zelgadis6

IDM sync error 9006

We recently encountered sync errors for our AD driver set in IDM; when checking password status, all users show sync error 9006.

The Subscriber status log also has the following message output for many users:

<status event-id="pwd-subscribe" level="error" type="driver-general">Could not set password via platform call. Err=2245 (password invalid)
  <operation-data>
    <password-subscribe-status>
      <association>6ba5f61706e78342b87209529cda5903</association>
    </password-subscribe-status>
  </operation-data>
  <application>DirXML</application>
  <module>Active Directory</module>
  <object-dn>\NYM\nym\MTA-Users\CPhilip</object-dn>
  <component>Subscriber</component>
</status>

I'd greatly appreciate feedback on possible root causes, as I don't have much reference material or experience with troubleshooting Identity Manager.
Knowledge Partner

Re: IDM sync error 9006

From the other thread:

The error means that the password you tried to send to
Microsoft Active Directory (MAD) is not one that it (MAD) will accept,
probably because you have complexity rules there which are rejecting the
password. Having mismatched password policies in the vault and an
application is a recipe for this kind of problem, so check there first, or
else check with your MAD administrators for why the passwords sent were
invalid (assuming they know how to tell from their logs).

I think you have tried disabling complexity in MAD, so NEW password changes
should now go through where before they could not. Since you are new, it
may be worth pointing out that Identity Manager (IDM) is event-driven, so
the passwords will not continue retrying indefinitely after an error is
returned from the application, meaning the passwords will not suddenly
become synchronized without some action causing a password change to go
through. Try setting a password on one of these users and see if it will
go through now.

Perhaps even better, try setting a similar password on the user directly
in MAD before you try via IDM. If you can set a password like
'sillypassword' directly via MAD's own tools, preferably as the user
rather than as an admin, then you know your complexity rules are disabled.
If not, then IDM cannot override those rules and you either need to fix
those rules or change the password policy within the Identity Vault
(eDirectory) so that harder-to-remember passwords are required here as
well as there. That goes against best practices, but it is also what
Microsoft and others have pushed for decades.

https://xkcd.com/936/

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
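As an added illustration (not code from this thread, from Micro Focus or from the IDM driver), here is a Python check that applies Microsoft's documented default complexity rule for Active Directory to a candidate password, so you can see in advance whether a value such as 'sillypassword' would be rejected on the MAD side no matter what IDM sends. The account name, display name and the minimum length of 7 are assumptions for the example; substitute your domain's actual policy values.

```python
import re

# Separators Microsoft documents for splitting displayName into tokens
# before checking whether pieces of the full name occur in the password.
NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]")


def complexity_categories(password):
    """Return the set of character categories present in the password.

    Categories follow the default AD complexity filter: uppercase, lowercase,
    base-10 digits, non-alphanumeric symbols, plus caseless letters
    (e.g. CJK) as the fifth category.
    """
    cats = set()
    for c in password:
        if c.isupper():
            cats.add("upper")
        elif c.islower():
            cats.add("lower")
        elif "0" <= c <= "9":
            cats.add("digit")
        elif c.isalpha():
            cats.add("other_alpha")
        else:
            cats.add("symbol")
    return cats


def check_ad_complexity(password, sam_account_name="", display_name="", min_length=7):
    """Return the list of reasons AD would reject the password; empty means it passes.

    min_length stands in for the domain's separate 'Minimum password length'
    setting (assumed 7 here); set it to your own domain's value.
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    # The whole sAMAccountName is checked, but only when it is 3+ characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        problems.append("contains the account name")
    # displayName is split on separators; tokens under 3 characters are ignored.
    for token in NAME_SEPARATORS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains part of the full name ({token!r})")
    if len(complexity_categories(password)) < 3:
        problems.append("uses fewer than 3 of the character categories")
    return problems
```

Running a password that fails here against the vault policy as well is a quick way to spot the mismatch the reply above describes: if the Identity Vault accepts it and this check rejects it, the Subscriber channel will keep reporting "password invalid" until the two policies agree.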