Troubleshoot certificate-related problems

You might see the following certificate-related errors in your Google Cloud Directory Sync (GCDS) log file:

  • sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • ldap_simple_bind_s() failed: Strong Authentication Required

Follow the steps below to fix these errors. 

On this page

Fix certificate-related errors

Expand section  |  Collapse all & go to top

Steps for Microsoft Windows

Update the vmoption file 

  1. Close Configuration Manager.
  2. In the installation directory of GCDS, open the sync-cmd.vmoptions and config-manager.vmoptions files.

    The installation directory is usually C:\Program Files\Google Cloud Directory Sync.

  3. Edit the files to add the following lines:

    -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
    -Djavax.net.ssl.trustStoreType=Windows-ROOT
    -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl
    -Dcom.sun.jndi.ldap.connect.pool.authentication=none simple

  4. Restart Configuration Manager and go to the LDAP Configuration page.
  5. For Connection type, specify LDAP+SSL.
  6. For Port choose an option:
    • If you previously used 389, specify 636
    • If you previously used 3268, specify 3269.
  7. Click Test connection.
  8. If you get:
    • A certificate error–On the computer where GCDS is running, make sure that the certificate is trusted by Windows. Then, proceed to Step 2: Import the server certificate (below on this page).
    • A certificate revocation checking error–Follow the steps in How GCDS checks certificate revocation lists.
    • Other errors (for example, network errors)–Go to Troubleshoot common GCDS issues.

Import the server certificate

You can also use these steps to import certificates for LDAP servers or HTTP proxies that use self-signed certificates.

  1. Sign in to the domain controller and open a command prompt.
  2. To export the domain controller certificate, enter the following command:

    certutil -store My DomainController dccert.cer

  3. Copy the dccert.cer file to the server where GCDS is installed.
  4. As an administrator, open a command prompt.
  5. To open the GCDS Java Runtime Environment (JRE) installation folder, enter the following command:

    cd "c:\Program Files\Google Cloud Directory Sync\jre"

    If you're running a 32-bit version of GCDS that is installed on a 64-bit Windows system use cd "c:\Program Files (x86)\Google Cloud Directory Sync\jre"

  6. To import the domain controller's certificate, enter the following command:

    bin\keytool -keystore lib\security\cacerts -storepass changeit -import -file c:\dccert.cer -alias mydc

    If you need to import more than one certificate, repeat these steps using a different alias in place of mydc.

  7. Enter Yes to trust the certificate.
  8. Close Configuration Manager.
  9. In the installation directory of GCDS, using a text editor, open the sync-cmd.vmoptions and config-manager.vmoptions files.
  10. In each file, remove:

    -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
    -Djavax.net.ssl.trustStoreType=Windows-ROOT

    When you remove the lines, GCDS uses the certificate store in lib/security/cacerts instead of the Windows system store.

  11. Open Configuration Manager, go to the LDAP Configuration page, and click Test Connections.
  12. If you're still seeing certificate-related errors, you might need to import your organization's Certificate Authority (CA) certificate rather than your domain controller certificate. To do this, repeat these steps but export and import the CA certificate instead.
Steps for Linux

You can also use these steps to import certificates for LDAP servers or HTTP proxies that use self-signed certificates.

  1. Sign in to the domain controller and open a command prompt.
  2. To locate the domain certificate, enter the following command:

    certutil -store My DomainController dccert.cer

  3. Copy the dccert.cer file to the server where GCDS is installed.
  4. To open the GCDS Java Runtime Environment (JRE) installation folder, open a command prompt and enter the following command:

    cd ~/GoogleCloudDirSync/jre

  5. To import the domain controller's certificate, enter following command:

    bin/keytool -keystore lib/security/cacerts -storepass changeit -import -file ~/dccert.cer -alias mydc

    If you need to import more than one certificate, repeat these steps using a different alias in place of mydc.

  6. Enter Yes to trust the certificate.
  7. Close Configuration Manager.
  8. In the installation directory of GCDS, using a text editor, open the sync-cmd.vmoptions and config-manager.vmoptions files.

    The installation directory is usually ~/GoogleCloudDirSync.

  9. In each file, remove:

    -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
    -Djavax.net.ssl.trustStoreType=Windows-ROOT

    When you remove the lines, GCDS uses the certificate store in lib/security/cacerts instead of the Windows system store.

  10. Open Configuration Manager, go to the LDAP Configuration page, and click Test Connections.
  11. If you're still seeing certificate-related errors, you might need to import your organization's Certificate Authority (CA) certificate rather than your domain controller certificate. To do this, repeat these steps but export and import the CA certificate instead.

How GCDS checks certificate revocation lists

GCDS needs to validate Secure Sockets Layer (SSL) certificates when connecting to Google APIs (over HTTPS) and to LDAP over SSL. GCDS does this by retrieving certificate revocation lists (CRLs) from Certificate Authorities over HTTP. Sometimes, these validations fail, usually due to a proxy or firewall blocking the HTTP request.

Make sure the GCDS server can access the following URLs over HTTP (port 80):

  • http://crl.pki.goog
  • http://crls.pki.goog
  • http://c.pki.goog

For details on current CRLs, go to CRL check. Additional URLs might be needed if you're using your own certificates for LDAP over SSL.

If you can't allow CRL access, you can turn off CRL checks:

  1. In the installation directory of GCDS, open the sync-cmd.vmoptions and config-manager.vmoptions files using a text editor.

    The installation directory is usually C:\Program Files\Google Cloud Directory Sync (Windows) or ~/GoogleCloudDirSync (Linux).

  2. Add these lines to the files:

    -Dcom.sun.net.ssl.checkRevocation=false
    -Dcom.sun.security.enableCRLDP=false

Sync is slow after switching to LDAP+SSL

If you have switched to LDAP+SSL and your sync process has slowed: 

  1. Close Configuration Manager.
  2. In the installation directory of GCDS open the sync-cmd.vmoptions and config-manager.vmoptions files using a text editor.

    The installation directory is usually C:\Program Files\Google Cloud Directory Sync (Windows) or ~/GoogleCloudDirSync (Linux).

  3. Edit the files to add the following lines:

    -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl
    -Dcom.sun.jndi.ldap.connect.pool.authentication=none simple

  4. Save the files and retry the sync.

Ensure authentication after Microsoft ADV190023 update

If you're using Microsoft Active Directory with channel binding and LDAP signing turned on, you must take additional steps to ensure that GCDS authenticates using LDAP over SSL. Otherwise, GCDS won’t connect to Active Directory and your synchronizations will fail. You need to take these steps even if you previously ran a sync using Standard LDAP authentication. For details on Microsoft advisory ADV190023, see your Microsoft documentation.

If you're already successfully using LDAP over SSL, you don't need to take any steps.

Expand section  |  Collapse all & go to top

Step 1: Turn on TLS in Active Directory

The terms TLS and SSL are often used interchangeably. 

To turn on TLS in Active Directory, consult these Microsoft articles:

Step 2: Ensure that the certificate is trusted

The Certificate Authority (CA) that signed your domain controller’s certificate must be trusted by GCDS. Most well-known internet CAs, such as Verisign, Comodo, and Let's Encrypt, are trusted. If you use these CAs, you can skip this step.

If your CA is not trusted or if you're using your own root CA, follow the steps above in Fix certificate-related errors.
Step 3: Set up Configuration Manager
  1. Open Configuration Manager and go to the LDAP Configuration page.
  2. For the Connection type setting, specify LDAP+SSL.
  3. For the Port setting, specify 636 (if you previously used 389) or 3269 (if you previously used 3268).
  4. Click Test connection.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
16978439905337466622
true
Search Help Center
true
true
true
true
true
73010
false
false