-
Title
Synchronization Editor Remote Connection Plugin error: "An existing connection was forcibly closed by the remote host." -
Description
Customers upgrading to version 9.2 of Identity Manager and are using the Remote Connect Plugin can face the error "An existing connection was forcibly closed by the remote host." Even after attempting to configure the Remote Connection Plugin following the documentation (RemoteConnectPlugin). -
Cause
The official documentation is not up to date and will be corrected with the following Change Requests:
#36075: To document the two authentication methods available for RemoteConnectPlugin.
#37430: To remove the mentions to the AuthenticationMethod field on the new documentation.
In addition, it will be mentioned that a certificate binding to the Remote Connect Plugin port should be used (as mentioned here: How to: Configure a Port with an SSL Certificate). -
Resolution
Reconfigure the Remote Connect Plugin to use one of the new authentication methods and configure the certificate on the corresponding port.
Example configuration for testing on the host where the JobService is running:
1. Create a certificate:
PS> powershell -Command "New-SelfSignedCertificate -DnsName localhost -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10)"
2. Bind the certificate to the configured port: (To get your appid you can use the get-startapps command in Powershell, or use any, as it's an informed value for future reference)
PS> netsh http add sslcert ipport=0.0.0.0:<Port> certhash=<CertHash_OutputFromThePreviousPowershellCommand> appid={F06D38CA-DF0F-4D72-BC33-D3F6472A8DEE}
3. Add the permissions:
PS> netsh http add urlacl url=https://+:<Port>/Remoting/ user=Everyone listen=yes
4. Firewall rules for TCP traffic on the configured <Port>.
** JobService configuration
In JobServiceConfiguration we recommend the following values:
- switch to category Plugins -> RemoteConnectPlugin
- for "HttpBindAddress" set: +
- for "Port" set: 2880
- for "UseHttps" leave the checkbox marked.On the AuthMethod module selection we recommend to use "ADGroupAuthentication" and to provide the group SID of the allowed group. (The SecretAuthentication authentication method is recommended for containerized environments)