  @adriencosson mentioned "make sure to grab the ADSI machine certificate (signed by Group CA certificate) and import it into Saviynt, and add it to the connector". So, do I need to use the ADSI agent host name / IP address as the CN to generate a certificate and later have it signed by the Group CA? Is my understanding correct?

2) Install the SSL certificate for this website - ADSIConnector

While creating a certificate request, do I need to mention my AD host name / IP address in the CN (common name), because ADSI will internally connect to the AD host for all the operations? Can you please confirm this as well?

3) Even after installing the latest ADSI agent from artifacts, which is "2024.2.1.0", our ADSI logs are still printing the 2023 version. What could be the issue? We have already restarted the IIS service but no luck.

Regards

Gaurav


GauravJain
Regular Contributor III

Hi @rushikeshvartak @adriencosson 

I have tried the telnet command for connectivity between ADSI and the AD server and it's working fine.

Can you please revert on my other pending questions to close this post?

Regards

Gaurav

1) Generating and Using the Machine Certificate for ADSI

To generate a certificate for the ADSI agent host, you typically follow these steps:

  • Generate Certificate Request (CSR):

    • Use the ADSI agent host name (FQDN) as the Common Name (CN) in the CSR.
    • This ensures the certificate is correctly identified when it is signed and used.
  • Sign the Certificate:

    • Once the CSR is generated, it should be signed by your Group CA (Certificate Authority).
    • This ensures that the certificate is trusted within your organization.
  • Import and Configure in Saviynt:

    • Import the signed certificate into Saviynt.
    • Ensure that the certificate is added to the connector configuration in Saviynt.

2) Installing SSL Certificate for ADSI Connector

When creating a certificate request for the ADSI connector:

  • Common Name (CN):
    • Use the FQDN (Fully Qualified Domain Name) of your AD host as the Common Name (CN) in the certificate request.
    • This is important because the ADSI connector will internally connect to the AD host using this FQDN.

3) Updating ADSI Agent Version Issue

If the ADSI logs are still printing the 2023 version after installing the latest ADSI agent version (2024.2.1.0) and restarting the IIS service, there are a few things you can check:

  • Verify Installation: Double-check that the new version of the ADSI agent has been correctly installed on the server where it's running.
  • Configuration Check: Ensure that the ADSI agent is configured to use the correct version.
  • Restart Services: In addition to IIS, ensure that any ADSI-related services are also restarted.
  • Logs: Check the logs and configuration files of the ADSI agent to see if there are any errors or warnings that might indicate why it's still using the older version.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

GauravJain
Regular Contributor III

Thanks @rushikeshvartak for your revert.

On point #3 - we have restarted both the IIS service and the ADSI agent. Also verified the logs but no luck.

I think we will have to either reinstall the ADSI agent or upgrade it.

Regards

Gaurav