在 AD Production / AD Stage 和 AD Test 中运行 TEST Connection 时显示以下错误。
ou=someusers、ou=anOU、dc=more、dc=morestuff、dc=stuff 的用户服务器:服务器无法运行。 。 HRESULT:.(0x8007203AJ”,“无法连接到 ou=someusers、ou=anOUusers、dc=more、dc=more、dc=stuff 的服务器:服务器无法运行。.HRESULT:[0x8007203A)”[ InvalidConfigurationException ] [可能的建议] 确保: a) SearchDN 有效。 b) 用户处于活动状态。 c) 用户未被锁定。 d) 如果启用了域配置 TLS,则域证书可在 IQService 计算机上的受信任根文件夹中使用。 [错误详情]
IQService 安装在与域控制器位于同一网络的 Windows 服务器上。我们在 IQService 中打开了 TLS,并查看 Wireshark 捕获;错误再次出现之前似乎有一个暂停(大约 15-20 秒)。窗口服务器是2019,运行级别是2012R2。 Identity IQ 版本:8.2p1。我们已经关闭了域控制器(除了主域控制器之外的所有域控制器),只有一个域控制器(在较低的环境中),以确保集群不会出现问题。服务器负载似乎并不重;我们检查了使用率,它一直很低(使用率、内存和 CPU 都低于 80%)。 IQService 服务器也没有被淹没,因为它可能每隔几个小时就会收到一个请求。我们强调了较低的环境,以尝试捕获更多问题,并以大约每分钟一个的速度发出(测试请求)。这些测试请求不是写请求,只是读请求。 (作为注释,我们在书面中也看到了这一点)。关于要测试的内容以及如何运行这些测试的想法?
我可以验证:
提出的一个想法是 IQService 和域控制器之间的临时端口 (1024-65535) 可能存在问题。关于测试和验证该理论的方法有什么建议吗?谢谢!!
更新:
已使用以下命令打开经过验证的端口:
netsh int ipv4 set dynamicport tcp start=1024 num=64511
netsh int ipv4 show dynamicport TCP
更新:添加部分application.xml
<entry key="domainSettings">
<value>
<List>
<Map>
<entry key="authenticationType" value="simple"/>
<entry key="authorizationType" value="simple"/>
<entry key="domainDN" value="%%AD_DOMAIN_DN%%"/>
<entry key="domainIterateSearchFilter"/>
<entry key="domainNetBiosName"/>
<entry key="forestName" value="%%AD_FOREST%%"/>
<entry key="password" value="%%AD_PASSWORD%%"/>
<entry key="port" value="636"/>
<entry key="servers">
<value>
<List>
<String>%%AD_DOMAIN_SERVER%%</String>
</List>
</value>
</entry>
<entry key="useSSL">
<value>
<Boolean>%%AD_IQSERVICE_TLS%%</Boolean>
</value>
</entry>
<entry key="user" value="%%AD_USER%%"/>
</Map>
</List>
</value>
</entry>
来自 IQService 的一些附加日志:
03/04/2022 11:40:19 : RpcHandler [ Thread-11 ] DEBUG : "Initiating the serviceState for 122"
03/04/2022 11:40:19 : RpcHandler [ Thread-11 ] INFO : "Calling Service [ADConnector] and method[testConfiguration] "
03/04/2022 11:40:19 : Impersonator [ Thread-11 ] DEBUG : "Authenticating as User [svcAccount] domain [dom]"
03/04/2022 11:40:19 : Impersonator [ Thread-11 ] DEBUG : "User [svcAccount] domain [dom] -> Authenticated"
03/04/2022 11:40:19 : AbstractConnector [ Thread-11 ] DEBUG : "ENTER AbstractConnector"
03/04/2022 11:40:19 : AbstractConnector [ Thread-11 ] DEBUG : "EXIT AbstractConnector"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER prepare"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT prepare"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER testConfiguration"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=users,ou=tii,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:19 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test] original [ou=users,ou=tii,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test, [email protected] authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=users,ou=tii,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:49 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test, [email protected] authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=users,ou=coo,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:19 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test] original [ou=users,ou=coo,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test, [email protected] authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=users,ou=coo,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=boo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:49 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=boo,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=boo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=boo,ou=dom users,dc=dom,dc=foo,dc=test, [email protected] authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind to ou=boo,ou=dom users,dc=dom,dc=foo,dc=test is Successful"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "Parent Container is: LDAP://server.dom.foo.test/ou=dom users,dc=dom,dc=foo,dc=test"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=joo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:42:04 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=joo,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=joo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=joo,ou=dom users,dc=dom,dc=foo,dc=test, [email protected] authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind to ou=joo,ou=dom users,dc=dom,dc=foo,dc=test is Successful"
• 您遇到此错误是因为 ‘Application.xml’ 文件不包含通过 IQ 服务连接器连接到 AD 服务器的正确配置。 “application.xml”文件应包含包含以下格式的 DC 服务器详细信息的配置。
现有‘application.xml’配置可能如下:-
<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=example,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”/>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”EXAMPLE\Administrator”/>
</Map>
</List>
</value>
</entry>
新“application.xml”配置应如下所示:-
<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=example,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”>
<value>
<List>
<String>172.16.153.185</String>
</List>
</value>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”EXAMPLE\Administrator”/>
</Map>
</List>
</value>
</entry>
• 通过进行上述更改,您的 IQ 服务应该能够“测试” 连接到您在“application.xml”文件中指定的域控制器 IP。除此之外,还要确保从成员服务器到域控制器的 sailpoint IQ 服务 所需的端口正确打开,并且内部 AD 复制端口也打开,如下所述:-
TCP UDP 135、137、138、139、445、389、636、3268、3269、88、53、1512、42、49152-65535。这些端口与 AD 相关的各种服务相关联,即 RPC 端点映射器、DNS、WINS 解析、复制、RPC 动态端口等。