
AzureAD fatal error during startup (StatusException)

Hi!

I have the AzureAD driver on a Windows IDM 4.6.0 engine (not the Remote Loader, unfortunately).
When I try to start the driver, I get the error "Caught exception during REST Channels initialization" (com.novell.nds.dirxml.driver.azure.StatusException) and the driver stops.
The same error happens during both subscriber and publisher channel initialization, in both cases right after RESTSubscriptionShim.init() is called.

Same result with Azure AD driver versions 5.0.1.1 and 5.0.1.2.
I've also tried upgrading the REST driver to 1.0.0.2, but no luck.

Unfortunately I cannot patch IDM to 4.6.1 or 4.6.2.

Any idea what is wrong?

Thanks, S.

Subscriber channel initialization trace level 5:

[02/24/18 15:16:00.711]:Azure AD Hybrid :Creating subscriber thread.
[02/24/18 15:16:00.711]:Azure AD Hybrid ST:Subscriber thread starting.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Initializing driver shim.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Reading XML attribute vnd.nds.stream://TRR/system/driverset1/Azure+AD+Hybrid#DirXML-ConfigManifest.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Loading Java shim com.novell.nds.dirxml.driver.azure.AZDriverShim.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Calling DriverShim.getSchema().
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Reading XML attribute vnd.nds.stream://TRR/system/driverset1/Azure+AD+Hybrid#DirXML-ShimConfigInfo.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Substituting password value for reference to named password 'user-clientsecret'.
[02/24/18 15:16:00.727]:Azure AD Hybrid ST:Substituting password value for reference to named password 'proxyPassword'.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Substituting password value for reference to named password 'database-password'.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<init-params src-dn="\TRR\system\driverset1\Azure AD Hybrid">
<authentication-info>
<user>user@client.onmicrosoft.com</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<user-clientid display-name="Client ID">cd35ebfe-5d6a-48d4-8137-79f5d1f4db3e</user-clientid>
<user-clientsecret display-name="Client Secret" is-sensitive="true" type="password-ref"><!-- content suppressed --></user-clientsecret>
<coexistence-mode display-name="Enable Hybrid Operation Mode">true</coexistence-mode>
<activate-roles display-name="Activate Azure Directory Roles">false</activate-roles>
<ignore1 display-name="Show Schema Extensions configuration">hide</ignore1>
<schema-extension-removeExisting display-name="Existing Schema Extensions">false</schema-extension-removeExisting>
</driver-options>
<subscriber-options>
<domain-name display-name="Domain Name">client.onmicrosoft.com</domain-name>
<subTrustStoreFile display-name="Truststore file">E:\NetIQ\IdentityManager\keystore.jks</subTrustStoreFile>
<proxy display-name="Proxy host and port"></proxy>
<proxyFields display-name="Set proxy authentication parameters">show</proxyFields>
<proxyUserName display-name="User name"></proxyUserName>
<proxyPassword display-name="Password" is-sensitive="true" type="password-ref"><!-- content suppressed --></proxyPassword>
<exchangeSetting display-name="Exchange and Powershell Service">true</exchangeSetting>
<exchangeServiceUrl display-name="Exchange Service URL">https://127.0.0.1:2313/ExchServer</exchangeServiceUrl>
<refresh-Deleted-Users display-name="Refresh Deleted User cache">false</refresh-Deleted-Users>
<enableExchangeOnline display-name="Office 365 Exchange Online">true</enableExchangeOnline>
<exchangeBG display-name="Queue Operations">false</exchangeBG>
<pageSize display-name="Page Size">50</pageSize>
<exchangeTraceLocation display-name="Trace Location">E:\NetIQ\ExchangeServerHost\Trace</exchangeTraceLocation>
<exchangeLogLevel display-name="Trace Level">3</exchangeLogLevel>
<exchangeLogSize display-name="Trace file size limit">10</exchangeLogSize>
<database-password display-name="Database Password" is-sensitive="true" type="password-ref"><!-- content suppressed --></database-password>
</subscriber-options>
<publisher-options>
<allow-publisher display-name="Enable Publisher">true</allow-publisher>
<polling-interval display-name="Publisher Polling interval">5</polling-interval>
<heartbeat-interval display-name="Heart Beat interval">1</heartbeat-interval>
<shim-auth-server display-name="Authentication Context"></shim-auth-server>
</publisher-options>
</init-params>
</input>
</nds>
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid: Connecting to Azure.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:DriverParams: Encryption/Sensitive attributes list:
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:DriverParams: {user=[passwordProfile, password, dbpassword, Password]}
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Starting DriverInterface shim 'Azure AD Hybrid_Azure'.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Recieved driver-init configuration document
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: RESTDriver.init()
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Put shimParams in ThreadGroupLocal
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Called default constructor for RESTSubscriptionShim
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: getSubscriptionShim
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Called default constructor for RESTPublicationShim
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: setting up status document
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Driver has loaded: com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Graph Extension initiliazed.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Driver has initialized: com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: extensions = yes
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Returning the success document and leaving init
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Received response is :
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product build="20180112_0452" instance="Azure AD Hybrid_Azure" version="1.0.0.2">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general"/>
</output>
</nds>
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Starting SubscriptionShim
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: Received subscriber-init document
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: getSubscriptionShim
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid_Azure: RESTSubscriptionShim.init()
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:Azure AD Hybrid: Caught exception during REST Channels initialization.
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:DriverShim.getSchema() returned:
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product build="20171120_1044" instance="Azure AD Hybrid" version="5.0.1.2">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="fatal" type="com.novell.nds.dirxml.driver.azure.StatusException"/>
</output>
</nds>
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:
DirXML Log Event -------------------
Driver: \TRR\system\driverset1\Azure AD Hybrid
Status: Fatal
[02/24/18 15:16:00.743]:Azure AD Hybrid ST:
DirXML Log Event -------------------
Driver: \TRR\system\driverset1\Azure AD Hybrid
Status: Warning
Message: Code(-8001) Unable to retrieve application schema.


Publisher channel initialization trace level 5:

[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Initializing publisher shim.
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<init-params src-dn="\TRR\system\driverset1\Azure AD Hybrid">
<authentication-info>
<user>user@client.onmicrosoft.com</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-filter>
<allow-class class-name="Group">
<allow-attr attr-name="displayName"/>
<allow-attr attr-name="description"/>
<allow-attr attr-name="Type"/>
<allow-attr attr-name="members"/>
<allow-attr attr-name="owners"/>
</allow-class>
<allow-class class-name="User">
<allow-attr attr-name="usageLocation"/>
<allow-attr attr-name="city"/>
<allow-attr attr-name="userPrincipalName"/>
<allow-attr attr-name="country"/>
<allow-attr attr-name="companyName"/>
<allow-attr attr-name="directReports"/>
<allow-attr attr-name="ArchiveStatus"/>
<allow-attr attr-name="ServerLegacyDN"/>
<allow-attr attr-name="LitigationHoldEnabled"/>
<allow-attr attr-name="Type"/>
<allow-attr attr-name="facsimileTelephoneNumber"/>
<allow-attr attr-name="displayName"/>
<allow-attr attr-name="givenName"/>
<allow-attr attr-name="otherMails"/>
<allow-attr attr-name="thumbnailPhoto"/>
<allow-attr attr-name="Login Disabled"/>
<allow-attr attr-name="manager"/>
<allow-attr attr-name="mobile"/>
<allow-attr attr-name="department"/>
<allow-attr attr-name="physicalDeliveryOfficeName"/>
<allow-attr attr-name="postalCode"/>
<allow-attr attr-name="preferredLanguage"/>
<allow-attr attr-name="mailNickname"/>
<allow-attr attr-name="state"/>
<allow-attr attr-name="streetAddress"/>
<allow-attr attr-name="surname"/>
<allow-attr attr-name="telephoneNumber"/>
<allow-attr attr-name="jobTitle"/>
</allow-class>
</driver-filter>
<publisher-options>
<allow-publisher display-name="Enable Publisher">true</allow-publisher>
<polling-interval display-name="Publisher Polling interval">5</polling-interval>
<heartbeat-interval display-name="Heart Beat interval">1</heartbeat-interval>
<shim-auth-server display-name="Authentication Context"></shim-auth-server>
</publisher-options>
</init-params>
</input>
</nds>
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid: AZPublisher.init()
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid: Connecting to Azure.
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:DriverParams: Encryption/Sensitive attributes list:
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:DriverParams: {user=[passwordProfile, password, dbpassword, Password], group=[]}
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Starting DriverInterface shim 'Azure AD Hybrid_Azure'.
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Recieved driver-init configuration document
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: RESTDriver.init()
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Put shimParams in ThreadGroupLocal
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Called default constructor for RESTSubscriptionShim
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: getSubscriptionShim
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Called default constructor for RESTPublicationShim
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: setting up status document
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Driver has loaded: com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Graph Extension initiliazed.
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Driver has initialized: com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: extensions = yes
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Returning the success document and leaving init
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Received response is :
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product build="20180112_0452" instance="Azure AD Hybrid_Azure" version="1.0.0.2">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general"/>
</output>
</nds>
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Starting SubscriptionShim
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: Received subscriber-init document
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: getSubscriptionShim
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid_Azure: RESTSubscriptionShim.init()
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:Azure AD Hybrid: Caught exception during REST Channels initialization.
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:PublicationShim.init() returned:
[02/24/18 15:16:01.008]:Azure AD Hybrid PT:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product build="20171120_1044" instance="Azure AD Hybrid" version="5.0.1.2">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="fatal" type="com.novell.nds.dirxml.driver.azure.StatusException"/>
</output>
</nds>
Re: AzureAD fatal error during startup (StatusException)

Hm, in the end the problem was with the authentication password (ShimAuthPassword).

The password contained two characters which caused the problem: & and <
After those two characters were removed from the password, the driver started as it should.

I don't know if this is a bug or whether it is written somewhere in the documentation, but since ShimAuthPassword is not stored as plain text in XML, I think those characters should not cause such problems...

//s

Re: AzureAD fatal error during startup (StatusException)

On 2/26/2018 12:54 PM, sebastijan wrote:
>
> Hm, at the end, problem was with authentication password
> (ShimAuthPassword).
>
> Password had two characters, which caused problem: & and <
> After those two characters were removed from password, driver started as
> it should.
>
> I don't know if this is bug or it is written somewhere in documentation,
> but since ShimAuthPassword is not stored as plain text in XML I think
> those characters should not cause such problems...


Worth reporting as a bug! Aaron, perhaps you can?

The reason is less the storage (agreed, it is an encrypted password store) and
more the transport. At some point, the password has to be passed to the
remote loader. It would be at that point, and then in how the shim uses
it, that the problem would most likely be isolated.


Re: AzureAD fatal error during startup (StatusException)

On 2/26/2018 12:54 PM, sebastijan wrote:
>
> Hm, at the end, problem was with authentication password
> (ShimAuthPassword).
>
> Password had two characters, which caused problem: & and <
> After those two characters were removed from password, driver started as
> it should.
>
> I don't know if this is bug or it is written somewhere in documentation,
> but since ShimAuthPassword is not stored as plain text in XML I think
> those characters should not cause such problems...


Passed it on to Support and they are having someone in QA look at it...
Good catch, hope this helps get it fixed.



Re: AzureAD fatal error during startup (StatusException)

Any word on this, maybe a bug number? If not, I'm going to report one shortly. I hit this today (IDM 4.7 SP1, new Azure driver) and fixed it by replacing the '&' in the authentication user's password with (you guessed it) '&amp;', which then let the authentication work nicely. I'm worried that once this is fixed in code it may cause the authentication to start failing, but until then having this error out without any decent tracing ("Hey you, wrong password") is pretty frustrating.

ab
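The mechanism the replies above point at (a credential that is stored encrypted but ends up interpolated, unescaped, into the XML init document handed to the REST shim) is shown here as an added Python example. It is not part of the original posts and not the NetIQ driver's code: the "buggy" builder is a hypothetical reconstruction of the failure mode, the "safe" builder shows how an XML library avoids it, and the last function shows why the '&amp;' workaround from the final reply works only while the bug exists. The sample password is constructed for the demo.

```python
"""Why '&' and '<' in a password can break an XML init document, and why
pre-escaping the stored password is a workaround that depends on the bug.

Added example; a hypothetical reconstruction, not the driver's own code.
"""
import xml.etree.ElementTree as ET

# Constructed sample credential for the demo (not anyone's real password).
SAMPLE_USER = "user@client.onmicrosoft.com"
SAMPLE_PASSWORD = "p<ss&w0rd"


def build_init_params_unescaped(user, password):
    """Hypothetical buggy path: the secret is pasted into the document as raw
    text, so '&' and '<' become markup instead of data."""
    return (
        '<nds dtdversion="4.0" ndsversion="8.x"><input><init-params>'
        '<authentication-info>'
        f'<user>{user}</user><password>{password}</password>'
        '</authentication-info></init-params></input></nds>'
    )


def build_init_params_escaped(user, password):
    """Safe path: build the tree with an XML library, which escapes text
    nodes ('&' -> '&amp;', '<' -> '&lt;') on serialization."""
    nds = ET.Element("nds", dtdversion="4.0", ndsversion="8.x")
    init_params = ET.SubElement(ET.SubElement(nds, "input"), "init-params")
    auth = ET.SubElement(init_params, "authentication-info")
    ET.SubElement(auth, "user").text = user
    ET.SubElement(auth, "password").text = password
    return ET.tostring(nds, encoding="unicode")


def extract_password(doc):
    """What the receiving shim must do: parse the document and read the
    password back. Returns None when the document is not well-formed,
    which is the point at which the driver in the thread dies."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return None
    return root.findtext("./input/init-params/authentication-info/password")


def password_survives(builder, user, password):
    """True if the password the shim reads back equals the one we sent."""
    return extract_password(builder(user, password)) == password


def workaround_roundtrip(stored_password):
    """The '&amp;' workaround: the stored value is already XML-escaped.
    Returns (what the buggy path yields, what a corrected path yields).
    The first matches the real cloud password; the second does not, which
    is why the workaround breaks the day the escaping bug is fixed."""
    buggy = extract_password(build_init_params_unescaped("u", stored_password))
    fixed = extract_password(build_init_params_escaped("u", stored_password))
    return buggy, fixed


if __name__ == "__main__":
    print("unescaped:", extract_password(build_init_params_unescaped(SAMPLE_USER, SAMPLE_PASSWORD)))
    print("escaped:  ", extract_password(build_init_params_escaped(SAMPLE_USER, SAMPLE_PASSWORD)))
    print("workaround:", workaround_roundtrip("p&amp;ss"))
```

The parse failure is silent about its cause, which matches the bare StatusException in the trace: a shim that validates the init document and reports "password contains characters that were not escaped" would have saved this thread several days. The fix belongs in the producer (escape every text node, or build the tree with a library), not in the secret; rewriting the stored password as '&amp;' couples it to the bug.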