
Intermittent: The server is not operational

Stack Overflow user
Asked on 2022-03-07 19:59:01
Answers 1 Views 693 Followers 0 Votes 0

When running Test Connection in AD production / AD staging and AD test, the following error occurs.

...server for ou=someusers,ou=anOU,dc=more,dc=morestuff,dc=stuff: The server is not operational. . HRESULT:[0x8007203A]", "Failed to connect to the server for ou=someusers,ou=anOUusers,dc=more,dc=more,dc=stuff: The server is not operational. . [0x8007203A]" InvalidConfigurationException Ensure: a) SearchDN is valid. b) User is active. c) User is not locked. d) If TLS is enabled in the domain configuration, the domain certificate is available in the Trusted Root folder on the IQService machine. Error details

IQService is installed on a Windows server on the same network as the domain controllers. We turned on TLS in IQService and looked at Wireshark captures; there seems to be a pause (about 15-20 seconds) before the error comes back. The Windows server is 2019 with a functional level of 2012R2. IdentityIQ is version 8.2p1. We shut down the domain controllers (except the primary) so that there was only one domain controller (in the lower environment), to make sure there was no cluster problem. There does not seem to be much load on the server; we checked utilization and it has been consistently low (less than 80% utilization, memory and CPU). The IQService server is not being flooded either, as it may see a request every few hours. We stressed the lower environment, trying to capture more of the problem, and issued (test requests) for about a minute. These test requests are not write requests but read requests. (As a note, we have seen this on writes as well.) Any ideas on what to test and how to run those tests?

I can confirm:

  1. SearchDN is valid (with three pairs of eyes verifying it; I assume there could be a blank character or similar, I will check again.)
  2. The user is not locked out, otherwise none of the requests would work
  3. The user is active
  4. Need to verify the domain certificate is in the correct location, but assume that if it were not, all requests would fail.

One idea that was raised is that there may be a problem with the ephemeral ports (1024-65535) between IQService and the domain controller. Any suggestions on ways to test and verify this theory? Thanks!!

Update:

Verified that the ports are open using the following commands:

Code language: cmd
netsh int ipv4 set dynamicport tcp start=1024 num=64511
netsh int ipv4 show dynamicport TCP

Update: adding part of application.xml

Code language: xml
  <entry key="domainSettings">
    <value>
      <List>
        <Map>
          <entry key="authenticationType" value="simple"/>
          <entry key="authorizationType" value="simple"/>
          <entry key="domainDN" value="%%AD_DOMAIN_DN%%"/>
          <entry key="domainIterateSearchFilter"/>
          <entry key="domainNetBiosName"/>
          <entry key="forestName" value="%%AD_FOREST%%"/>
          <entry key="password" value="%%AD_PASSWORD%%"/>
          <entry key="port" value="636"/>
          <entry key="servers">
            <value>
              <List>
                <String>%%AD_DOMAIN_SERVER%%</String>
              </List>
            </value>
          </entry>
          <entry key="useSSL">
            <value>
              <Boolean>%%AD_IQSERVICE_TLS%%</Boolean>
            </value>
          </entry>
          <entry key="user" value="%%AD_USER%%"/>
        </Map>
      </List>
    </value>
  </entry>

Some additional logs from IQService:

Code language: text
03/04/2022 11:40:19 : RpcHandler [ Thread-11 ] DEBUG : "Initiating the serviceState for 122"
03/04/2022 11:40:19 : RpcHandler [ Thread-11 ] INFO : "Calling Service [ADConnector] and method[testConfiguration] "
03/04/2022 11:40:19 : Impersonator [ Thread-11 ] DEBUG : "Authenticating as User [svcAccount] domain [dom]"
03/04/2022 11:40:19 : Impersonator [ Thread-11 ] DEBUG : "User [svcAccount] domain [dom] -> Authenticated"
03/04/2022 11:40:19 : AbstractConnector [ Thread-11 ] DEBUG : "ENTER AbstractConnector"
03/04/2022 11:40:19 : AbstractConnector [ Thread-11 ] DEBUG : "EXIT AbstractConnector"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER prepare"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT prepare"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER testConfiguration"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=users,ou=tii,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:19 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test] original [ou=users,ou=tii,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:40:19 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test, User=svcAccount@dom.foo.test authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=users,ou=tii,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=users,ou=tii,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
   at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
   at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:49 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:40:49 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test, User=svcAccount@dom.foo.test authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=fuu,ou=dom users,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
   at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
   at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=users,ou=coo,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:19 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test] original [ou=users,ou=coo,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:41:19 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test, User=svcAccount@dom.foo.test authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Failed to connect to the URL : LDAP://server.dom.foo.test/ou=users,ou=coo,dc=dom,dc=foo,dc=test : The server is not operational.
"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] ERROR : "Caught exception in testConfigurationSystem.Exception: Failed to connect to the server for ou=users,ou=coo,dc=dom,dc=foo,dc=test:The server is not operational. . HRESULT:[0x8007203A]
   at sailpoint.services.ADConnectorServices.bind(String distinguishedName, Boolean isCrossForest, Boolean isCrossDomain, String serverToBind, Boolean isCrossDomainMove, Boolean bindForShadow)
   at sailpoint.services.ADConnectorServices.doTestConfiguration(Hashtable registry)"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=boo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:49 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=boo,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=boo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:41:49 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=boo,ou=dom users,dc=dom,dc=foo,dc=test, User=svcAccount@dom.foo.test authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind to ou=boo,ou=dom users,dc=dom,dc=foo,dc=test is Successful"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "Parent Container is: LDAP://server.dom.foo.test/ou=dom users,dc=dom,dc=foo,dc=test"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "ENTER buildURLFromIdentity"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Server [server.dom.foo.test] DN [ou=joo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:42:04 : Util [ Thread-11 ] DEBUG : "FQDN for server.dom.foo.test: server.dom.foo.test"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "Derived URL[LDAP://server.dom.foo.test/ou=joo,ou=dom users,dc=dom,dc=foo,dc=test] original [ou=joo,ou=dom users,dc=dom,dc=foo,dc=test]"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT buildURLFromIdentity"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind with User new DirectoryEntry(LDAP://server.dom.foo.test/ou=joo,ou=dom users,dc=dom,dc=foo,dc=test, User=svcAccount@dom.foo.test authType=SecureSocketsLayer, ServerBind)"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] DEBUG : "EXIT bind"
03/04/2022 11:42:04 : ADConnectorServices [ Thread-11 ] INFO : "Bind to ou=joo,ou=dom users,dc=dom,dc=foo,dc=test is Successful"

1 Answer

Stack Overflow user

Posted on 2022-03-10 07:33:35

· You are getting this error because the 'Application.xml' file does not contain the correct configuration to connect to AD through the IQService connector. The 'application.xml' file should contain the DC server details in the following format.

The existing 'application.xml' configuration is as follows:

Code language: xml
<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=example,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers"/>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="EXAMPLE\Administrator"/>
      </Map>
    </List>
  </value>
</entry>

The new 'application.xml' configuration is as follows:

Code language: xml
<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=example,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers">
          <value>
            <List>
              <String>172.16.153.185</String>
            </List>
          </value>
        </entry>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="EXAMPLE\Administrator"/>
      </Map>
    </List>
  </value>
</entry>

· With the above change, your IQService should be able to 'test' connect to the domain controller IP you specified in the 'application.xml' file. Also make sure that the ports required by the SailPoint IQService are open from the member server to the domain controllers, and that the internal AD replication ports are open as well, as described below:

TCP 135, 137, 138, 139, 445, 389, 636, 3268, 3269, 88, 53, 1512, 42, 49152-65535. These ports are associated with various AD-related services, e.g. RPC endpoint mapper, DNS, WINS resolution, replication, RPC dynamic ports, etc.

Votes 1
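A way to check the two theories raised in the thread from the IQService member server, as an added example (not code from the question, the answer, or SailPoint): it probes the answer's port list with a timed TCP connect, repeated to surface an intermittent pause like the 15-30 s one in the question's logs, and completes an LDAPS handshake to report whether the DC certificate chains to a trusted root on this machine (point d). The DC name, the port subset and the probe cadence are assumptions.

```powershell
# Added example, not part of the original question or answer.
# Run on the IQService member server. $Dc is an assumption taken from the
# question's logs; replace it with your own domain controller.
$Dc    = 'server.dom.foo.test'
$Ports = 636, 389, 3268, 3269, 88, 53, 135, 445   # subset of the answer's port list

function Test-DcPort {
    # TCP connect with an explicit timeout; reports latency so that a slow
    # handshake (the 15-30 s pause seen before the error) shows up as a number.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw     = [System.Diagnostics.Stopwatch]::StartNew()
    $ar     = $client.BeginConnect($Server, $Port, $null, $null)
    $open   = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
    if ($open) { try { $client.EndConnect($ar) } catch { $open = $false } }
    $sw.Stop(); $client.Close()
    [pscustomobject]@{ Port = $Port; Open = $open; Ms = $sw.ElapsedMilliseconds }
}

function Test-LdapsCertificate {
    # Completes a TLS handshake on 636 and records the chain-validation result
    # without aborting, so a missing trusted root (point d) is reported, not hidden.
    param([string]$Server, [int]$Port = 636)
    $state = @{ Errors = $null }
    $sb = {
        param($sender, $cert, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors   # captured hashtable, mutated in place
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $client.Close()
    [pscustomobject]@{
        Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        ChainErrors = $state.Errors   # 'None' means the DC cert chains to a trusted root here
    }
}

# Repeat the probes to catch an intermittent failure: 10 rounds, 30 s apart (assumed cadence).
$results = foreach ($round in 1..10) {
    foreach ($p in $Ports) { Test-DcPort -Server $Dc -Port $p }
    Start-Sleep -Seconds 30
}
$results | Where-Object { -not $_.Open -or $_.Ms -gt 2000 } | Format-Table -AutoSize
Test-LdapsCertificate -Server $Dc | Format-List
```

A connect that only sometimes exceeds the 2 s threshold on 636 while the other ports stay fast points at the LDAPS path rather than the ephemeral-port range; ChainErrors other than None means the DC certificate is not trusted on this machine regardless of how the ports behave.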
Page content provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/71386604
