AD Driver - service user can't read password files

We have an AD Driver that is primarily a Publisher of info and passwords from AD to eDir. The Driver is running as a Remote Loader service on a Win2008 box, so a Win2016 box has been added to the domain as a member server, not a domain controller (yet).

The Driver service needs to log in as a domain user account rather than Local System to have the proper rights to AD. This is working fine on Win2008. However, on Win2016, when using the same service user, starting the service fails with this error: "Remote loader password and driver object password must be set".

The Driver is installed to C:\Novell\RemoteLoader. I looked in that directory and the files dxicert.pem and dxipkey.pem are present, which I assume are used for the passwords. I therefore believe the service account can't access this directory (or the specific files) due to rights; if the Driver is set to run as Local System, it starts normally.

I've compared the Local System Policy permissions between Win2008 and Win2016 and haven't found anything obvious. The service user has the Log On As a Service permission.

Any suggestions?

eDirectory: 8.8.8 Latest SP
IDM: 4.6.2
AD Driver: 4.0.3.0 (64-bit)
Windows 2016 Data Center

Thanks!
Sam
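One way to check the theory in the post (that the domain service account lacks rights on the Remote Loader directory) and to fix it with least privilege. This is an added troubleshooting example, not code from the post or from the Remote Loader product; the service account name is a placeholder and the service is located by matching its image path against the directory named in the post.

```powershell
# Added troubleshooting example (not from the original post). Assumptions:
# the Remote Loader path from the post and a placeholder service account name;
# adjust both to your environment. Run from an elevated PowerShell session.
$RlDir   = 'C:\Novell\RemoteLoader'
$Account = 'CONTOSO\svc_rl'           # placeholder: the driver's domain service account
$Files   = 'dxicert.pem', 'dxipkey.pem'

# 1. Confirm which identity the Remote Loader service actually starts as.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$RlDir*" } |
    Select-Object Name, StartName, State

# 2. List the ACEs on the directory and the two .pem files. An ACL that only
#    names Administrators and SYSTEM explains why Local System works while a
#    plain domain account cannot read the files.
foreach ($path in @($RlDir) + ($Files | ForEach-Object { Join-Path $RlDir $_ })) {
    $acl = Get-Acl -Path $path
    Write-Host "`n== $path (owner: $($acl.Owner))"
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# 3. Minimal remediation: grant the service account read-only access to the
#    directory, inherited by the files. ReadAndExecute, not Modify or Full
#    Control, since the service only needs to read the certificate and key.
$acl  = Get-Acl -Path $RlDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account,
            'ReadAndExecute',
            'ContainerInherit, ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RlDir -AclObject $acl

# 4. Verify the new ACE reached the key file before restarting the service.
Get-Acl -Path (Join-Path $RlDir 'dxipkey.pem') |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $Account }
```

If step 2 already shows a read ACE for the account but the service still fails, the problem is not file rights and the next thing to compare is the service's configured passwords rather than the directory ACL.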