User Synchronization failed when importing AD Logins

Article ID: 220585

Products

Data Loss Prevention

Issue/Introduction

Accounts that are members of the AD user group cannot log in. Accounts have to be added manually to allow login, instead of being managed through AD groups.

Cause

SEVERE [com.vontu.enforce.domainlayer.datauser.source.DataUserSyncTask] User Synchronization failed:
Cause:
org.springframework.ldap.PartialResultException: 
 nested exception is javax.naming.PartialResultException 
  [Root exception is javax.naming.CommunicationException: 
   simple bind failed: DomainDnsZones.rb.win.frb.org:636 
    [Root exception is javax.net.ssl.SSLHandshakeException: 
     java.security.cert.CertificateException: 
      No subject alternative DNS name matching DomainDnsZones.<domainName> found.]]

Taken from the DLP Install Guide:

The latest JRE improves LDAP security. However, the improved security may cause the SSL connection to Microsoft
Active Directory to fail. If this occurs, add the following key to your SymantecDLPManager.conf file, then restart the
Enforce Server:
wrapper.java.additional.30=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

If this key is not set and secure LDAP is required for User Indexing, the index will fail.
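To see what the check behind "No subject alternative DNS name matching ... found" is actually verifying, here is an added Python example (not part of this article or of the DLP product) that applies the RFC 6125 DNS-ID matching rules to the referral host from the log above against the SAN entries of a certificate. The DC certificate names (dc01.rb.win.frb.org and the wildcard entry) are constructed for the example.

```python
"""Added example: the hostname check behind "No subject alternative DNS name
matching ... found". JNDI's LDAP endpoint identification compares the host it
connects to (here the AD referral target) with the SAN dNSName entries of the
server certificate, using RFC 6125 DNS-ID rules. The SAN lists below are
constructed; the referral host is the one from the log in this article."""


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname matches any SAN dNSName entry.

    Matching is case-insensitive. A wildcard is accepted only as the whole
    leftmost label, never spans more than one label, and is rejected for
    two-label names such as '*.org' (a simplification of the JDK rules)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never covers extra or missing labels
        if "*" in name:
            if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
                continue  # malformed or over-broad wildcard entry
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def diagnose(referral_host: str, san_dns_names: list[str]) -> str:
    """Report, in the wording of the JDK error, whether endpoint identification
    would accept a connection to referral_host with this certificate."""
    if hostname_matches_san(referral_host, san_dns_names):
        return f"OK: {referral_host} matches a SAN dNSName entry"
    return (f"FAIL: No subject alternative DNS name matching {referral_host} found "
            f"(certificate SANs: {', '.join(san_dns_names)})")


# Constructed DC certificate: it names the domain controller and the domain,
# but not the DomainDnsZones.<domain> host that AD hands back as a referral.
DC_CERT_SANS = ["dc01.rb.win.frb.org", "rb.win.frb.org"]
REFERRAL_HOST = "DomainDnsZones.rb.win.frb.org"

if __name__ == "__main__":
    print(diagnose(REFERRAL_HOST, DC_CERT_SANS))
    # A certificate that also covers the referral names (here via a wildcard)
    # passes the same check with endpoint identification left enabled.
    print(diagnose(REFERRAL_HOST, DC_CERT_SANS + ["*.rb.win.frb.org"]))
```

Running the check against the actual DC certificate before setting the key shows whether the failure is the referral name alone, which a certificate covering that name would fix without turning endpoint identification off.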


Environment

Release : 15.8

Component : Enforce

Resolution

The solution is to add wrapper.java.additional.30=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the SymantecDLPManager.conf file, then restart the Enforce Server service.