lithnet / googleapps-managementagent

Google Workspace Management Agent for MIM 2016
MIT License

(Another) Unable to retrieve schema error #32

Closed IAmStevenJohnson closed 6 years ago

IAmStevenJohnson commented 6 years ago

Don't want to bother you with another one of these errors, but your help on others' issues like this has been helpful to me. So maybe this will also help others.

I've got this working on our dev and production servers, but on our test server I can't get past the Schema 1 screen when creating the MA.

It seems to be an SSL/TLS issue but I can't figure out, or find, an answer. The registry settings for SCHANNEL Ciphers and Protocols are the same on all three servers.

So I thought I'd ask you here after much gnashing of teeth and running out of other ideas. Just to see if you have any thoughts on where to look next for a solution. Thanks for any help.

The event log error is this:

The extensible extension returned an unsupported error. The stack trace is: "System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Google.Apis.Http.ConfigurableMessageHandler.d59.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.d0.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d19.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceCredential.d23.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d20.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceCredential.d21.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Http.ConfigurableMessageHandler.d59.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Requests.ClientServiceRequest`1.d33.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Google.Apis.Requests.ClientServiceRequest1.Execute()
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request, Int32 retryAttempts)
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request)
   at Lithnet.GoogleApps.SchemaRequestFactory.ListSchemas(String customerID)
   at Lithnet.GoogleApps.MA.SchemaBuilder.AddUserCustomSchema(MASchemaType type, IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 2474
   at Lithnet.GoogleApps.MA.SchemaBuilder.GetUserSchema(IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 1293
   at Lithnet.GoogleApps.MA.SchemaBuilder.GetSchema(String type, IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 51
   at Lithnet.GoogleApps.MA.SchemaBuilder.GetSchema(IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 27
   at Lithnet.GoogleApps.MA.ManagementAgent.GetSchema(KeyedCollection2 configParameters) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ManagementAgent.cs:line 405
Forefront Identity Manager 4.1.3766.0"

ryannewington commented 6 years ago

Do you have a proxy for Fiddler installed? The error message is complaining about the certificate itself:

The remote certificate is invalid according to the validation procedure

If you need to disable certificate validation, you can do so by modifying the miiserver.exe.config file (provided you are running the MA in process)

<configuration>
  <configSections> <!-- add the line below if there is an existing <configSections> element -->
    <section name="lithnet-google-ma" type="Lithnet.GoogleApps.MA.MAConfigurationSection, Lithnet.GoogleApps.MA" />
  </configSections>

  <lithnet-google-ma http-debug-enabled="true"/>

...
</configuration>

IAmStevenJohnson commented 6 years ago

Ryan, thanks for your response. I don't have a Fiddler proxy installed, but we do go through a regular web proxy. I tried disabling certificate validation as you mentioned, but that didn't seem to make any difference.

However, we did find the solution. I was logged into the FIM server with my credentials and changed the proxy from our normal autoproxy script to a specific server proxy. That was enough to get us through the initial connectivity screen on the MA. But since the FIM Sync service runs under a service account, we had to login with that service account and change the proxy server for it too. Then we were able to read the schema no problem.

So thanks for your help and for this MA. Really appreciate it. We'll be running a test shortly with a couple hundred thousand user accounts. If that works well and we move to production, we'll be attempting it with groups--including some large ones. Hoping this can replace GCDS.
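
The two things worth checking when this error appears behind a corporate proxy are exactly the two that resolved this thread: which proxy the account running the sync service actually resolves for the Google endpoint, and which certificate chain arrives through that proxy. The script below is an added diagnostic, not code from the Lithnet MA or from either participant. It assumes the token endpoint host oauth2.googleapis.com (the trace shows the failure inside the OAuth2 token request but does not name the host) and an unauthenticated HTTP proxy reachable on the `$ProxyHost`/`$ProxyPort` placeholders; proxies that demand authentication on CONNECT are not handled. Because .NET Framework clients such as the MA take their default proxy from the current user's WinINet settings, run it once interactively and once as the sync service account (for example via `runas /user:DOMAIN\svc-mimsync powershell.exe`, a placeholder account name) and compare the output.

```powershell
# Added diagnostic (not part of the Lithnet MA or this thread). Reports (1) the proxy the
# current account's WinINet settings resolve for a URL and (2) the certificate chain the
# client actually receives for a host, optionally through an HTTP CONNECT tunnel.
# Placeholders (assumptions): oauth2.googleapis.com as target, proxy.corp.example:8080.

function Get-ResolvedProxy {
    param([Parameter(Mandatory)][string]$Url)
    # GetSystemWebProxy() evaluates the *current user's* settings, including a PAC/autoproxy
    # script, which is why the service account must be tested separately from your own login.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $resolved = $proxy.GetProxy([uri]$Url)
    if ($resolved -eq [uri]$Url) { return 'direct' }   # no proxy: GetProxy echoes the target URI
    return $resolved.ToString()
}

function Get-ServerCertificateChain {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [string]$ProxyHost = '',      # empty = connect directly
        [int]$ProxyPort = 8080
    )
    $client = New-Object System.Net.Sockets.TcpClient
    if ($ProxyHost) {
        # Open a CONNECT tunnel; the TLS handshake then runs inside it, so any certificate a
        # TLS-intercepting proxy substitutes is what the callback below will record.
        $client.Connect($ProxyHost, $ProxyPort)
        $net = $client.GetStream()
        $request = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $net.Write($bytes, 0, $bytes.Length)
        $reply = ''
        $one = New-Object byte[] 1
        while (-not $reply.EndsWith("`r`n`r`n")) {       # read the reply header byte by byte
            if ($net.Read($one, 0, 1) -le 0) { throw 'Proxy closed the connection during CONNECT' }
            $reply += [char]$one[0]
        }
        if ($reply -notmatch '^HTTP/1\.[01] 200') {
            throw "CONNECT refused: $($reply.Split("`n")[0].Trim())"
        }
    } else {
        $client.Connect($TargetHost, 443)
        $net = $client.GetStream()
    }

    # Filled in by the validation callback, which SslStream invokes synchronously on this
    # thread during AuthenticateAsClient.
    $seen = @{ Chain = @(); ChainStatus = @(); PolicyErrors = $null; Protocol = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors
        $seen.Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $seen.ChainStatus = @($chain.ChainStatus   | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true   # accept so the chain can be recorded; this is a diagnostic, never a fix
    }.GetNewClosure())

    $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)   # sends SNI and validates the name against $TargetHost
        $seen.Protocol = $ssl.SslProtocol.ToString()
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    return [pscustomobject]$seen
}

# Usage: run as the interactive user, then as the sync service account, and compare.
$tokenUrl = 'https://oauth2.googleapis.com/token'   # assumption: token endpoint hit in the trace
"Proxy resolved by $env:USERNAME for $tokenUrl -> $(Get-ResolvedProxy -Url $tokenUrl)"
Get-ServerCertificateChain -TargetHost 'oauth2.googleapis.com' | Format-List
# Through the proxy the MA would use (substitute the value Get-ResolvedProxy printed):
# Get-ServerCertificateChain -TargetHost 'oauth2.googleapis.com' -ProxyHost 'proxy.corp.example' -ProxyPort 8080 | Format-List
```

A healthy result shows a chain ending at a public root, `PolicyErrors` of `None`, and a modern protocol. A chain whose issuer is an internal CA means the proxy is terminating TLS; that is only acceptable if the issuing CA is in the LocalMachine Trusted Root store, since a CA imported into one user's CurrentUser store is invisible to the service account, and `ChainStatus` will then report `UntrustedRoot` for that account alone. Note that `netsh winhttp show proxy` reports the WinHTTP proxy, which is a different setting from the per-user WinINet one that .NET Framework reads by default.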

ryannewington commented 6 years ago

Glad to hear you got it sorted. Am using it myself in production with 200k users and about 50k groups, so you should be fine. If you run into any issues reach out.