SAP Knowledge Base Article - Public

3505973 - Certificate based authentication request from IPS side returns an error "[AUTH0032]Invalid client certificate"

Symptom

Certificate-based authentication, rather than Basic Authentication, is set up in IPS>Source System for the IPS sync job that reads SF users.

However, running the read job in IPS returns the following error:

Cannot execute provisioning job in tenant context: xxxxxxxxxx 
Caused by: Error during execution on behalf of tenant with ID: xxxxxxxxxx 
Caused by: Executing delta load failed. 
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401 and body {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}} 
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401, Response: {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}}

Environment

SAP SuccessFactors HCM suite all versions

Reproducing the Issue

1. Log in to the IPS admin console page.

2. Go to Source System>Property.

3. Confirm that the Authentication field is set to ClientCertificateAuthentication.

4. Go to Jobs and run the read user job.

5. The job fails with the error code "[AUTH0032]Invalid client certificate".

Cause

The certificate uploaded in SF Security Center might not be synchronized correctly, even when all configurations and the certificate have been confirmed as set up correctly according to KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors.

Resolution

After confirming that all configurations are correct and that the certificate Fingerprint matches on the SF and IPS sides, delete the existing X509 certificate in SF Security Center and upload the same X509 certificate again, as downloaded from IPS>Outbound Certificate.

If the same error still occurs after re-uploading the certificate, raise a ticket with SAP support under the component LOD-SF-PLT-IAS for further investigation.
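The fingerprint comparison mentioned in the Resolution can be done locally on the certificate file downloaded from IPS. The following is an added example, not SAP code: it assumes the file is PEM-encoded and that the displayed fingerprint is a SHA-1 or SHA-256 hex digest (the article does not state the algorithm), and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for a certificate's DER encoding.
# Not a real certificate: a fingerprint is just a hash over the DER bytes.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in a PEM file."""
    block = PEM_BLOCK.search(pem_text)
    if block is None:
        raise ValueError("no PEM certificate block found")
    # Drop line breaks (LF or CRLF) before strict base64 decoding.
    return base64.b64decode("".join(block.group(1).split()), validate=True)


def fingerprints(der):
    """Hex fingerprints of the DER bytes under both assumed algorithms."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize(displayed):
    """Reduce 'AB:CD', 'ab cd' or 'ab-cd' to bare lowercase hex."""
    cleaned = re.sub(r"[\s:\-]", "", displayed).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def matching_algorithm(pem_text, displayed):
    """Name the algorithm whose fingerprint equals the displayed value, else None."""
    wanted = normalize(displayed)
    for name, value in fingerprints(pem_to_der(pem_text)).items():
        if value == wanted:
            return name
    return None


if __name__ == "__main__":
    shown = fingerprints(SAMPLE_DER)["sha1"].upper()  # stand-in for the UI value
    print(matching_algorithm(SAMPLE_PEM, shown))
```

A result of None means the file's fingerprint does not equal the displayed value under either algorithm.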

See Also

  • KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors

Keywords

[AUTH0032]Invalid client certificate, Client Certificate based authentication, Certificate, ClientCertificateAuthentication, AUTH0032, IPS, Read job failed, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, Problem

Product

SAP SuccessFactors HCM Suite all versions