
AD Driver Subscriber Password Reset: Access Denied

We have an AD Driver running on Windows 2012 that sets passwords from events received over the Subscriber channel. The service is logged in as Local System, and it works fine.

We are going to migrate it to Windows 2016 Datacenter server (DC), but attempts to set the password give the error Access Denied (error code 5). In both cases, IDM is 4.5.5 and the AD Driver is 4.0.2.1, the latest.

I did have a problem with the IDMPowerShellService being "blocked" by security. The AD Driver binaries were also blocked, but unblocking them didn't help.

I'd post log files but there really isn't any additional information other than "access denied." I'm going to look into LDAP logging on the DC.

Thanks for any help you can offer.

-- Sam S.
10 Replies

Zygomax;2467737 wrote:
We have an AD Driver running on Windows 2012 that sets passwords from events received over the Subscriber channel. The service is logged in as Local System, and it works fine.

We are going to migrate it to Windows 2016 Datacenter server (DC), but attempts to set the password give the error Access Denied (error code 5). In both cases, IDM is 4.5.5 and the AD Driver is 4.0.2.1, the latest.

I did have a problem with the IDMPowerShellService being "blocked" by security. The AD Driver binaries were also blocked, but unblocking them didn't help.

I'd post log files but there really isn't any additional information other than "access denied." I'm going to look into LDAP logging on the DC.

Thanks for any help you can offer.

-- Sam S.


I'd start with the obvious problems: make sure the domain controller supports SSL LDAP connections, and give the driver a domain admin account to log in with. If that works, then you know it can work and only have to figure out why it's not.

On 10/09/2017 07:44 AM, dgersic wrote:
>
> Zygomax;2467737 Wrote:
>> We have an AD Driver running on Windows 2012 that sets passwords from
>> events received over the Subscriber channel. The service is logged in as
>> Local System, and it works fine.
>>
>> We are going to migrate it to Windows 2016 Datacenter server (DC), but
>> attempts to set the password give the error Access Denied (error code
>> 5). In both cases, IDM is 4.5.5 and the AD Driver is 4.0.2.1, the
>> latest.
>>
>> I did have a problem with the IDMPowerShellService being "blocked" by
>> security. The AD Driver binaries were also blocked, but unblocking them
>> didn't help.
>>
>> I'd post log files but there really isn't any additional information
>> other than "access denied." I'm going to look into LDAP logging on the
>> DC.
>>
>> Thanks for any help you can offer.
>>
>> -- Sam S.

>
> I'd start with the obvious problems, make sure the domain controller
> supports SSL LDAP connections, and give the driver a domain admin


LDAPS only matters if you are connecting from a different machine; if the
Remote Loader (RL) is on the domain controller (DC) itself, that is not
applicable. Also, I would expect something other than Access Denied if
the TLS/SSL part did not work, since access denied is an authorization
message coming up at the application layer.

> account log in with. If that works, then you know it can work and only
> have to figure out why it's not.


Yes, at the end of the day this sounds like (no Trace, so having that may
help, specifically level five (5) from the Remote Loader side) microsoft
active directory (MAD) refusing to accept your request, so you should
check with the domain admins to see what they can figure out. Identity
Manager (IDM) is not able to override application settings, as that would
imply something terrible about the application's security.

--
Good luck.


> I did have a problem with the IDMPowerShellService being "blocked" by security. The AD Driver binaries were also blocked, but unblocking them didn't help.

Hi Sam,
Where exactly can you see that the service is blocked? Do you see it in Event Viewer?

> We are going to migrate it to Windows 2016 Datacenter server (DC), but attempts to set the password give the error Access Denied (error code 5).

Is that message from the IDM/Remote Loader trace?

Could you provide RL/IDM trace (level 5) as Aaron suggested?

Alex

Do you see any MS-specific events in Event Viewer?
For example, something like "Could not write changed password to AD. Error 0x80070032."

Access Denied (error code 5) is a very generic LDAP (?) error message.
It can be an LDAP bind error, no access to a specific attribute, no permission to update a specific attribute, no permission to update the registry, etc.

al_b;2467749 wrote:
Hi Sam,
Where exactly can you see that the service is blocked? Do you see it in Event Viewer? Is that message from the IDM/Remote Loader trace?


Not in my case; you look at the Properties of the (e.g. EXE) file and it will say it is blocked, with the option to unblock. Nothing is blocked any more, plus the AD Driver performs all other operations except password set.

> LDAPS only matters if you are connecting from a different machine; if the
> Remote Loader (RL) is on the domain controller (DC) itself, that is not
> applicable. Also, I would expect something other than Access Denied if
> the TLS/SSL part did not work, since access denied is an authorization
> message coming up at the application layer.


Sorry, didn't mention that the engine side is a SLES 11 box, communicating with the Windows DC using the Remote Loader.

> Could you provide RL/IDM trace (level 5) as Aaron suggested?


I'll look into it.

I'm going to try David Gersic's suggestion of setting the service logon user to an AD administrative account. I can't really do this until 4pm ET though. I'm going to check with the Domain admins about their development/test environment.

Thanks!
Sam

Zygomax <Zygomax@no-mx.forums.microfocus.com> wrote:
>

al_b;2467749 Wrote:
> Hi Sam,
> Where exactly you can see that service blocked? Do you see it in
> EventViewer? Is it message form IDM/remoteLoader trace?
>


Pretty sure that 2016 domain controller requires 4.6 RL and latest AD shim
(engine can be 4.5).



Alex McHugh - Knowledge Partner - Stavanger, Norway

alexmchugh;2467774 wrote:


Pretty sure that 2016 domain controller requires 4.6 RL and latest AD shim
(engine can be 4.5).


I tried upgrading to 4.6.1 but I got the same error. That's what I have time for today. I hope to reproduce it in a test environment tomorrow.

Thanks,
Sam

Zygomax <Zygomax@no-mx.forums.microfocus.com> wrote:
>
> I tried upgrading to 4.6.1 but I got the same error.


Guess you checked all the standard stuff that usually fixes this. Setting
just username, no domain in authentication ID field. Clearing auth
context.


Alex McHugh - Knowledge Partner - Stavanger, Norway

alexmchugh;2467791 wrote:


Guess you checked all the standard stuff that usually fixes this. Setting
just username, no domain in authentication ID field. Clearing auth
context.


I had not checked. Spent some time but was able to reproduce this in a test setting. Clearing the authentication context fixed it! Thanks Alex!

-- Sam

On 10/11/2017 9:44 AM, Zygomax wrote:
>
> alexmchugh;2467791 Wrote:
>>
>>
>> Guess you checked all the standard stuff that usually fixes this.
>> Setting
>> just username, no domain in authentication ID field. Clearing auth
>> context.

>
> I had not checked. Spent some time but was able to reproduce this in a
> test setting. Clearing the authentication context fixed it! Thanks Alex!


This is one of those super confusing things about the AD RL config. On
a DC, no auth context. On a member server, IP/DNS name of a DC.

