title: Connection Troubleshooting Guide category: Connections tags: troubleshooting, connection, ldap, network, errors, diagnostics priority: Normal
Connection Troubleshooting Guide
When a connection to Active Directory, Entra ID, or another directory source fails, this guide helps you diagnose the root cause and apply the correct fix. Work through the quick diagnostic checklist first, then find your specific error in the reference below.
Quick Diagnostic Checklist
Before diving into specific errors, verify these fundamentals:
| Check | How to Verify | Expected Result |
|---|---|---|
| 1. Network reachability | ping dc01.corp.local from the IdentityCenter server |
Replies received |
| 2. Port open | Test-NetConnection dc01.corp.local -Port 389 (PowerShell) |
TcpTestSucceeded: True |
| 3. DNS resolution | nslookup dc01.corp.local |
Resolves to correct IP |
| 4. Credentials valid | Try an LDAP bind with ldp.exe or another LDAP tool |
Bind succeeds |
| 5. Account not locked | Check AD Users & Computers for lockout status | Account is not locked |
| 6. Permissions sufficient | Verify service account can read target OUs | Objects are returned |
If all six checks pass and the connection still fails, look at the specific error message in the sections below.
Error Reference: Active Directory / LDAP
"The server is not operational"
Cause: The domain controller is unreachable from the IdentityCenter server.
Possible reasons:
- The domain controller is powered off or has crashed
- A firewall is blocking LDAP traffic (port 389 or 636)
- DNS is returning the wrong IP address for the DC hostname
- The DC hostname is misspelled in the connection settings
Fix:
- Ping the domain controller from the IdentityCenter server
- Test port connectivity:
Test-NetConnection dc01.corp.local -Port 389 - Verify DNS resolution:
nslookup dc01.corp.local - If using a hostname, try the IP address directly to rule out DNS issues
- Check Windows Firewall on the DC for blocked inbound LDAP rules
"Invalid credentials"
Cause: The username or password in the connection settings is incorrect.
Possible reasons:
- Password was changed but not updated in IdentityCenter
- Service account is locked out due to failed login attempts
- Username format is wrong (e.g., using
jsmithinstead ofCORP\jsmithorjsmith@corp.local)
Fix:
- Verify the password by logging into a domain-joined computer with the service account
- Check for account lockout in Active Directory Users and Computers
- Try different username formats:
| Format | Example | When to Use |
|---|---|---|
| UPN | svc_idsync@corp.local | Most common, works across domains |
| Down-level | CORP\svc_idsync | Legacy format, works with NTLM |
| DN | CN=svc_idsync,OU=Service Accounts,DC=corp,DC=local | Most explicit, always unambiguous |
"Unwilling to perform"
Cause: The directory server is refusing the requested operation.
Possible reasons:
- The server requires SSL/TLS but the connection is using plain LDAP
- The service account does not have permission for the requested operation
- LDAP signing or channel binding is required by Group Policy
Fix:
- If your domain requires LDAP signing (common after security hardening), switch to LDAPS (port 636) or enable LDAP signing in the connection settings
- Verify the service account has read permissions on the target OUs
- Check Group Policy:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements
"A referral was returned from the server"
Cause: The LDAP query is reaching a domain controller that does not hold the requested data and is referring the client to another server.
Possible reasons:
- The Base DN in the connection settings points to a different domain than the DC you are connecting to
- You are querying a child domain's DC for objects in the parent domain
- The connection is targeting a domain controller, but needs the Global Catalog
Fix:
- Verify the Base DN matches the domain of the target DC
- If you need to query across domains in a forest, use the Global Catalog port (3268 or 3269)
- Set referral handling to Follow in the connection's advanced settings
"Size limit exceeded"
Cause: The LDAP query returned more results than the server allows in a single response.
Details: Active Directory has a default MaxPageSize of 1000 objects per page. IdentityCenter uses paged LDAP searches automatically, so this error is rare. If you see it:
Fix:
- Ensure you are using the latest version of IdentityCenter (paged search is automatic)
- If using a custom LDAP client for testing, enable paging
- Check if the AD administrator has reduced the MaxPageSize below 1000
"The LDAP server is unavailable"
Cause: The connection to the LDAP server was interrupted or could not be established.
Possible reasons:
- The domain controller service (NTDS) has stopped
- A network device (firewall, load balancer) is dropping the connection
- The LDAP port is not listening on the target server
- DNS is returning a stale or incorrect IP
Fix:
- Verify the DC is running: check
nltest /dsgetdc:corp.localfrom a domain-joined machine - Test from the IdentityCenter server:
Test-NetConnection dc01.corp.local -Port 389 - Check for network devices that might be terminating idle connections (increase idle timeout or use connection keep-alive)
"The supplied credential is invalid" (LDAPS)
Cause: LDAPS connection failed due to a certificate issue, but the error message is misleading.
Fix: See the LDAPS Certificate Troubleshooting section below.
Error Reference: Entra ID
"AADSTS7000215: Invalid client secret"
Cause: The client secret provided does not match or has expired.
Fix:
- Check the secret expiration date in Azure Portal > App registrations > Certificates & secrets
- If expired, create a new client secret and update the connection in IdentityCenter
- Ensure you copied the Value column (not the Secret ID)
"AADSTS700016: Application not found"
Cause: The Client ID does not match any app registration in the specified tenant.
Fix:
- Verify the Client ID matches the Application (client) ID in Azure Portal
- Confirm the Tenant ID is correct
- Ensure the app registration has not been deleted
"Insufficient privileges to complete the operation"
Cause: The app registration does not have the required Graph API permissions, or admin consent has not been granted.
Fix:
- Go to Azure Portal > App registrations > your app > API permissions
- Verify that
User.Read.All,Group.Read.All, andDirectory.Read.Allare listed - Ensure the Status column shows "Granted for [tenant]" (green check)
- If not, click Grant admin consent
LDAPS Certificate Troubleshooting
If you are using LDAPS (port 636), certificate issues are a common source of failures.
Common Certificate Problems
| Problem | Symptom | Fix |
|---|---|---|
| Expired certificate | Connection fails immediately | Renew the DC's server authentication certificate |
| Untrusted CA | "The remote certificate is invalid" | Install the CA root certificate on the IdentityCenter server |
| CN mismatch | Certificate validation fails | Ensure the certificate CN or SAN matches the DC hostname used in the connection |
| Self-signed certificate | Trust chain validation fails | Import the self-signed cert into the IdentityCenter server's Trusted Root store |
Verifying the DC Certificate
From the IdentityCenter server (PowerShell):
$tcpClient = New-Object System.Net.Sockets.TcpClient("dc01.corp.local", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false)
$sslStream.AuthenticateAsClient("dc01.corp.local")
$cert = $sslStream.RemoteCertificate
Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer: $($cert.Issuer)"
Write-Host "Expires: $($cert.GetExpirationDateString())"
$sslStream.Close()
$tcpClient.Close()
Installing a Trusted Root CA
If the domain controller's certificate is issued by an internal CA that the IdentityCenter server does not trust:
- Export the root CA certificate from your certificate authority
- On the IdentityCenter server, open
certlm.msc(Local Computer certificates) - Navigate to Trusted Root Certification Authorities > Certificates
- Right-click > All Tasks > Import and select the CA certificate
- Restart the IdentityCenter service
Testing Connectivity from Command Line
LDAP Test with PowerShell
# Test basic LDAP connectivity
$ldap = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://dc01.corp.local:389/DC=corp,DC=local",
"svc_idsync@corp.local",
"YourPasswordHere"
)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ldap)
$searcher.Filter = "(objectClass=user)"
$searcher.PageSize = 10
$results = $searcher.FindAll()
Write-Host "Found $($results.Count) users"
Port Test with PowerShell
# Test multiple ports at once
$ports = @(389, 636, 3268, 3269)
foreach ($port in $ports) {
$result = Test-NetConnection dc01.corp.local -Port $port -WarningAction SilentlyContinue
Write-Host "Port $port : $($result.TcpTestSucceeded)"
}
When to Involve Your Network Team
Escalate to your network team if:
- Port tests fail between the IdentityCenter server and the domain controller
- Connections work intermittently (may indicate a flapping firewall rule or load balancer issue)
- LDAPS certificate issues persist after installing the CA certificate (may need network inspection/decryption device configuration)
- Connections work from one server but not another on the same network (routing or VLAN issue)
- Queries timeout consistently despite the DC being reachable (may indicate packet inspection or deep packet inspection interfering with LDAP traffic)
Viewing Connection Test Logs
IdentityCenter records connection test results for diagnostic purposes:
- Navigate to Administration > Connections
- Click on the failing connection
- Click Test Connection
- Expand the Details section to see step-by-step results including error messages, stack traces, and timing
Next Steps
- Creating a Connection -- Review your connection settings
- Connecting to Entra ID -- Entra ID-specific setup steps
- Multi-Forest Setup -- Cross-forest connectivity requirements
- Sync Troubleshooting -- When connections work but sync fails
- System Requirements -- Verify port and network requirements