Honored Contributor.

AD password changes not reaching ID vault

I have IDM version 4.6.4 running on RHEL 7.  Just recently, the password sync from AD to the ID vault stopped working. If the password is changed in AD, even while connected to the remote loader server, IDM doesn't even register there was an event.  Password sync from the vault to AD works fine. 

Here is the output from the PassSync Troubleshooting Tool. Suggestions welcome. 

Fri Aug 21 10:24:24 2020 : Starting Checks on Driver Machine .....

Fri Aug 21 10:24:29 2020: Logging as idmadmin user.

Fri Aug 21 10:24:29 2020 :
The List of all Domain Controllers -
1. DC-VP08.OSUMC.EDU
2. DC-P01.OSUMC.EDU
3. DC-VP02.OSUMC.EDU
4. DC-VP03.OSUMC.EDU
5. DC-VP04.OSUMC.EDU
6. DC-VP05.OSUMC.EDU
7. DC-VP06.OSUMC.EDU
8. DC-VP07.OSUMC.EDU

Fri Aug 21 10:24:29 2020 : RPC Service is running
Fri Aug 21 10:24:29 2020 : Full DNS name of the driver machine is DC-VP08.OSUMC.EDU

Fri Aug 21 10:24:29 2020 : The version of the Operating System is : Microsoft (build 9200)
Fri Aug 21 10:24:29 2020 : An AD driver instance is found configured on Remote Loader
Fri Aug 21 10:24:29 2020 : AD Driver which is configured with Connection port 8090 and Command port 8000 is running

Fri Aug 21 10:24:29 2020 : List of local files related to Driver are :
F:\NetIQ\RemoteLoader\ADDriver.dll
F:\NetIQ\RemoteLoader\IDMADRemoteLoader2-Config.txt
F:\NetIQ\RemoteLoader\IDM ADRemoteLoaderTrace.log
Fri Aug 21 10:24:31 2020 : Driver version is "4.1.2.0">AD</product> and Build ID is oduct>
Fri Aug 21 10:24:31 2020 : The 'Driver Machine' value in the registry key[SOFTWARE\NOVELL\PASSSYNC] is : 1.

Fri Aug 21 10:24:31 2020 : The 'Domains' value in registry key[SOFTWARE\NOVELL\PASSSYNC\DATA] is OSUMC.EDU

Fri Aug 21 10:24:31 2020 : Number of subkeys(passwords cached) under the key[SOFTWARE\NOVELL\PASSSYNC\DATA\OSUMC.EDU]is 8269


Fri Aug 21 10:24:32 2020 : Tests on this driver machine are done

Press any key to close this trace ...

Fri Aug 21 10:24:52 2020 : Starting Checks on All DCs .....

 

Fri Aug 21 10:24:52 2020 : Starting Checks on All DCs .....

Fri Aug 21 10:24:52 2020: Logging as idmadmin user.

Fri Aug 21 10:24:52 2020 :
The List of all Domain Controllers -
1. DC-VP08.OSUMC.EDU
2. DC-P01.OSUMC.EDU
3. DC-VP02.OSUMC.EDU
4. DC-VP03.OSUMC.EDU
5. DC-VP04.OSUMC.EDU
6. DC-VP05.OSUMC.EDU
7. DC-VP06.OSUMC.EDU
8. DC-VP07.OSUMC.EDU

Fri Aug 21 10:24:52 2020 : Checking the Domain Controller DC-VP08.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP08.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user abba13 on 11/8/2020 at 18 hrs and 46 mins
<omitted 1910 entries like this>

No more items to process Currently
.
Number of Entries Processed is 1911

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:03 2020 : Checking the Domain Controller DC-P01.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-P01.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user HealthMailbox02ac066 on 17/8/2020 at 8 hrs and 50 mins
<83 more entries like this>

No more items to process Currently
.
Number of Entries Processed is 84

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:04 2020 : Checking the Domain Controller DC-VP02.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP02.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user cvel01s on 10/8/2020 at 16 hrs and 5 mins
<86 more entries like this>

No more items to process Currently
.
Number of Entries Processed is 87

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:05 2020 : Checking the Domain Controller DC-VP03.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP03.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user HealthMailbox0494b12 on 11/8/2020 at 8 hrs and 41 mins

<80 more entries like this>
No more items to process Currently

.
Number of Entries Processed is 81

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:07 2020 : Checking the Domain Controller DC-VP04.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP04.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user AL_CGQTRD2_OSUP on 30/7/2020 at 17 hrs and 49 mins
<134 more entries like this>
No more items to process Currently
.
Number of Entries Processed is 135

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:09 2020 : Checking the Domain Controller DC-VP05.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP05.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user bush18 on 6/8/2020 at 12 hrs and 15 mins
<77 more entries like this>
No more items to process Currently
.
Number of Entries Processed is 78

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:09 2020 : Checking the Domain Controller DC-VP06.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP06.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user HealthMailbox08e5d60 on 17/8/2020 at 8 hrs and 52 mins
<88 more entries like this>
No more items to process Currently
.
Number of Entries Processed is 89

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:10 2020 : Checking the Domain Controller DC-VP07.OSUMC.EDU ....

Running Basic Diagnostic Checks.

Password filter files installed on this DC are C:\Windows\System32\PWFILTER.DLL and C:\Windows\System32\PSEVENT.DLL

The value of 'Host Names' '[DC-VP08.OSUMC.EDU]' in DC[DC-VP07.OSUMC.EDU] is same as the name of driver machine[DC-VP08.OSUMC.EDU]

Opened key [SOFTWARE\NOVELL\PWFILTER\DATA].

The password was last updated for user CONK20S on 29/7/2020 at 8 hrs and 12 mins
<80 more entries like this>
No more items to process Currently
.
Number of Entries Processed is 81

Running RPC Checks.

Checking whether this tool can reach the filter through RPC
This tool can reach the filter through RPC

Checking if the filter can connect to the driver
pwFilter can connect to PassSync RPC server on driver machine - 0

Fri Aug 21 10:25:11 2020 : Tests on all DCs are done

Press any key to close this trace ...

 

 


Accepted Solutions
Honored Contributor.
It appears to have fixed the issue in test. I'll know by this time tomorrow whether it fixes it in production.

Thanks


8 Replies
Knowledge Partner

1. What Windows versions do you have?

2. Do you have any "new" AD domain controllers installed? Changes in Forest level, etc?

3. Do you have the IDM password filter installed on ALL your DCs?

4. Do you have any other (third-party) password filters installed on your DCs? (for example Azure AD Password Protection)

 

Knowledge Partner

Important fix for the AD driver, released on 2020-05-05:
https://download.microfocus.com/Download?buildid=ubN5g8bHkYU~

This driver is compatible with IDM 4.6.


Overview
This patch is applicable for Active Directory drivers running on Identity Manager 4.6.x or Identity Manager 4.7.x. The driver version will be changed to 4.1.2.1 after the HF is applied.

Supported Platforms
Windows Server 2019 (64 bit)
Windows Server 2016 (64 bit)
Windows Server 2012 (64 bit)
Windows Server 2012 R2 (64 bit)
Windows Server 2008 R2 (64-bit)

System Requirements
Identity Manager 4.7 or later
Or
Identity Manager 4.6 or later
Microsoft Visual C++ 2017 Redistributable Packages (vcredist_x64-2017 and vcredist_x86-2017) for Identity Manager Password Synchronization utility

This (and the previous fix) included a number of fixes related to password synchronization.

Issues Fixed in This Release
Bug 1149517 - Pwfilter.dll needs to be signed in order for the policy RunAsPPL to be supported

Issues Fixed in Previous Releases
Issues Fixed in Driver Version 4.1.1.0
Bug 731112 - Active Directory driver should forward password synchronization metadata
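
Added example, not part of the original thread or the vendor's tooling: a PowerShell check for the condition named in Bug 1149517, run locally on each domain controller in an elevated session. It reads the LSA protection setting, confirms the filter is registered, and reports the signature state of the PWFILTER.DLL path shown in the troubleshooting output; the registration name `pwfilter` is an assumption, and the thread does not confirm that RunAsPPL was the cause here.

```powershell
# Added example: run in an elevated session on a domain controller.
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$filterPath = 'C:\Windows\System32\PWFILTER.DLL'   # path reported by the troubleshooting tool

$lsa = Get-ItemProperty -Path $lsaKey

# RunAsPPL absent or 0 means LSA protection is off; non-zero means LSASS runs
# as a protected process and only loads modules that meet its signing level.
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

# Password filters are loaded by LSASS from the 'Notification Packages' list.
# Assumption: the IDM filter is registered there under the name 'pwfilter'.
$packages   = @($lsa.'Notification Packages')
$registered = [bool]($packages | Where-Object { $_ -match '^pwfilter$' })

# File version and Authenticode state of the installed filter DLL.
$present = Test-Path -LiteralPath $filterPath
$sig     = if ($present) { Get-AuthenticodeSignature -FilePath $filterPath } else { $null }
$version = if ($present) { (Get-Item -LiteralPath $filterPath).VersionInfo.FileVersion } else { 'n/a' }

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    RunAsPPL         = $runAsPpl
    FilterRegistered = $registered
    FilterPresent    = $present
    FileVersion      = $version
    SignatureStatus  = if ($sig) { $sig.Status } else { 'n/a' }
    Signer           = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
}

# With LSA protection enforced, Code Integrity logs events 3033 and 3063 when
# LSASS refuses a module that does not meet the signing requirements.
# List any such events that mention the filter.
if ($runAsPpl -ne 0) {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3063
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'pwfilter' } |
        Select-Object TimeCreated, Id, Message
}
```

A non-zero RunAsPPL together with a SignatureStatus of NotSigned, or matching Code Integrity events, means the filter is not being loaded on that DC, so password changes made there never reach the driver even though the RPC checks pass.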

Honored Contributor.
That's worth a look. Thanks.
Honored Contributor.
1. Windows Server 2016 Standard
2. No new DCs, no *known* changes to the forest level (I don't manage AD, but usually a change of this magnitude in our environment would be communicated widely)
3. Yes
4. Not that I know of

Knowledge Partner

I can recommend trying the latest AD patch; there is a chance that your issue will "magically" disappear... 🙂

Honored Contributor.
It appears to have fixed the issue in test. I'll know by this time tomorrow whether it fixes it in production.

Thanks


Honored Contributor.
IDM 4.8 and AD driver 4.1.2.1 resolved the issue.
Honored Contributor.
I didn't really mean to flag my own post as a solution, but now I don't see how to undo it. Let the [unofficial] record show that al_b gets the credit.