Azure AD certificate error–PKIX path building failed in ADAudit Plus

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

Issue description  

When attempting to collect Azure AD events in ADAudit Plus, the following certificate-related error might occur:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error indicates that the required Azure AD SSL certificate chain is not trusted by ADAudit Plus, preventing secure communication with Azure endpoints.

Prerequisites  

Ensure the following before proceeding:

  • Access to the ADAudit Plus application server.

  • Administrative privileges on the ADAudit Plus server.

  • Internet access to reach Microsoft endpoints, such as login.microsoftonline.com and graph.microsoft.com.

  • The ADAudit Plus installation directory path.


Possible causes  

  • The Azure AD root or intermediate certificate is not present in the Java trust store (cacerts) of ADAudit Plus.

  • The application is unable to verify the SSL certificate of Azure endpoints due to a missing certificate chain.

  • A proxy server certificate might also be required if the server connects to the internet via proxy.

Resolution  

Step 1: Export certificates from Azure endpoints  

  1. Open a browser on the ADAudit Plus server.

  2. Navigate to the Azure endpoints listed under Prerequisites (login.microsoftonline.com and graph.microsoft.com).

  3. Click the padlock icon in the browser’s address bar and view the certificate chain.

  4. Export the required certificates in .cer format.

  5. Save the exported certificates to the following folder:
    <Installation_Directory>\jre\bin\

Step 2: Import certificates into the Java Trust Store  

  1. Launch Command Prompt as Administrator.

  2. Navigate to the following path:
    <Installation_Directory>\jre\bin

  3. Run the following command to import the certificate:
    keytool -import -alias login_cert -keystore "<Installation_Directory>\jre\lib\security\cacerts" -file login.microsoftonline.com.cer

  4. Replace login_cert with an appropriate alias and login.microsoftonline.com.cer with the exported file name.

  5. Enter the default keystore password when prompted: changeit

  6. Repeat the above steps to import the graph.microsoft.com certificate using a different alias.

Step 3: Import proxy certificate (if applicable)  

If ADAudit Plus accesses the internet through a proxy, export the proxy server’s SSL certificate and run:

keytool -import -alias proxy_cert -keystore "<Installation_Directory>\jre\lib\security\cacerts" -file proxy.cer

Replace proxy_cert with a suitable alias and proxy.cer with your proxy certificate file name.

Step 4: Restart ADAudit Plus service  

  1. Open Services.msc on the server.

  2. Locate ManageEngine ADAudit Plus service.

  3. Right-click and select Restart.
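The following script is an added example and is not part of this article or of the ADAudit Plus product. It automates Steps 1 to 3 in one pass: it pulls the certificate chain that each endpoint presents, prints the subject, issuer and SHA-256 fingerprint of every certificate so you can confirm what you are about to trust, and then imports each one into the ADAudit Plus cacerts with keytool (keytool -importcert is the same command the article writes as keytool -import). It assumes a bash shell on the ADAudit Plus server (Git Bash or WSL), openssl and keytool on PATH, and the installation directory supplied in POSIX form through the ADAP_INSTALL_DIR variable; the directory name in the comments is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the ManageEngine article: automate Steps 1-3 by
# fetching the chain an endpoint presents, showing each certificate for review,
# and importing it into the ADAudit Plus Java trust store with keytool.
# Assumptions (not stated in the article): bash (Git Bash or WSL) on the server,
# openssl and keytool on PATH, and the install directory given in POSIX form via
# ADAP_INSTALL_DIR (placeholder, e.g. /c/ManageEngine/ADAudit_Plus).
set -euo pipefail

# Print the PEM chain a TLS server sends (leaf first, then issuing CAs).
fetch_chain() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle on stdin into $1/chain-01.pem, chain-02.pem, ...
# and print the number of certificates written.
split_pem_chain() {
  local outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; file = sprintf("%s/chain-%02d.pem", dir, n) }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
    END { print n + 0 }
  '
}

# Show subject, issuer and SHA-256 fingerprint so the operator can confirm
# what is about to be trusted before it goes into cacerts.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Import one certificate under the given alias. The cacerts password is the
# keytool default, changeit, as in the article.
import_into_cacerts() {
  local install_dir="$1" alias="$2" cert="$3"
  local keystore="$install_dir/jre/lib/security/cacerts"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$keystore" -storepass changeit -file "$cert"
}

main() {
  local install_dir="$1" host workdir count pem idx alias
  shift
  for host in "$@"; do
    workdir="$(mktemp -d)"
    count="$(fetch_chain "$host" | split_pem_chain "$workdir")"
    [ "$count" -gt 0 ] || { echo "no certificate received from $host" >&2; return 1; }
    # chain-01 is the leaf the article exports; the remaining files are the
    # issuing CAs, which outlive leaf rotations and are imported as well.
    for pem in "$workdir"/chain-*.pem; do
      idx="${pem##*chain-}"; idx="${idx%.pem}"
      alias="${host//./_}_$idx"
      describe_cert "$pem"
      import_into_cacerts "$install_dir" "$alias" "$pem"
    done
    rm -rf "$workdir"
  done
  echo "Done. Restart the ManageEngine ADAudit Plus service (Step 4) to load the trust store."
}

# Runs only when an install directory is supplied, so the functions can be sourced on their own.
if [ -n "${ADAP_INSTALL_DIR:-}" ]; then
  main "$ADAP_INSTALL_DIR" login.microsoftonline.com graph.microsoft.com
fi
```

Run it as `ADAP_INSTALL_DIR=/c/ManageEngine/ADAudit_Plus bash import-azure-chain.sh` from the server itself, because a connection made through an intercepting proxy returns the proxy's own chain, which is exactly what Step 3 needs you to trust; check the printed issuer lines to see which case you are in. keytool refuses to overwrite an existing alias, so remove a stale entry with `keytool -delete -alias <alias> -keystore <cacerts> -storepass changeit` before re-running.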

Related topics and articles  

How to reach support  

If the issue persists, contact our support team here