SEPM upgrade failed due to the AD certificate validation
Article ID: 260779
Updated On:
Products
Endpoint Protection
Issue/Introduction
During SEPM server upgrade you receive a message "Error occurred" while progress bar shows around 65%.
Followed by the below message:
Environment
Seen with upgrade to 14.3 RU6.
Cause
The issue can be identified in the upgrade-0.log. The below records show issue with the directory validation. Note, that the name of the directory host is visible, hence it can be pinpointed to the specific server in case of using many.
2023-02-08 14:09:08.516 THREAD 28 INFO: isCertValid: domain.name
2023-02-08 14:09:08.523 THREAD 28 FINE: LdapUtils>> login: logging into AD...
2023-02-08 14:09:08.535 THREAD 28 FINE: LdapRootDSE>> init_internal: Retrieving RootDSE in LDAPS://server.name:636/, ssl=true...
2023-02-08 14:09:08.536 THREAD 28 FINE: LdapUtils>> connect: Setting the properties...
2023-02-08 14:09:08.536 THREAD 28 INFO: LdapUtils>> connect: Connecting...
2023-02-08 14:09:16.766 THREAD 28 WARNING: LdapUtils>> connect: Exception... Duration: 8.228s (8228.0ms)
2023-02-08 14:09:16.771 THREAD 28 WARNING: javax.naming.CommunicationException: server.name:636 [Root exception is java.net.UnknownHostException: server.name]
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:280)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.sygate.scm.server.util.ldap.LdapUtils.connect(LdapUtils.java:348)
at com.sygate.scm.server.util.ldap.LdapUtils.connect(LdapUtils.java:314)
at com.sygate.scm.server.util.ldap.LdapUtils.connectWithAnonymousLoginWithSSL(LdapUtils.java:143)
at com.sygate.scm.server.util.ldap.LdapRootDSE.initInternal(LdapRootDSE.java:119)
at com.sygate.scm.server.util.ldap.LdapRootDSE.init(LdapRootDSE.java:102)
at com.sygate.scm.server.util.ldap.LdapUtils.connectWithSimpleLoginForAD(LdapUtils.java:231)
at com.sygate.scm.server.util.ldap.LdapUtils.connectWithSimpleLoginForADWithSSL(LdapUtils.java:192)
at com.sygate.scm.server.util.ldap.LdapManager.loginAd(LdapManager.java:580)
at com.sygate.scm.server.util.ldap.LdapManager.login(LdapManager.java:485)
at com.sygate.scm.server.util.ldap.LdapManager.login(LdapManager.java:472)
at com.sygate.scm.server.util.ldap.LdapManager.doTestConnection(LdapManager.java:406)
at com.sygate.scm.server.util.NativeCall.testLdapServerConnection(NativeCall.java:308)
at com.sygate.scm.server.upgrade.Schema143RU5To143RU6.isCertValid(Schema143RU5To143RU6.java:158)
at com.sygate.scm.server.upgrade.Schema143RU5To143RU6.validateDirectoryCerts(Schema143RU5To143RU6.java:93)
at com.sygate.scm.server.upgrade.Schema143RU5To143RU6.upgrade(Schema143RU5To143RU6.java:68)
at com.sygate.scm.server.upgrade.SchemaUpgrade.execute(SchemaUpgrade.java:125)
at com.sygate.scm.server.upgrade.Upgrade.upgradeDBSchemaVersionByVersion(Upgrade.java:1576)
at com.sygate.scm.server.upgrade.Upgrade.doUpgrade(Upgrade.java:705)
at com.sygate.scm.server.upgrade.ui.UpgradeTask.go(UpgradeTask.java:156)
at com.sygate.scm.server.upgrade.ui.UpgradeProgressPanel$2.construct(UpgradeProgressPanel.java:249)
at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:147)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.net.UnknownHostException: server.name
at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:229)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.base/java.net.Socket.connect(Socket.java:609)
at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:305)
at java.base/sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:164)
at java.base/sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:321)
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:231)
... 35 more
2023-02-08 14:09:16.771 THREAD 28 WARNING: LdapRootDSE>> init_internal: Exception during connection...
2023-02-08 14:09:16.771 THREAD 28 WARNING: LdapRootDSE>> init_internal: Error-> failed to retrieve RootDSE in LDAPS://server.name:636/, ssl=true!
2023-02-08 14:09:16.771 THREAD 28 WARNING: LdapUtils>> connectWithSimpleLoginForAD: Error-> failed to retrieve RootDSE from url=LDAPS://server.name:636!
2023-02-08 14:09:16.772 THREAD 28 WARNING: NativeCall>> testLdapServerConnection: Connection Error!
2023-02-08 14:09:16.772 THREAD 28 WARNING: NativeCall>> testLdapServerConnection: error code=20
2023-02-08 14:09:16.772 THREAD 28 WARNING: NativeCall>> testLdapServerConnection: error msg=AD Server may be down! [path=LDAPS://server.name, user=user.name]
2023-02-08 14:09:16.772 THREAD 28 WARNING: isCertValid: test directory server failed:server.nameResolution
After encountering such issue, perform two actions:
1. Verify the certificate of directory server imported to your SEPM server. For details, see:
2. Under Admin > Servers > Edit the server properties > Directory Servers verify added directories. If any already decommissioned or unused directory server is still on the list, remove it.
Retry the upgrade.
Feedback
Yes
No
Powered by
