Troubleshoot certificate-related problems

You might see the following certificate-related errors in your Google Cloud Directory Sync (GCDS) log file:

  • sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • ldap_simple_bind_s() failed: Strong Authentication Required

Fix certificate-related errors

Step 1: Update the .vmoption files

Note: If you’re using Linux, skip this step and proceed to step 2.

  1. Close Configuration Manager.
  2. In the installation directory of GCDS, open the sync-cmd.vmoptions and config-manager.vmoptions files.

    Note: The installation directory is usually C:\Program Files\Google Cloud Directory Sync.

  3. Edit the files to add the following lines:

    -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
    -Djavax.net.ssl.trustStoreType=Windows-ROOT
    -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl
    -Dcom.sun.jndi.ldap.connect.pool.authentication=none simple

  4. Restart Configuration Manager and go to the LDAP Configuration page.
  5. For Connection type, specify LDAP+SSL.
  6. For Port, specify 636 (if you previously used 389) or 3269 (if you previously used 3268).
  7. Click Test connection.
  8. If you’re still seeing a certificate-related error, proceed to step 2 below. If you’re seeing other errors (for example, network errors), refer to Troubleshoot common GCDS issues.

Step 2: Import the server certificate

You can also use these steps to import certificates for LDAP servers or HTTP proxies that use self-signed certificates.

  1. Sign in to the domain controller.
  2. Open a command prompt (CMD) or terminal window.
  3. Enter certutil -store My DomainController dccert.cer.
  4. Copy the dccert.cer file to the server where GCDS is installed.
  5. Sign in to the server where GCDS is installed.
  6. Open a command prompt (CMD) or terminal window.

    On Windows, make sure you're running the command prompt as an administrator.

  7. Enter one of the following commands to open the GCDS Java Runtime Environment (JRE) installation folder:
    • For Microsoft Windows, enter cd "c:\Program Files\Google Cloud Directory Sync\jre".
    • For 32-bit GCDS installed on a 64-bit Windows system, enter cd "c:\Program Files (x86)\Google Cloud Directory Sync\jre".
    • For Linux, enter cd ~/GoogleCloudDirSync/jre.
  8. Enter one of the following commands to import the domain controller's certificate:
    • For Windows, enter bin\keytool -keystore lib\security\cacerts -storepass changeit -import -file c:\dccert.cer -alias mydc.
    • For Linux, enter bin/keytool -keystore lib/security/cacerts -storepass changeit -import -file ~/dccert.cer -alias mydc.

      Note: If you need to import more than one certificate, repeat these steps using a different alias in place of "mydc".

  9. Enter Yes to trust the certificate.
  10. Close Configuration Manager.
  11. In the installation directory of GCDS, open the sync-cmd.vmoptions and config-manager.vmoptions files.

    Note: The installation directory is usually C:\Program Files\Google Cloud Directory Sync (Windows) or ~/GoogleCloudDirSync (Linux).

  12. In each file, remove:

    -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
    -Djavax.net.ssl.trustStoreType=Windows-ROOT

    Note: Removing the lines means that GCDS uses the certificate store in lib/security/cacerts instead of the Windows system store.

  13. Open Configuration Manager, go to the LDAP Configuration page, and click Test Connections to confirm you can connect to your LDAP server.
  14. If you're still seeing certificate-related errors, you might need to import your organization's Certificate Authority (CA) certificate rather than your domain controller certificate. To do this, repeat the steps above but export and import the CA certificate instead.

How GCDS checks certificate revocation lists

GCDS needs to validate Secure Sockets Layer (SSL) certificates when connecting to Google APIs (over HTTPS) and to LDAP over SSL. GCDS does this by retrieving certificate revocation lists (CRLs) from Certificate Authorities over HTTP. Sometimes, these validations fail, usually due to a proxy or firewall blocking the HTTP request.

Make sure the GCDS server can access the following URLs over HTTP (port 80):

  • http://crl.geotrust.com/crls/gtglobal.crl
  • http://g.symcb.com/crls/gtglobal.crl
  • http://crl.pki.goog/GTS1O1core.crl
  • http://crl.pki.goog/gsr2/gsr2.crl

For details on current CRLs, go to CRL check.

Additional URLs might be needed if you're using your own certificates for LDAP over SSL.

If you can't enable CRL access, you can disable CRL checks. To do so, edit the sync-cmd.vmoptions and config-manager.vmoptions files in the installation directory of GCDS and add these lines:

-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

Sync is slow after switching to LDAP+SSL

If you have switched to LDAP+SSL and your sync process has slowed:

  1. Close Configuration Manager.
  2. In the installation directory of GCDS, open the sync-cmd.vmoptions and config-manager.vmoptions files using a text editor.
    Note: The installation directory is usually C:\Program Files\Google Cloud Directory Sync (Windows) or ~/GoogleCloudDirSync (Linux).
  3. Edit the files to add the following lines:
    -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl
    -Dcom.sun.jndi.ldap.connect.pool.authentication=none simple
  4. Save the files and retry the sync.
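The edits in Step 1, Step 2, the CRL section and the slow-sync procedure all touch the same two .vmoptions files. The following added example (not Google's code) applies those exact option lines idempotently, removes them again where Step 2 asks, and reports which trust store GCDS will end up using and whether revocation checks are still on; the SAMPLE file content is constructed for the demonstration.

```python
"""Apply and audit the GCDS .vmoptions edits described on this page (added example)."""
from pathlib import Path

# Option lines exactly as the page lists them.
WINDOWS_STORE = [  # Step 1 adds these, Step 2 removes them
    "-Djavax.net.ssl.trustStoreProvider=SunMSCAPI",
    "-Djavax.net.ssl.trustStoreType=Windows-ROOT",
]
POOL_SSL = [  # Step 1 and the slow-sync fix
    "-Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl",
    "-Dcom.sun.jndi.ldap.connect.pool.authentication=none simple",
]
NO_CRL = [  # disables revocation checking entirely
    "-Dcom.sun.net.ssl.checkRevocation=false",
    "-Dcom.sun.security.enableCRLDP=false",
]

# Constructed stand-in for a stock sync-cmd.vmoptions file.
SAMPLE = "-Xmx1024m\n-Dfile.encoding=UTF-8\n"


def add_options(text: str, options: list[str]) -> str:
    """Append each option that is not already present; re-running is a no-op."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    present = {l.strip() for l in lines}
    lines += [o for o in options if o not in present]
    return "\n".join(lines) + "\n"


def remove_options(text: str, options: list[str]) -> str:
    """Drop the given options; every other line keeps its order."""
    drop = set(options)
    lines = [l.rstrip("\r") for l in text.splitlines() if l.strip() not in drop]
    return "\n".join(lines) + "\n"


def audit(text: str) -> dict:
    """Summarise the trust posture a .vmoptions file produces."""
    opts = {l.strip() for l in text.splitlines()}
    return {
        # Windows-ROOT means the Windows system store; otherwise the JRE cacerts file.
        "trust_store": "Windows-ROOT" if WINDOWS_STORE[1] in opts else "jre/lib/security/cacerts",
        # False means GCDS will accept certificates without checking a CRL.
        "crl_checks": not any(o in opts for o in NO_CRL),
        "ssl_pooling": all(o in opts for o in POOL_SSL),
    }


def apply_to_file(path: Path, add=(), remove=()) -> dict:
    """Edit one .vmoptions file in place and return its audit."""
    text = remove_options(add_options(path.read_text(), list(add)), list(remove))
    path.write_text(text)
    return audit(text)
```

Run apply_to_file on both sync-cmd.vmoptions and config-manager.vmoptions with Configuration Manager closed, as the page requires.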

Ensure authentication after Microsoft ADV190023 update

If you're using Microsoft Active Directory with enabled channel binding and LDAP signing, you must take additional steps to ensure that Google Cloud Directory Sync (GCDS) authenticates using LDAP over SSL. Otherwise, GCDS won’t connect to Active Directory and your synchronizations will fail. You need to take these steps even if you previously ran a sync using Standard LDAP authentication. For details on Microsoft advisory ADV190023, see your Microsoft documentation.

If you're already successfully using LDAP over SSL, you don't need to take any steps.

Step 1: Enable TLS in Active Directory

Note: The terms TLS and SSL are often used interchangeably.

To enable TLS in Active Directory, see your Microsoft documentation on:

  • How to enable LDAP over SSL with a third-party certification authority
  • Creating custom secure LDAP certificates for domain controllers with auto renewal
  • Troubleshooting LDAP over SSL

Step 2: Ensure that the certificate is trusted

The Certificate Authority (CA) that signed your domain controller’s certificate must be trusted by GCDS. Most well-known internet CAs, such as Verisign, Comodo, and Let's Encrypt, are trusted. If you use these CAs, you can skip this step.

If your CA is not trusted or if you're using your own root CA, follow the steps above in Fix certificate-related errors.

Step 3: Set up Configuration Manager

  1. Open Configuration Manager and go to the LDAP Configuration page.
  2. For the Connection type setting, specify LDAP+SSL.
  3. For the Port setting, specify 636 (if you previously used 389) or 3269 (if you previously used 3268).
  4. Click Test connection.