TLS handshake failed

While Configuring an Active Directory in the agent, you may encounter the following error on the WSTEP tab of the on-premises PKIaaS Virtual Machine. It means the agent could not complete a TLS handshake with the domain controller's LDAPS endpoint (TCP port 636 by default).

ErrorDialURL
url: ldap://<DOMAIN-CONTROLLER-FQDN>LDAP Result Code 200 "Network Error": TLS handshake failed (tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config)

See below for a list of possible causes and the corresponding solutions.

Missing LDAPS TLS certificate

The Domain Controller is missing a TLS certificate for LDAPS.

Issue resolution:

  1. Run the command described in Validating the LDAPS configuration

  2. If the output of the command does not contain an LDAPS TLS certificate, follow the steps described in Setting up LDAPS on domain controllers.

Invalid LDAPS TLS certificate

The Domain Controller does not have a valid TLS certificate for LDAPS connections.

Issue resolution: Check the following causes.

LDAPS TLS certificate not trusted

The root CA certificate of the LDAPS TLS certificate chain is not trusted.

Issue resolution: Verify that the root CA certificate of the root Active Directory domain (the root of the chain that issued the domain controller's LDAPS certificate) matches the root CA certificate imported when Configuring an Active Directory in the agent.

Incorrect DNS entries

The DNS server used by the agent might return an incorrect IP address for the Active Directory domain controller FQDN, so the TLS connection reaches a host whose certificate was not issued for that name.

Issue resolution: Verify that the domain controller FQDN configured in the agent resolves to the correct IP address on the DNS server the agent uses.
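The following script is an added diagnostic example, not part of the product or of this page. It reproduces, from any host that can reach the domain controller, the connection the agent attempts: resolve the FQDN, open TLS to port 636 with the imported root CA as the only trust anchor and with hostname verification on, and map whatever fails to the causes listed above (no listener or aborted handshake for a missing LDAPS certificate, chain verification failure for an untrusted root, hostname mismatch for a wrong DNS entry or a certificate issued for another name). The file paths and host names are placeholders. One caveat worth knowing: the error text on this page is the wording of Go's crypto/tls, and Go ignores the certificate's Subject CN, so the domain controller's FQDN must appear in the certificate's Subject Alternative Name; the check below therefore looks only at the SAN.

```python
"""Probe a domain controller's LDAPS endpoint the way a hostname-verifying TLS client does.

Usage (placeholders, not real hosts or files):
    python ldaps_probe.py dc01.corp.example.com imported-root-ca.pem
"""
import socket
import ssl
import sys


def resolve(fqdn: str) -> list[str]:
    """Return the addresses DNS gives for the DC FQDN (empty list if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(fqdn, 636, proto=socket.IPPROTO_TCP)
        return sorted({ai[4][0] for ai in infos})
    except socket.gaierror:
        return []


def hostname_in_cert(cert: dict, fqdn: str) -> bool:
    """True if a DNS SAN in a getpeercert() dict covers fqdn.

    Only the SAN is consulted (a CN-only certificate fails, as it does in Go);
    a single-label wildcard such as *.corp.example.com is accepted.
    """
    host = fqdn.rstrip(".").lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.rstrip(".").lower()
        if name == host:
            return True
        if (name.startswith("*.") and name.count(".") == host.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised while connecting to one of the causes on this page."""
    if isinstance(exc, ConnectionRefusedError):
        return "not_listening"        # nothing on 636: LDAPS not enabled, usually no certificate
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL verify code 62 is X509_V_ERR_HOSTNAME_MISMATCH; fall back to the message text
        if getattr(exc, "verify_code", None) == 62 or "hostname mismatch" in str(exc).lower():
            return "hostname_mismatch"  # chain is trusted but the cert was not issued for this FQDN
        return "untrusted"            # chain does not end in the imported root CA
    if isinstance(exc, (ssl.SSLError, ConnectionResetError, EOFError)):
        return "handshake_failed"     # DC aborted TLS: typically no LDAPS certificate installed
    if isinstance(exc, OSError):      # timeouts, unreachable network, etc.
        return "unreachable"
    return "unknown"


def probe_ldaps(fqdn: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect with SNI and hostname verification, trusting only ca_file (the imported root CA)."""
    result = {"fqdn": fqdn, "addresses": resolve(fqdn), "status": "", "detail": ""}
    if not result["addresses"]:
        result["status"] = "dns_failure"
        return result
    # Passing cafile means the system trust store is NOT loaded: only the imported root counts.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                result["status"] = "ok" if hostname_in_cert(cert, fqdn) else "hostname_mismatch"
                result["detail"] = f"issuer={cert.get('issuer')} tls={tls.version()}"
    except Exception as exc:  # classify rather than crash so the operator sees the cause
        result["status"] = classify_failure(exc)
        result["detail"] = repr(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(__doc__)
    outcome = probe_ldaps(sys.argv[1], sys.argv[2])
    print(f"{outcome['fqdn']} -> {', '.join(outcome['addresses']) or 'no DNS answer'}")
    print(f"status: {outcome['status']}")
    if outcome["detail"]:
        print(f"detail: {outcome['detail']}")
```

Run it from a host with the same DNS configuration as the agent. A status of "not_listening" or "handshake_failed" points at Missing LDAPS TLS certificate, "untrusted" at LDAPS TLS certificate not trusted, and "dns_failure" or "hostname_mismatch" at Incorrect DNS entries (or a certificate whose SAN lacks the FQDN).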