Error: The Certificate for the Domain Controller is Untrusted or Invalid
Problem
When connecting to an HP Anyware PCoIP Agent, the client receives the error "The Certificate for the Domain Controller is Untrusted or Invalid."
Causes:
- The error generally means that the HP Anyware Connector was unable to communicate with the Domain Controller because of an LDAPS certificate problem. The HP Anyware Connector only fetches the Domain Controller's certificate at install or update time, so if the certificate has been changed or recently renewed, the HP Anyware Connector must be updated to fetch the latest certificate.
- This error can also occur if the Domain Controller's IP address, rather than its FQDN, was used when installing or updating the HP Anyware Connector.
Resolution
Check that LDAPS is enabled on the Domain Controller, that the LDAPS certificate is valid and not expired, and that the Domain Controller is using the correct certificate.
The easiest way to check is to open a TLS connection to the LDAPS port on the Domain Controller from the HP Anyware Connector VM. This confirms that the HP Anyware Connector can reach the Domain Controller over TCP port 636.
openssl s_client -connect dc1.domain.com:636
Also make sure that the certificate is not expired or otherwise invalid (for example, an incorrect Common Name or Subject Alternative Name). The connection must name the LDAPS port, and s_client is closed immediately so that only the certificate dates are printed:
openssl s_client -connect dc1.domain.com:636 </dev/null 2>/dev/null | openssl x509 -noout -dates
If the Domain Controller returns an expiration date in the past, then you will need to update the HP Anyware Connector to fetch the latest certificates.
See: How to update a HP Anyware Connector
- This error can also occur if the Domain Controller's IP address was used when installing or updating the HP Anyware Connector. Use the FQDN of the Domain Controller instead: the certificate's subject name (or Subject Alternative Name) generally contains the fully qualified domain name of the machine being connected to, so connecting by IP address causes certificate validation to fail.
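The checks above (reachability on TCP 636, expiry, and whether the name used to connect matches the certificate's SAN/CN) combined into one script. This is an added example, not HP's own tooling; it assumes openssl 1.1.1 or later is on the PATH, and dc1.domain.com and the DC_FQDN variable are placeholder names.

```shell
#!/bin/sh
# Added example, not HP's own tooling: run the LDAPS checks from the article
# (reachability on TCP 636, expiry, name match) against a Domain Controller.
# Assumes openssl 1.1.1+ on PATH. dc1.domain.com / DC_FQDN are placeholders.

# Fetch the leaf certificate the DC presents on the LDAPS port and save it as PEM.
# Returns non-zero if the port is unreachable or no certificate came back.
fetch_ldaps_cert() {
  host="$1"; port="${2:-636}"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out" 2>/dev/null || return 1
  [ -s "$out" ]
}

# Validate a PEM certificate the way a hostname-based LDAPS client does:
# it must not be expired, and the name used to connect (the DC FQDN) must
# appear in the Subject Alternative Name, or in the CN when there is no SAN.
# An IP address used instead of the FQDN fails the second check.
check_ldaps_cert() {
  pem="$1"; name="$2"
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate expired ($(openssl x509 -in "$pem" -noout -enddate))"
    return 1
  fi
  if ! openssl x509 -in "$pem" -noout -checkhost "$name" | grep -q 'does match'; then
    echo "FAIL: '$name' is not in the certificate's SAN/CN; use the DC FQDN, not its IP"
    return 2
  fi
  echo "OK: certificate is valid for $name until $(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)"
}

# Usage from the Connector VM: DC_FQDN=dc1.domain.com sh check_ldaps.sh
if [ -n "${DC_FQDN:-}" ]; then
  tmpcert=$(mktemp)
  if fetch_ldaps_cert "$DC_FQDN" 636 "$tmpcert"; then
    check_ldaps_cert "$tmpcert" "$DC_FQDN"
  else
    echo "FAIL: no TLS certificate from $DC_FQDN:636 (LDAPS disabled or port blocked?)"
  fi
  rm -f "$tmpcert"
fi
```

A "FAIL" from the name check with the IP address but "OK" with the FQDN is exactly the second cause listed above.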