Users fail to authenticate and the following  error in the user event monitor:

Jut-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server.

The cause is the connection between the Cloud Administration Console and the Active Directory is failing. This could be caused by various reasons, but few of the most popular reasons are:

• The account used in the LDAP binding is expired, disabled, locked, or its password has been expired or changed.
• If you are using LDAPS, the SSL certificate might be the issue if it was expired or changed on the Active Directory.
• The identity router might be distressed or down.
• A network issue.
• A configuration issue.

In this article we will focus on fixing the binding account issue and the SSL certificate.

To begin,

1. Log in to your Cloud Administration Console.
2. Go to User > Identity Sources.
3. Click on Edit for the identity source that is having a problem.
4. In the Identity Source Details section go down to:
   1. Directory servers:
      1. In the table that contains all the domain controllers listed for this Active Directory, edit each connection to change the binding account or its password.
      2. The edit button is a pencil shaped icon.
         
   2. SSL/TLS Certificates:
      1. If the certificate is missing, expired, or you just need to change it, you can change it in this section.
5. After doing the needed changes keep clicking on Next Step then Save and Finish.
6. Publish Changes to apply the changes that you made.
7. Try to authenticate again or manually sync the users.

If that didn't help fixing you issue, please contact RSA Technical Support for assistance.