Version Affected: All
Webservices allow you to connect a realm on an IdP, such as in a DMZ, to a SecureAuth server on the internal network over 443 for the User lookup, rather than having to open up additional ports to your Datastores.
After a Certificate change on the internal server, the connection is failing and you see "Invalid User" when attempting to log in to the WebService realm.
For the DMZ realm to connect to the internal data realm, the Cert needs to match the FQDN specified on the Data tab of the DMZ realm.
1. Open up the Admin Console on the DMZ server and navigate to the realm in question
2. On the Data tab, take a look at the FQDN you're using to reach the internal server
3. Check this resolves to the correct IP
4. On the Internal Server, check the binding cert matches the FQDN seen in step 2 (using the SAN part of the certificate is fine too)
5. If there is no match, either update the Cert so it includes a SAN for the FQDN you're using or consider using a different FQDN to match what is already in the Cert.
The best choice for step 5 depends on how many internal servers are involved and how your DNS is set up. If in doubt, reach out to support and refer to this article.
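Steps 3 and 4 can be checked in one pass from the DMZ server. The PowerShell below is an added example, not SecureAuth code: the FQDN and expected IP are placeholders, and it assumes the internal server answers on 443 and that the SAN extension is formatted the way Windows or PowerShell 7 on Linux prints it.

```powershell
# Added example. Replace the two placeholder values before running.
$Fqdn       = 'internal-idp.example.com'  # placeholder: FQDN from the DMZ realm's Data tab (step 2)
$ExpectedIp = '10.0.0.10'                 # placeholder: IP of the internal server (step 3)

# Step 3: does the FQDN resolve to the expected address from this machine?
$resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }

# Step 4: fetch the certificate bound on 443. The callback accepts any certificate
# so that a mismatched or untrusted one can still be read; diagnostic use only.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl    = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Fqdn)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Collect the subject CN plus every DNS entry in the SAN extension (OID 2.5.29.17).
$cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$names = @($cn)
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # "DNS Name=" is the English Windows label; "DNS:" is the OpenSSL-style label.
    $names += [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Exact match, or a wildcard entry covering exactly one left-most label.
$matching = $names | Where-Object {
    if ($_.StartsWith('*.')) {
        $Fqdn.IndexOf('.') -gt 0 -and $Fqdn.Substring($Fqdn.IndexOf('.')) -ieq $_.Substring(1)
    } else {
        $_ -ieq $Fqdn
    }
}

[pscustomobject]@{
    Fqdn            = $Fqdn
    ResolvedTo      = $resolved -join ', '
    DnsMatches      = $resolved -contains $ExpectedIp
    CertSubject     = $cert.Subject
    CertNames       = ($names | Select-Object -Unique) -join ', '
    CertNotAfter    = $cert.NotAfter
    CertMatchesFqdn = [bool]$matching
}
```

If `CertMatchesFqdn` is `False`, the list in `CertNames` shows which names the bound certificate does cover, which is the input needed for the decision in step 5.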
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.