title: Troubleshooting Connection Issues category: Troubleshooting tags: troubleshooting, connection, ldap, network, firewall, certificate priority: Normal

Troubleshooting Connection Issues

This guide covers diagnosing and resolving connection problems between IdentityCenter and your directory services. Connection issues typically fall into four categories: network, certificates, credentials, and permissions.

Network Issues

Firewall Blocking LDAP Ports

IdentityCenter requires access to specific ports on your domain controllers:

Test port connectivity from the IdentityCenter server:

# Test LDAP port
Test-NetConnection -ComputerName dc01.corp.local -Port 389

# Test LDAPS port
Test-NetConnection -ComputerName dc01.corp.local -Port 636

# Test Global Catalog
Test-NetConnection -ComputerName dc01.corp.local -Port 3268

If the test returns TcpTestSucceeded: False, work with your network team to open the required port.

DNS Resolution Failure

Symptoms:

• "The server is not operational" error
• "Cannot resolve hostname" error

Diagnostic Steps:

# Test DNS resolution
Resolve-DnsName dc01.corp.local

# Test SRV record resolution for the domain
Resolve-DnsName -Name _ldap._tcp.corp.local -Type SRV

# Verify DNS server configuration
Get-DnsClientServerAddress

Solutions:

1. Ensure the IdentityCenter server's DNS settings point to a DNS server that can resolve your AD domain
2. If using a non-domain-joined server, add a conditional forwarder or configure the DNS suffix search list
3. Test using the IP address directly to confirm whether the issue is DNS-specific

Domain Controller Unreachable

Symptoms:

• Connection test times out
• "The LDAP server is unavailable" error

Solutions:

1. Verify the domain controller is online and healthy: dcdiag /s:dc01.corp.local
2. Check for network routing issues between the IdentityCenter server and the domain controller
3. Ensure no VPN or network segmentation is blocking traffic
4. Try connecting to an alternative domain controller in the same domain

Certificate Errors

Expired SSL Certificate

Symptoms:

• "The remote certificate has expired" error when using LDAPS (port 636)

Solutions:

1. Check the certificate expiration on the domain controller:

   # View LDAPS certificate details
   $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("dc01.corp.local:636")
   $conn.SessionOptions.SecureSocketLayer = $true
   $conn.SessionOptions.VerifyServerCertificate = {
       param($connection, $certificate)
       Write-Host "Subject: $($certificate.Subject)"
       Write-Host "Expires: $($certificate.GetExpirationDateString())"
       return $true
   }
   $conn.Bind()
   

2. Renew the certificate on the domain controller through your enterprise CA or certificate provider

3. If auto-enrollment is configured, force a certificate refresh: certutil -pulse

Untrusted CA for LDAPS

Symptoms:

• "The remote certificate is invalid according to the validation procedure"
• Certificate is valid but issued by an internal CA

Solutions:

1. Import the CA certificate into the Trusted Root Certification Authorities store on the IdentityCenter server:

   # Import root CA certificate
   Import-Certificate -FilePath "C:\Certs\RootCA.cer" `
     -CertStoreLocation Cert:\LocalMachine\Root
   

2. If using an intermediate CA, import the full certificate chain

3. Verify the import:

   Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*YourCA*" }
   

Certificate Name Mismatch

Symptoms:

• "The remote certificate name does not match the hostname"

Solutions:

1. The hostname used in the connection must match the certificate's Subject or Subject Alternative Name (SAN)
2. Use the FQDN of the domain controller, not an IP address or short name
3. Check the certificate's SAN entries:

   $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*dc01*" }
   $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" } |
     ForEach-Object { $_.Format($true) }
   

Credential Problems

Username Format

IdentityCenter supports multiple username formats. Use the one that works for your environment:

Tip: If one format fails, try another. UPN format (user@domain.com) is the most reliable across different configurations.

Password Expired or Account Locked

Symptoms:

• "Invalid credentials" error even though username and password appear correct
• Connection worked previously but stopped

Diagnostic Steps:

# Check account status
Get-ADUser -Identity svc-identity -Properties LockedOut, PasswordExpired, Enabled

# Check lockout details
Get-ADUser -Identity svc-identity -Properties LockedOut, lockoutTime, badPwdCount

Solutions:

1. Password expired -- Reset the password and update it in IdentityCenter's connection settings
2. Account locked -- Unlock the account: Unlock-ADAccount -Identity svc-identity
3. Account disabled -- Re-enable: Enable-ADAccount -Identity svc-identity
4. Set the service account password to never expire (recommended for service accounts)

Insufficient Permissions

The service account needs specific directory permissions to function correctly:

To verify permissions:

1. Open Active Directory Users and Computers
2. Enable View > Advanced Features
3. Right-click the target OU and select Properties > Security
4. Verify the service account or its group has Read permissions

Connection Test Failures: Step-by-Step Debugging

When the connection test fails, follow this sequence:

1. Verify network connectivity

   Test-NetConnection -ComputerName dc01.corp.local -Port 389
   

2. Verify DNS resolution

   Resolve-DnsName dc01.corp.local
   

3. Test LDAP bind from the server

   $cred = Get-Credential
   $ldap = New-Object System.DirectoryServices.DirectoryEntry(
     "LDAP://dc01.corp.local", $cred.UserName, $cred.GetNetworkCredential().Password)
   $ldap.Name  # Should return the domain name if successful
   

4. Test with a simple LDAP search

   $searcher = New-Object System.DirectoryServices.DirectorySearcher($ldap)
   $searcher.Filter = "(objectClass=domain)"
   $searcher.FindOne()
   

5. Check the IdentityCenter application logs at /admin/logging for the detailed error message from the failed test

Multi-Forest Issues

Trust Relationships

When connecting to a domain in a separate forest:

1. Verify a forest or external trust exists between the forests
2. Ensure the trust is bidirectional or that the direction allows the IdentityCenter service account to authenticate
3. Validate the trust:

   Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
   

DNS Forwarding

For cross-forest name resolution:

1. Configure conditional DNS forwarders for each remote forest's DNS zone
2. Verify resolution works:

   Resolve-DnsName dc01.partner.local
   

3. If conditional forwarders are not an option, use stub zones or secondary zones

Cross-Forest Connection Configuration

1. Create a separate connection in IdentityCenter for each forest
2. Use the FQDN of a domain controller in the remote forest
3. Provide credentials for an account that has read access in the remote forest
4. Test the connection before creating sync projects

Testing Connectivity from the Server

PowerShell Commands

# Comprehensive connectivity test
$server = "dc01.corp.local"

Write-Host "1. DNS Resolution..."
Resolve-DnsName $server

Write-Host "2. LDAP Port (389)..."
Test-NetConnection $server -Port 389

Write-Host "3. LDAPS Port (636)..."
Test-NetConnection $server -Port 636

Write-Host "4. LDAP Bind Test..."
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server")
if ($entry.Name) { Write-Host "Bind successful: $($entry.Name)" }

Using ldp.exe (Built into Windows)

1. Open ldp.exe (available on servers with AD tools installed)
2. Select Connection > Connect and enter the server name and port
3. Select Connection > Bind and enter credentials
4. Select View > Tree and enter the Base DN to browse the directory
5. If ldp.exe connects successfully but IdentityCenter does not, the issue is likely in the application configuration

Logs to Check

Next Steps

• Common Issues & Solutions
• Troubleshooting Sync Errors
• Performance Tuning
• Log Analysis & Diagnostics
• Connection Configuration