
The Functional Account test password is failing and we are receiving the error below. Can anyone please help with this?


Verify Managed Account on Active Directory system: Domain=UGNX.local, PreferredController=, UseSsl=True, EnforceCertificateValidation=True, Account=(AccountName=s_pr, DistinguishedName=, SamAccountName=s_pr, UserPrincipalName=s_pr@ugnx.local, DomainName=UGNX.local, Privilege=, SID=S-1-5-21-2902959944-561351360-3437842006-37045, DisableAtRest=False) FunctionalAccount=(AccountName=srv_BT_Win_FA, DistinguishedName=srv_BT_Win_FA, SamAccountName=srv_BT_Win_FA, UserPrincipalName=srv_BT_Win_FA@ugnx.local, DomainName=UGNX.local, Privilege=, SID=, DisableAtRest=False)
Querying managed account attributes...
Search attributes for SID=S-1-5-21-2902959944-561351360-3437842006-37045
ValidateActiveDirectoryCredentials - domain: 'UGNX.local'; username: 's_pr'; useSsl: 'True'; domainController: 'UGNX.local'.
Ignore Errors=False, Trust First Certificate=False
Subject=CN=UGX1ADDC11N01.UGNX.local Host=UGNX.local Port=636 Thumbprint=7A47C1B860C8058ACCC12B55CCDA40D8BD9E461A Validity=False
Certificate presented by the LDAP server was not valid. Enable Debug logs for more details.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
VerifyServerCertificate callback returned=False
Errorr8] - code: 81, error: The LDAP server is unavailable. -> retrying with user name 's_pr'.
ValidateActiveDirectoryCredentials - domain: 'UGNX.local'; username: 's_pr'; useSsl: 'True'; domainController: ''.
Ignore Errors=False, Trust First Certificate=False
Subject=CN=UGX1ADDC11N01.UGNX.local Host=UGNX.local Port=636 Thumbprint=7A47C1B860C8058ACCC12B55CCDA40D8BD9E461A Validity=False
Certificate presented by the LDAP server was not valid. Enable Debug logs for more details.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
VerifyServerCertificate callback returned=False
Errorr9] - code: 81, error: The LDAP server is unavailable. .
Errorr11]: System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The LDAP server is unavailable.
   at PasswordSafe.PlatformPlugin.ActiveDirectory.Services.VerificationService.ValidateActiveDirectoryCredentials(ILogger log, String domainController, String domain, String username, String password, Boolean useSsl, Boolean enforceSslCertificateValidation)
   at PasswordSafe.PlatformPlugin.ActiveDirectory.Services.VerificationService.ValidateActiveDirectoryCredentials(ILogger log, String domainController, String domain, String username, String password, Boolean useSsl, Boolean enforceSslCertificateValidation)
   at PasswordSafe.PlatformPlugin.ActiveDirectory.Services.VerificationService.VerifyManagedAccount(PluginActionResult result, ILogger logger, String preferredDomainController, Boolean useSSL, Boolean enforceSslCertificateValidation, AccountParameter managedAccount, String passwordMA, AccountParameter functionalAccount, String passwordFA)
Account verification failed
Plugin: Name=Active Directory, Id=25DE9C14-C9CF-43F8-BB94-99AD6323EF87, Version=3.8.1.0, Publisher=BeyondTrust


Hello,

The error indicates your CRL server cannot be contacted:

“The revocation function was unable to check revocation because the revocation server was offline.”

Have a look at this KB on the error.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021411


Yes, we have checked this, but we are still facing the same port connectivity issue.


It could be an issue with the LDAPS certificate. Also make sure the CRL distribution point is published as an “http” and not an “https” URL.


For the Password Safe Cloud configuration, do we need the LDAP certificate? If yes, can you please guide me on how to configure the certificate, with a KB article or the instructions to be followed?


I have found this Microsoft KB on troubleshooting LDAP over SSL that may help you.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-over-ssl-connection-issues


Thank you for sharing this.

Does anything need to be configured in BeyondTrust Password Safe Cloud for the LDAP certificate?


The only certificate validation settings to configure are under Configuration > System > Site, in the options of the Certificate Validation section.

And your resource brokers need to trust your LDAPS certificate.
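As an added diagnostic (not from the thread, and not BeyondTrust's own tooling), the following PowerShell script can be run on a resource broker to reproduce the two checks the replies above point at: whether this machine can build and revocation-check the chain of the certificate the DC presents on port 636, and which CRL distribution point URLs that chain carries, their scheme (http vs https) and whether they are reachable from here. The host name is assumed from the certificate subject in the log; the port is the one the log shows.

```powershell
# Added diagnostic, not part of the original thread. Run on the resource broker.
# Assumed inputs (from the log's certificate Subject and Port); adjust as needed.
param(
    [string]$LdapsHost = 'UGX1ADDC11N01.UGNX.local',
    [int]$Port = 636
)

# 1. Retrieve the certificate the DC presents on the LDAPS port.
#    The accept-all callback is only used to obtain the certificate; validation is done below.
$client = New-Object System.Net.Sockets.TcpClient($LdapsHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($LdapsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# 2. Build the chain with online revocation checking for the whole chain, which is the
#    strict policy implied by EnforceCertificateValidation=True in the log.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)
"Chain valid: $chainOk"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 3. List the CRL Distribution Points (OID 2.5.29.31) of every certificate in the chain,
#    flag https URLs (should be http) and test whether each http URL answers from this host.
foreach ($c in ($chain.ChainElements | ForEach-Object { $_.Certificate })) {
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { "  no CDP extension on $($c.Subject)"; continue }
    $urls = [regex]::Matches($ext.Format($true), '(https?|ldap)://\S+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        $note = ''
        if ($u -like 'https://*') { $note = '  <- CDP published over https; should be http' }
        if ($u -like 'http://*') {
            try   { $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10; $state = "HTTP $($r.StatusCode)" }
            catch { $state = "UNREACHABLE: $($_.Exception.Message)" }
        } else { $state = 'not tested' }
        "  CDP for $($c.Subject): $u [$state]$note"
    }
}
```

A chain status of RevocationStatusUnknown or OfflineRevocation together with an UNREACHABLE or https CDP entry points at the revocation server, whereas UntrustedRoot or PartialChain means the broker does not trust the issuing CA.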


OK, thank you for the update. We shall look into this.

