
AD driver Publisher channel won't work


Hi everyone,

I'm using Identity Manager 4.02 Advanced Edition and the Active Directory
driver in a "remote installation on Windows Server only" (everything is on
a Windows server and the domain controller stays untouched). Both servers
(the domain controller and the one hosting Identity Manager) are Windows
Server 2008 R2.
I've successfully deployed and started the Active Directory driver;
however, on the Publisher channel no events are captured (on the other
hand, the Subscriber channel works just fine), and there's no entitlement
implemented.
The "User" class is synchronized in the filter (for both Publisher and
Subscriber), but I don't catch anything (creation, modification, ...) in
the log file (maximum trace level).
Is there a specific configuration on the AD that I need to do?
I've run out of solutions, so any help would be much appreciated!


--
karimbouami
------------------------------------------------------------------------
karimbouami's Profile: https://forums.netiq.com/member.php?userid=6191
View this thread: https://forums.netiq.com/showthread.php?t=49520


Re: AD driver Publisher channel won't work

As always, post the trace. In particular, post the startup trace,
preferably from the Remote Loader (RL) side or wherever the driver shim is
running since that will show the connection to microsoft active directory
(MAD) which will likely be helpful.

Also, is this prod/dev/other and has it ever worked in another
environment? What kind of system is the box running the shim in relation
to the domain (outside the domain, member server, etc.)?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD driver Publisher channel won't work

And be sure you've gone through this correctly:

https://www.netiq.com/documentation/idm402drivers/ad/data/bp7wru3.html

--
Good luck.


Re: AD driver Publisher channel won't work


ab;238350 Wrote:
> As always, post the trace. In particular, post the startup trace,
> preferably from the Remote Loader (RL) side or wherever the driver shim
> is running since that will show the connection to microsoft active
> directory (MAD) which will likely be helpful.
>
> Also, is this prod/dev/other and has it ever worked in another
> environment? What kind of system is the box running the shim in
> relation to the domain (outside the domain, member server, etc.)?


It's a dev environment, so no, it hasn't worked before, since this is the
first try.
I'm using a "remote installation on Windows server only", so there's no
remote loader and all components are on a Windows Server that is part of
the domain.
The connection to the AD works fine and the driver accesses the schema and
imports the attributes, but after the driver starts, no activity is
caught on the Publisher channel. Since the trace is huge (more than
14K lines), you'll find below some important parts of it:


[12/18/13 16:26:15.556]:AD_AU ST:ADDriver: Driver::getSchema()

[12/18/13 16:26:15.557]:AD_AU ST:ADDriver: MadDriver::onInit()
[12/18/13 16:26:15.557]:AD_AU ST:ADDriver: MadConnMgr::initialize
[12/18/13 16:26:15.558]:AD_AU ST:ADDriver: rootDSE information needed.

[12/18/13 16:26:15.558]:AD_AU ST:ADDriver: Make unauthenticated
connection to rootDSE

[12/18/13 16:26:16.160]:AD_AU ST:ADDriver: unauthenticated connection to
rootDSE succeeded

[12/18/13 16:26:16.161]:AD_AU ST:ADDriver: read rootDSE information
[12/18/13 16:26:16.162]:AD_AU ST:ADDriver:
LDAP Session Information

LDAP version: 3
Domain DNS name:
Server DNS name: WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC
Host reachable: 1
Using SSL: 0
Client error: (0) - Opération réussie
Server error: -
Dereference aliases: 0 - never
Referals: 1 - on
Auto-reconnect: 1
Getdsname flags: 0
Sspi flags: 4002
Keep alive: 120
Ping limit: 4
Ping wait time: 2000

[12/18/13 16:26:16.164]:AD_AU ST:ADDriver: Supported server side LDAP
controls:
1.2.840.113556.1.4.319 - LDAP_PAGED_RESULT_OID_STRING
1.2.840.113556.1.4.801 - LDAP_SERVER_SD_FLAGS_OID
1.2.840.113556.1.4.473 - LDAP_SERVER_SORT_OID
1.2.840.113556.1.4.528 - LDAP_SERVER_NOTIFICATION_OID
1.2.840.113556.1.4.417 - LDAP_SERVER_SHOW_DELETED_OID
1.2.840.113556.1.4.619 - LDAP_SERVER_LAZY_COMMIT_OID
1.2.840.113556.1.4.841 - LDAP_SERVER_DIRSYNC_OID
1.2.840.113556.1.4.529 - LDAP_SERVER_EXTENDED_DN_OID
1.2.840.113556.1.4.805 - LDAP_SERVER_TREE_DELETE_OID
1.2.840.113556.1.4.521 - LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID
1.2.840.113556.1.4.970 -
1.2.840.113556.1.4.1338 - LDAP_SERVER_VERIFY_NAME_OID
1.2.840.113556.1.4.474 - LDAP_SERVER_RESP_SORT_OID
1.2.840.113556.1.4.1339 - LDAP_SERVER_DOMAIN_SCOPE_OID
1.2.840.113556.1.4.1340 - LDAP_SERVER_SEARCH_OPTIONS_OID
1.2.840.113556.1.4.1413 - LDAP_SERVER_PERMISSIVE_MODIFY_OID
2.16.840.1.113730.3.4.9 -
2.16.840.1.113730.3.4.10 -
1.2.840.113556.1.4.1504 -
1.2.840.113556.1.4.1852 -
1.2.840.113556.1.4.802 -
1.2.840.113556.1.4.1907 -
1.2.840.113556.1.4.1948 -
1.2.840.113556.1.4.1974 -
1.2.840.113556.1.4.1341 -
1.2.840.113556.1.4.2026 -
1.2.840.113556.1.4.2064 -
1.2.840.113556.1.4.2065 -

Naming contexts & RootDSE Properties:
DC=VLRAD,DC=LOC
CN=Configuration,DC=VLRAD,DC=LOC
CN=Schema,CN=Configuration,DC=VLRAD,DC=LOC
DC=DomainDnsZones,DC=VLRAD,DC=LOC
DC=ForestDnsZones,DC=VLRAD,DC=LOC
default naming context: DC=VLRAD,DC=LOC
schema naming context: CN=Schema,CN=Configuration,DC=VLRAD,DC=LOC
configuration naming context: CN=Configuration,DC=VLRAD,DC=LOC
root domain naming context: DC=VLRAD,DC=LOC
forest functional level: Windows Server 2008 R2 Forest Mode
[12/18/13 16:26:16.173]:AD_AU ST:ADDriver: Connect using ldap_bind:
user=Administrateur, domain=VLRAD, password=***, method=negotiate,
server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no
ssl=no

[12/18/13 16:26:16.182]:AD_AU ST:ADDriver: ldap_bind connection
succeeded

<source>
<product build="20120330_120000"
instance="\ALGECO-TREE\system\AlgecoDriverSet\AD_AU"
version="4.0.0.0">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<init-params>
<publisher-state>
<cookie>INITIALIZE_COOKIE</cookie>
</publisher-state>
</init-params>
</input>
</nds>
[12/18/13 16:26:40.691]:AD_AU PT:Filtering out notification-only
attributes.
[12/18/13 16:26:40.691]:AD_AU PT:Pumping XDS to eDirectory.
[12/18/13 16:26:40.692]:AD_AU PT:
DirXML Log Event -------------------
Driver: \ALGECO-TREE\system\AlgecoDriverSet\AD_AU
Channel: Publisher
Status: Success

LDAP version: 3
Domain DNS name:
Server DNS name: WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC
Host reachable: 1
Using SSL: 0
Client error: (0) - Opération réussie
Server error: -
Dereference aliases: 0 - never
Referals: 1 - on
Auto-reconnect: 1
Getdsname flags: 0
Sspi flags: 4002
Keep alive: 120
Ping limit: 4
Ping wait time: 2000

[12/18/13 16:26:41.512]:AD_AU PT:ADDriver: Supported server side LDAP
controls:
1.2.840.113556.1.4.319 - LDAP_PAGED_RESULT_OID_STRING
1.2.840.113556.1.4.801 - LDAP_SERVER_SD_FLAGS_OID
1.2.840.113556.1.4.473 - LDAP_SERVER_SORT_OID
1.2.840.113556.1.4.528 - LDAP_SERVER_NOTIFICATION_OID
1.2.840.113556.1.4.417 - LDAP_SERVER_SHOW_DELETED_OID
1.2.840.113556.1.4.619 - LDAP_SERVER_LAZY_COMMIT_OID
1.2.840.113556.1.4.841 - LDAP_SERVER_DIRSYNC_OID
1.2.840.113556.1.4.529 - LDAP_SERVER_EXTENDED_DN_OID
1.2.840.113556.1.4.805 - LDAP_SERVER_TREE_DELETE_OID
1.2.840.113556.1.4.521 - LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID
1.2.840.113556.1.4.970 -
1.2.840.113556.1.4.1338 - LDAP_SERVER_VERIFY_NAME_OID
1.2.840.113556.1.4.474 - LDAP_SERVER_RESP_SORT_OID
1.2.840.113556.1.4.1339 - LDAP_SERVER_DOMAIN_SCOPE_OID
1.2.840.113556.1.4.1340 - LDAP_SERVER_SEARCH_OPTIONS_OID
1.2.840.113556.1.4.1413 - LDAP_SERVER_PERMISSIVE_MODIFY_OID
2.16.840.1.113730.3.4.9 -
2.16.840.1.113730.3.4.10 -
1.2.840.113556.1.4.1504 -
1.2.840.113556.1.4.1852 -
1.2.840.113556.1.4.802 -
1.2.840.113556.1.4.1907 -
1.2.840.113556.1.4.1948 -
1.2.840.113556.1.4.1974 -
1.2.840.113556.1.4.1341 -
1.2.840.113556.1.4.2026 -
1.2.840.113556.1.4.2064 -
1.2.840.113556.1.4.2065 -
Naming contexts & RootDSE Properties:
DC=VLRAD,DC=LOC
CN=Configuration,DC=VLRAD,DC=LOC
CN=Schema,CN=Configuration,DC=VLRAD,DC=LOC
DC=DomainDnsZones,DC=VLRAD,DC=LOC
DC=ForestDnsZones,DC=VLRAD,DC=LOC
default naming context: DC=VLRAD,DC=LOC
schema naming context: CN=Schema,CN=Configuration,DC=VLRAD,DC=LOC
configuration naming context: CN=Configuration,DC=VLRAD,DC=LOC
root domain naming context: DC=VLRAD,DC=LOC
forest functional level: Windows Server 2008 R2 Forest Mode
[12/18/13 16:26:41.521]:AD_AU PT:ADDriver: Connect using ldap_bind:
user=Administrateur, domain=VLRAD, password=***, method=negotiate,
server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no
ssl=no

[12/18/13 16:26:42.287]:AD_AU PT:ADDriver: ldap_bind connection
succeeded

[12/18/13 16:26:42.288]:AD_AU PT:ADDriver: [PWD 5744]
PassSyncCache::PassSyncCache()

[12/18/13 16:26:42.288]:AD_AU PT:ADDriver: [PWD]
PwdCrypt::GetPublicKey()

[12/18/13 16:26:42.289]:AD_AU PT:ADDriver: [PWD]
PwdCrypt::CreateKeyContainer()

[12/18/13 16:26:42.289]:AD_AU PT:ADDriver: [PWD] PwdCrypt::GetCspName()

[12/18/13 16:26:42.290]:AD_AU PT:ADDriver: [PWD] PwdCrypt::GetCspName()
returned 0X00000000

[12/18/13 16:26:42.304]:AD_AU PT:ADDriver: [PWD]
PwdCrypt::CreateKeyContainer() returned 0x00000005

[12/18/13 16:26:42.305]:AD_AU PT:ADDriver: [PWD]
PwdCrypt::GetPublicKey() returned 0x00000005

[12/18/13 16:26:42.305]:AD_AU PT:ADDriver: [PWD 5744 PassSyncCache() -
Error storing auth data 0x00000005

[12/18/13 16:26:42.306]:AD_AU PT:Receiving DOM document from
application.
[12/18/13 16:26:42.307]:AD_AU PT:
<nds dtdversion="2.2">
<source>
<product build="20120330_120000"
instance="\ALGECO-TREE\system\AlgecoDriverSet\AD_AU"
version="4.0.0.0">AD</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="warning" type="driver-status">
<description>Password Sync Initialization Failed: Password Sync
has been Disabled.</description>
</status>
</input>
</nds>


--
karimbouami


Re: AD driver Publisher channel won't work

On Wed, 18 Dec 2013 17:44:01 +0000, karimbouami wrote:

> I've successfully deployed and started the active directory driver,
> however on the publisher channel no events are captured (on the other
> hand, the suscriber channel works just fine) and there's no entitlement
> implemented.


Driver configuration / authentication. Your driver should be logging in
to MAD with sufficient rights to get what it needs. Is that configured
correctly and working?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: AD driver Publisher channel won't work


dgersic;238365 Wrote:
> On Wed, 18 Dec 2013 17:44:01 +0000, karimbouami wrote:
>
> > I've successfully deployed and started the active directory driver,
> > however on the publisher channel no events are captured (on the other
> > hand, the subscriber channel works just fine) and there's no
> > entitlement implemented.
>
> Driver configuration / authentication. Your driver should be logging in
> to MAD with sufficient rights to get what it needs. Is that configured
> correctly and working?




I'm using an administrator account with full privileges to access the MS
AD. The Subscriber channel works just fine, but the Publisher doesn't
catch any event, be it creation or modification...


--
karimbouami


Re: AD driver Publisher channel won't work

karimbouami wrote:

>
> I'm using an administrator account with full privileges to access the
> MS AD. The Subscriber channel works just fine but the Publisher doesn't
> catch any event, be it creation or modification...


What kind of admin account? Local administrator on the particular
server or domain administrator?

Did you check the Read and Replicating Directory Change permissions are
granted for the user (or group your user belongs to)?
http://support.microsoft.com/kb/303972



Re: AD driver Publisher channel won't work


alexmchugh;238385 Wrote:
> karimbouami wrote:
>
> > I'm using an administrator account with full privileges to access the
> > MS AD. The Subscriber channel works just fine but the Publisher doesn't
> > catch any event, be it creation or modification...
>
> What kind of admin account? Local administrator on the particular
> server or domain administrator?
>
> Did you check the Read and Replicating Directory Change permissions are
> granted for the user (or group your user belongs to)?
> http://support.microsoft.com/kb/303972


It's the domain administrator. Since the account I'm using is the domain
administrator, I don't normally need to check the Read & Replication
change permissions.
I tried however to do as you said, but with no result.
What's odd is that the Publisher thread seems unreachable: when I stop
the driver, the Publisher thread doesn't terminate normally but times
out:

[12/19/13 11:26:31.061]:AD_AU ST:Waiting for Publisher thread to
terminate. Maximum wait time is 60 seconds.
[12/19/13 11:27:32.016]:AD_AU ST:Publisher thread did NOT terminate
(timed out).
[12/19/13 11:27:33.011]:AD_AU ST:Driver terminated.
[12/19/13 11:27:33.024]:AD_AU ST:Writing XML attribute
vnd.nds.stream://ALGECO-TREE/system/AlgecoDriverSet/AD_AU#DirXML-PersistentData.


--
karimbouami


Re: AD driver Publisher channel won't work

karimbouami wrote:

>
> It's the domain administrator. Since the account I'm using is the
> domain administrator, I don't normally need to check the Read &
> Replication change permissions.
> I tried however to do as you said but with no result.


Normally a member of the domain administrators group should work just
fine. However, you should check; these rights might have been messed
with at some point in your domain.

For example, at one customer - they'd accidentally deleted their "IDM
sync user account" and created a new one, but all publisher channel
events weren't working (because they had omitted to configure the
relevant permissions for the recreated user).

> What's odd is that the Publisher thread seems unreachable: when I stop
> the driver, the Publisher thread didn't terminate normally but timed
> out :


Post the entire startup trace (sanitised if necessary). We need to see
how your driver is configured to bind against AD; this is shown during
startup.


Re: AD driver Publisher channel won't work


I manually added the administrator account and gave it full control on
the User container branch, but with no results.
Since the trace is too long to be posted here, here's the link to it:
http://pastebin.com/YHkjcLnB


--
karimbouami


Re: AD driver Publisher channel won't work

karimbouami wrote:

>
> Here's the link to the trace:
> http://pastebin.com/YHkjcLnB


Just to confirm, the AD driver is configured as a service (this is an
option in the Remote Loader GUI) and it's configured to run as Local
System (BUILTIN\SYSTEM)?


Looking at your trace:

> Connect using ldap_bind: user=Administrateur, domain=VLRAD,
> password=***, method=negotiate,
> server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no ssl=no

The last parameter indicates that you don't have a secure channel
enabled between the driver shim and your DC. The secure channel is
required for some operations (password sync is not the biggest item
that requires this. Though I noticed you have disabled that).

There are several ways you can achieve this (the documentation suggests
that you enable SSL, but that is also the most complex approach):

https://www.netiq.com/documentation/idm402drivers/ad/data/bp8clek.html#bpbj7va

Instead of messing about with SSL, I'm pretty sure you can also set
sign and seal to yes in the driver config
(this should work just fine with a member server in the same domain).
It's a quick thing to test anyway.

Finally, the best approach is to install the driver shim on a DC, this
is by far the simplest to configure and support. You don't need to jump
through so many hoops.

Other than this, the trace looks okay.

I still think the problem is rights-related. According to the
documentation, you need those Read and Replicating Directory Change
permissions at the ROOT of the domain, not just on a user container.

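For anyone who wants to verify the rights point above rather than assume it, here is an added PowerShell check (my own example, not from this thread and not from NetIQ's documentation or the driver). It assumes the ActiveDirectory RSAT module and PowerShell 3 or later on a domain-joined box, and the account name 'idm-sync' is a placeholder for whatever account the driver binds as. It walks the ACL at the domain root (where KB 303972 and the driver docs say the right must be granted) and reports every ACE that gives the account, directly or through nested group membership, the DS-Replication-Get-Changes extended right or full control:

```powershell
# Added example, not part of the thread or of the NetIQ AD driver.
# Assumes RSAT ActiveDirectory module; 'idm-sync' is a placeholder.
Import-Module ActiveDirectory

# controlAccessRight GUIDs from the AD schema for the replication rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-PrincipalSidSet {
    # The account's own SID plus every group it belongs to, directly or
    # nested (LDAP_MATCHING_RULE_IN_CHAIN), plus the well-known SIDs every
    # authenticated user carries. DNs with LDAP-special characters would
    # need escaping in the filter; typical user DNs do not.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add($user.SID.Value)
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { [void]$sids.Add($_.SID.Value) }
    [void]$sids.Add('S-1-1-0')    # Everyone
    [void]$sids.Add('S-1-5-11')   # Authenticated Users
    return $sids
}

function Test-ReplicationRight {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $sids    = Get-PrincipalSidSet -SamAccountName $SamAccountName
    $acl     = Get-Acl -Path "AD:\$DomainDn"
    $allMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extMask = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned trustee that no longer resolves
        if (-not $sids.Contains($sid)) { continue }

        $guid      = $ace.ObjectType.ToString()
        $grantsAll = ($ace.ActiveDirectoryRights -band $allMask) -eq $allMask
        $grantsExt = (($ace.ActiveDirectoryRights -band $extMask) -ne 0) -and
                     (($guid -eq [guid]::Empty.ToString()) -or $ReplicationRights.ContainsKey($guid))
        if (-not ($grantsAll -or $grantsExt)) { continue }

        if ($ReplicationRights.ContainsKey($guid)) { $rightName = $ReplicationRights[$guid] }
        elseif ($grantsAll)                         { $rightName = 'GenericAll (full control)' }
        else                                        { $rightName = 'All extended rights' }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Right     = $rightName
            Inherited = $ace.IsInherited
        }
    }
    return $hits
}

# Usage: replace 'idm-sync' with the account the driver binds as.
$result = Test-ReplicationRight -SamAccountName 'idm-sync'
if ($result) { $result | Format-Table -AutoSize }
else { Write-Warning "No ACE at the domain root grants DS-Replication-Get-Changes to 'idm-sync' or its groups." }
```

On an untouched domain a Domain Admins member shows up through BUILTIN\Administrators, which holds the right at the root by default; an empty result for a dedicated sync account is exactly the situation described above where the account was recreated without the right. Granting that one extended right to a dedicated account, as suggested in the reply above, is also what you would want instead of Domain Admins or full control.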

Re: AD driver Publisher channel won't work


alexmchugh;238396 Wrote:
> karimbouami wrote:
>
> > Here's the link to the trace:
> > http://pastebin.com/YHkjcLnB
>
> Just to confirm, the AD driver is configured as a service (this is an
> option in the Remote Loader GUI) and it's configured to run as Local
> System (BUILTIN\SYSTEM)?
>
> Looking at your trace:
>
> > Connect using ldap_bind: user=Administrateur, domain=VLRAD,
> > password=***, method=negotiate,
> > server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no
> > ssl=no
>
> The last parameter indicates that you don't have a secure channel
> enabled between the driver shim and your DC. The secure channel is
> required for some operations (password sync is not the biggest item
> that requires this. Though I noticed you have disabled that).
>
> There are several ways you can achieve this (the documentation suggests
> that you enable SSL, but that is also the most complex approach):
>
> http://tinyurl.com/ozn8zpx
>
> Instead of messing about with SSL, I'm pretty sure you can also set
> sign and seal to yes in the driver config
> (this should work just fine with a member server in the same domain).
> It's a quick thing to test anyway.
>
> Finally, the best approach is to install the driver shim on a DC, this
> is by far the simplest to configure and support. You don't need to jump
> through so many hoops.
>
> Other than this, the trace looks okay.
>
> I still think the problem is rights-related. According to the
> documentation, you need those Read and Replicating Directory Change
> permissions at the ROOT of the domain, not just on a user container.


I'm not using a remote loader since it's the company's rule not to have
it on the DC (I agree that the installation with a remote loader would
have been much easier), so there's no remote loader, since all the
components are on one Windows Server 2008 R2 (in the documentation it's
described as "Remote installation on Windows Server only").
Since the driver uses the domain administrator account, normally there
shouldn't be a rights problem concerning the read & replication change.
However, I manually added the Administrator account on both the ROOT and
the User container with total control, but it didn't change anything.
As for SSL, if it's not working with a clear channel, I don't think that
it would work with SSL...
The problem is that not only are Publisher events not caught, even the
heartbeat doesn't appear in the trace...
I tried enabling seal and sign, but it didn't solve anything. As you can
see in the trace, the only thing that remotely seems like an error is
the PassSync failure (which is described as a warning and not a problem
since I disabled it).


--
karimbouami

Re: AD driver Publisher channel won't work

karimbouami wrote:

>
> I'm not using a remote loader since it's company's rule to not have it
> on the DC (I agree that the installation with remote loader would have
> been much easier), so there's no remote loader since all the
> components are on one server Windows 2008 R2 (in the documentation
> it's described as "Remote installation on Windows Server only").


Note I was referring to "driver shim" rather than remote loader. The
driver shim can be hosted by either the engine or a remote loader.

So you can have the AD driver shim running within a remote loader
instance on the same box that has IDM engine/eDirectory.

This is actually a good approach (and is used by the appliance style
products like CloudAccess) as it ensures a misbehaving driver shim
doesn't crash your entire IDM engine.

> Since the driver uses the domain administrator account, normally there
> shouldn't be rights problem concerning the read & replication change.
> However, I added manually the Administrator account on bith ROOT and
> the User container with total control but it didn't change anything.


Personally, I would have granted this as a separate "right" rather than
simply give "full control". Though this should have worked.

> As for SSL, if it's not working with a clear channel, I don't think
> that it would work with SSL...


I can't find anything documentation wise that says you need a secure
channel for the publisher events to start working.

> The problem is that not only Publisher events are not catched even the
> heartbeat doesn't appear on the trace...
> I tried enbling seal, and sign but it didn't solve anything.


Okay, even more ammunition that the secure channel is not the problem
here. Let's try something different.

https://www.netiq.com/support/kb/doc.php?id=3254435

After ruling out other factors, I think the above procedure might fix
your problem (it won't make things any worse). Also review the
following TIDs for more details.

https://www.netiq.com/support/kb/doc.php?id=7008183
https://www.netiq.com/support/kb/doc.php?id=10093948






Re: AD driver Publisher channel won't work

You have signing, sealing, and SSL all turned off. Fix this:

server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no
ssl=no

https://www.netiq.com/documentation/idm402drivers/ad/data/aidzt3c.html

Be sure you follow the steps there about "importing the SSL certificate to
the member server" on the microsoft side of things, if not already done.

While I can never remember exactly, I think the authentication ID, if
specifying the domain, should use a backslash, not a slash. In every
setup I've done I left the domain out and just specified 'Administrator'
on its own, but those were with the RL on the DC itself which also
eliminates the need to setup SSL, signing, or sealing.

--
Good luck.
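Before flipping ssl=yes in the driver parameters, it is worth confirming from the member server that the DC actually offers LDAPS with a usable certificate, since the "importing the SSL certificate" step in the docs only helps if the DC side is in place. The following is an added PowerShell check of my own (not from this thread, the driver or NetIQ's documentation); it assumes PowerShell 3 or later and the server name 'dc01.example.local' is a placeholder. It opens a TLS session to port 636 the way the driver shim's ssl=yes would, lets .NET validate the chain and hostname, and reports the result together with whether the certificate carries the Server Authentication EKU that Schannel requires for LDAPS:

```powershell
# Added example, not part of the thread or of the NetIQ AD driver.
# 'dc01.example.local' is a placeholder for your DC's DNS name.
$global:LdapsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Record the validation verdict instead of aborting the handshake,
        # so a bad chain or name mismatch is reported rather than hidden.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $policyErrors)
            $global:LdapsPolicyErrors = $policyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # hostname checked against $Server
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # A DC only selects a certificate for LDAPS if it has the Server
        # Authentication EKU (or no EKU restriction at all).
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = (-not $eku) -or
            [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        $chainOk = ($global:LdapsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $result = [pscustomobject]@{
            Server         = $Server
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
            PolicyErrors   = $global:LdapsPolicyErrors   # None = chain and name are fine
            ServerAuthEku  = $hasServerAuth
            UsableForLdaps = $chainOk -and $hasServerAuth -and ($cert.NotAfter -gt (Get-Date))
        }
        $ssl.Dispose()
        return $result
    } catch {
        # No listener on 636, handshake refused, or no certificate offered.
        return [pscustomobject]@{ Server = $Server; UsableForLdaps = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Test-LdapsEndpoint -Server 'dc01.example.local' | Format-List
```

If PolicyErrors reports RemoteCertificateChainErrors, the issuing CA certificate is what needs to be imported on the member server; RemoteCertificateNameMismatch means the driver must be pointed at a name the certificate actually carries (the FQDN seen in the trace above, not a short name or IP).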

Re: AD driver Publisher channel won't work


ab;238397 Wrote:
> You have signing, sealing, and SSL all turned off. Fix this:
>
> server=WIN2008-64-Ad-Vallorec-Audrain.VLRAD.LOC, sign=no, seal=no
> ssl=no
>
> http://tinyurl.com/oscaat3
>
> Be sure you follow the steps there about "importing the SSL certificate
> to the member server" on the microsoft side of things, if not already
> done.
>
> While I can never remember exactly, I think the authentication ID, if
> specifying the domain, should use a backslash, not a slash. In every
> setup I've done I left the domain out and just specified 'Administrator'
> on its own, but those were with the RL on the DC itself which also
> eliminates the need to setup SSL, signing, or sealing.


Is SSL necessary for the publisher channel to work?


--
karimbouami