Symptom
Instead of Basic Authentication, a certificate based authentication is set up in IPS>Source System for IPS sync job to read SF users.
However, when running the read job in IPS, it returns error
Cannot execute provisioning job in tenant context: xxxxxxxxxx
Caused by: Error during execution on behalf of tenant with ID: xxxxxxxxxx
Caused by: Executing delta load failed.
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401 and body {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}}
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401, Response: {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}}
Environment
SAP SuccessFactors HCM suite all versions
Reproducing the Issue
1. Login IPS admin console page.
2. Go to Source System>Property.
3. Confirm that Authentication field is set as ClientCertificateAuthentication.
4. Go to Jobs and run the read user job.
5. The job failed with an error code "[AUTH0032]Invalid client certificate".
Cause
The uploaded certificate in SF Security Center might not get synchronized correctly even all configurations and certificate are confirmed set up correctly according to KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors.
Resolution
After confirming all the configurations are correct and certificate Fingerprint is matched in SF and IPS sides, please have a try to delete the existing X509 certificate in SF Security Center and upload the same X509 certificate again which is downloaded from IPS>Outbound Certificate.
If the same error still occurs after re-uploading the certificate, please raise a ticket to SAP support with the component LOD-SF-PLT-IAS for further investigation.
See Also
- KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors
Keywords
[AUTH0032]Invalid client certificate, Client Certificate based authentication, Certificate, ClientCertificateAuthentication, AUTH0032, IPS, Read job failed , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , Problem