Problem connecting to directory: Host {0}, Reason - {1} error when attempting to configure vIDM directory with domain name over ldaps

Article ID: 380179

Products

VMware Aria Suite

Issue/Introduction

  • A directory is being added over LDAPS using the domain name (for example domain.com) rather than the address of an individual domain controller.
  • The root certificate for the domain does not contain the domain name domain.com as a Subject Alternative Name (SAN) entry.
  • The same directory can be configured successfully when the FQDN of an individual domain controller is specified instead.
  • The UI displays the error:
    Problem connecting to directory: Host {0}, Reason - {1}
  • The /logs/connector-dir-sync.log log file contains a 'No subject alternative DNS name matching' error similar to:

    2024-02-16T15:27:44,078 INFO  (Thread-) [;@;;] com.vmware.horizon.directory.ldap.util.TLSConnectionLogHelper - Class:com.vmware.horizon.directory.ldap.dc.service.context.SSLContextFetcher, Action:TLS_CONNECTION_FAILED, Message:TLS Connection Failed to host - (<IP>:636)
    2024-02-16T15:27:44,078 ERROR (Thread-) [;@;<IP>;] com.vmware.horizon.directory.ldap.dc.service.context.JNDIContextFetcher - Failed to connect to domain.com:636
    javax.naming.CommunicationException: simple bind failed: domain.com:636

    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching domain.com found.

Environment

VMware Identity Manager 3.3.x

Cause

The failure occurs when vIDM validates the domain name used for the LDAPS connection against the certificate presented during the TLS handshake. Validation fails when the root certificate for the domain does not contain the domain name domain.com as a Subject Alternative Name (SAN) entry: hostname verification matches the connected name against the certificate's DNS SAN entries only, so a certificate issued for individual domain controller names does not satisfy a connection made to domain.com.
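The check below is an added example, not code from the article or from VMware: it reproduces the hostname-verification step described above so an administrator can confirm, before configuring the directory, whether the certificate an LDAPS endpoint presents carries the name vIDM will connect to. The two sample certificates are constructed in the `ssl.getpeercert()` dictionary shape (assumed names `dc01.domain.com` and `domain.com`); `fetch_peer_cert` is the only part that touches the network and is a hypothetical helper, not a vIDM API.

```python
"""
Pre-flight check for the "No subject alternative DNS name matching" failure.

TLS hostname verification (what the Java LDAP/JNDI stack does before the
bind) compares the name used to connect against the certificate's DNS
Subject Alternative Name entries only. Connecting to "domain.com" with a
certificate that lists just "dc01.domain.com" is therefore rejected.
"""
import socket
import ssl


def _label_match(pattern, hostname):
    """RFC 6125 style match: exact name, or a single leftmost-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # "*.domain.com" covers "dc01.domain.com" but neither "domain.com"
    # nor "a.b.domain.com" (wildcard spans exactly one label)
    suffix = pattern[1:]  # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def dns_sans(cert):
    """DNS entries from an ssl.getpeercert()-shaped dict (CN is ignored on purpose)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(cert, hostname):
    """True when hostname verification would accept this certificate for hostname."""
    return any(_label_match(p, hostname) for p in dns_sans(cert))


def diagnose(cert, hostname):
    """Human-readable verdict in the spirit of the connector-dir-sync.log message."""
    if san_matches(cert, hostname):
        return "OK: %s is covered by SAN %s" % (hostname, dns_sans(cert))
    return ("FAIL: No subject alternative DNS name matching %s found "
            "(SAN entries: %s). Reissue the certificate with %s added as a "
            "SAN, or configure the directory against an individual DC FQDN."
            % (hostname, dns_sans(cert), hostname))


def fetch_peer_cert(host, port=636, timeout=5.0):
    """Hypothetical helper: fetch the certificate an LDAPS endpoint presents.

    Hostname checking is turned off so the SAN can be inspected even when it
    is the cause of the failure; the chain must still validate against the
    default trust store, otherwise wrap_socket raises SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (shape of ssl.getpeercert()), not real data.
DC_ONLY_CERT = {
    "subject": ((("commonName", "dc01.domain.com"),),),
    "subjectAltName": (("DNS", "dc01.domain.com"),),
}
REISSUED_CERT = {
    "subject": ((("commonName", "dc01.domain.com"),),),
    "subjectAltName": (("DNS", "dc01.domain.com"), ("DNS", "domain.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
}

if __name__ == "__main__":
    # Reproduces the article: the DC-only certificate fails for domain.com
    # but succeeds for the individual domain controller FQDN.
    print(diagnose(DC_ONLY_CERT, "domain.com"))
    print(diagnose(DC_ONLY_CERT, "dc01.domain.com"))
    print(diagnose(REISSUED_CERT, "domain.com"))
```

Run it against a live endpoint with `diagnose(fetch_peer_cert("domain.com"), "domain.com")`; note that a wildcard such as `*.domain.com` still does not cover the bare `domain.com`, which is why the resolution requires the apex name itself to be added as a SAN.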

Resolution

To resolve the issue, recreate the domain root certificate with the domain name added as a Subject Alternative Name (SAN) entry.

Otherwise the directory can only be configured against the FQDN of an individual domain controller.