domingogarcia Absent Member.

Pass sync does not arrive to eDirectory


Hi all,

I have been fighting with the password synchronization utility and I
have run out of ideas. Maybe one of you has been through a similar
situation and could help me.

I have an IDM 4.0.2 installation with AD Driver version 4.0.0.0 on
Windows 2012.

Password filter has been installed allowing access to remote registry
as it is explained

http://tinyurl.com/qyty2hz

I can see the status running on the DC.

According to the documentation the flow from DC to eDirectory follows
these steps

1. Password is changed in Microsoft Active Directory by some means.
2. Password change is picked up at a domain controller and DirXML
PWFILTER.DLL is notified.
3. DirXML PWFILTER.DLL places the password change in a new registry
key under HKLM/SOFTWARE/Novell/PwFilter/Data/<username> for that user.
Example: Password change for BOB1 would be in
HKLM/SOFTWARE/Novell/PwFilter/Data/BOB1.
4. The DirXML PWFILTER.DLL then sends the password change to the
machine running the remote loader (or driver) (Determined by
HKLM/SOFTWARE/Novell/PwFilter/Host Names:) and the password change is
placed under the HKLM/SOFTWARE/Novell/PassSync/Data/<username>/ registry
key on the remote


Everything seems to be OK until step 4. No matter what, the user
keeps waiting in the DC registry forever.

Has anyone found a similar situation?

Thanks

Domingo


--
domingogarcia
------------------------------------------------------------------------
domingogarcia's Profile: https://forums.netiq.com/member.php?userid=3154
View this thread: https://forums.netiq.com/showthread.php?t=53782

Knowledge Partner

Re: Pass sync does not arrive to eDirectory

On 6/29/2015 7:26 AM, domingogarcia wrote:
>
> Hi all,
>
> I have been fighting with the password synchronization utility and I
> have run out of ideas. Maybe one of you has been through a similar
> situation and could help me.
>
> I have an IDM 4.0.2 installation with AD Driver version 4.0.0.0 on
> Windows 2012.
>
> Password filter has been installed allowing access to remote registry
> as it is explained
>
> http://tinyurl.com/qyty2hz
>
> I can see the status running on the DC.
>
> According to the documentation the flow from DC to eDirectory follows
> these steps
>
> 1. Password is changed in Microsoft Active Directory by some means.
> 2. Password change is picked up at a domain controller and DirXML
> PWFILTER.DLL is notified.
> 3. DirXML PWFILTER.DLL places the password change in a new registry
> key under HKLM/SOFTWARE/Novell/PwFilter/Data/<username> for that user.
> Example: Password change for BOB1 would be in
> HKLM/SOFTWARE/Novell/PwFilter/Data/BOB1.
> 4. The DirXML PWFILTER.DLL then sends the password change to the
> machine running the remote loader (or driver) (Determined by
> HKLM/SOFTWARE/Novell/PwFilter/Host Names:) and the password change is
> placed under the HKLM/SOFTWARE/Novell/PassSync/Data/<username>/ registry
> key on the remote
>
>
> Everything seems to be OK until step 4. No matter what, the user
> keeps waiting in the DC registry forever.
>
> Has anyone found a similar situation?


By chance do you have more than one AD Remote Loader running on the same
server?

The RPC server that gets the responses back from the PWfilters, that runs
as part of the RL, only works if it is the first AD remote loader on that
box.



jimbjorklund Absent Member.

Re: Pass sync does not arrive to eDirectory


Hi, geoffc, I saw your post on the first part on a new guide on the AD
Password troubleshooter tool on Cool Solutions:
http://tinyurl.com/npnwy8y.
Is there by any chance a part two on the way any time soon?


--
jimbjorklund
------------------------------------------------------------------------
jimbjorklund's Profile: https://forums.netiq.com/member.php?userid=1292
View this thread: https://forums.netiq.com/showthread.php?t=53782

Knowledge Partner

Re: Pass sync does not arrive to eDirectory

On 8/7/2015 7:46 AM, jimbjorklund wrote:
>
> Hi, geoffc, I saw your post on the first part on a new guide on the AD
> Password troubleshooter tool on Cool Solutions:
> http://tinyurl.com/npnwy8y.
> Is there by any chance a part two on the way any time soon?


Yes. Written and submitted, expect it next week.


Knowledge Partner

Re: Pass sync does not arrive to eDirectory

Post a level five (5) trace from the Remote Loader (RL) side. After
setting that up, restart the RL so that, after a minute or so, the startup
trace is also included, which can have some good initial-connection
information. Post the trace for us to see and that may help.

Note: If you have multiple drivers (shims) on a single DC pointing to the
same domain (it's very rare, but happens) then there are known issues with
that; the most-common reason to do this is to have one driver config for
regular user synchronization, and another specifically dedicated to
password-related events, both to the same single domain. Avoid if
possible, as it's a bit tricky. If you are doing this, start the RL
instance for the driver that handles password-related stuff first.

--
Good luck.

jimbjorklund Absent Member.

Re: Pass sync does not arrive to eDirectory


Hi, it seems I have the exact same problem or at least a very similar
problem. No matter what I try the Remote Loader won’t pick up the
password change and forward it to the driver (if I’m understanding the
problem correctly).

I have the following setup:
- IDM 4.0.2 (patch7)
- AD Driver 4.0.0.3 (updated filter related files replaced on all domain
controllers according to the official documentation)
- Domain controllers are all running Windows Server 2012 (not R2)
64-bit

I have 3 domain controllers, all with the AD-driver installed and
password filters set up to forward events to the domain controller
running the remote loader.
For troubleshooting I have used the “PassSync Troubleshooting Tool”
which can be found in the IDM 4.5 media. According to this tool
everything seems to be set up correctly (as far as I can tell).
This page was also helpful: http://tinyurl.com/oyewnzy.

I have tried doing the following on all the domain-controllers:
- Temporarily disabling firewall
- Modifying registry permission to allow full permission to
HKLM/SOFTWARE/Novell/PassSync/Data/ for the user that the driver uses
for authentication (in my case the domain administrator since it’s a
test environment).

I have tried changing the driver Access Options parameters (Password
Sync Timeout etc.) and using different formats for the Application
Authentication Id (user@domain, domain\user, user) which some have
suggested. I’ve also made sure there is only one driver instance on the
Remote Loader computer.

I can see new keys being created in the registry on the Remote Loader
machine under HKLM/SOFTWARE/Novell/PassSync/Data/ when I change the
password for a user. *The remote loader however seems to conclude that
no password has been updated and thus, does not forward any event to the
driver if I’m understanding the trace correctly.*

Here is the level 5 trace from the remote loader on a password change
event (when a password is changed for a user in AD), the domain name has
been replaced with xxxxx.xx:
DirXML: [08/07/15 10:36:33.68]: ADDriver: Publisher Poll
DirXML: [08/07/15 10:36:33.68]: ADDriver: get object changes - 0x0000
DirXML: [08/07/15 10:36:33.68]: ADDriver: object changes complete
DirXML: [08/07/15 10:37:33.67]: ADDriver: Publisher Poll
DirXML: [08/07/15 10:37:33.67]: ADDriver: get object changes - 0x0000
DirXML: [08/07/15 10:37:33.67]: ADDriver: object changes complete
DirXML: [08/07/15 10:38:33.67]: ADDriver: Publisher Poll
DirXML: [08/07/15 10:38:33.67]: ADDriver: get object changes - 0x0000
DirXML: [08/07/15 10:38:33.67]: ADDriver: process object change entry
DirXML: [08/07/15 10:38:33.67]: ADDriver: Processing change from AD: isDeleted: NULL, whenCreated NULL, name NULL
DirXML: [08/07/15 10:38:33.67]: ADDriver: Publisher MODIFY
DirXML: [08/07/15 10:38:33.67]: ADDriver: Publisher Modify- effectiveClassQuery dn=CN=OKPass,OU=Students,OU=Xxxxx-users,DC=xxxxx,DC=xx className=user
DirXML: [08/07/15 10:38:33.67]: ADDriver: accountExpires
DirXML: [08/07/15 10:38:33.67]: ADDriver: sAMAccountName
DirXML: [08/07/15 10:38:33.67]: ADDriver: sn
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::getUserData()
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::getUserData().... checking that RPC Server is listening
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::getUserData().... checking that RPC Server is listening
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::GetPwdInfoByUser()
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::GetPwdInfoByUser() Looking for specific Username[OKPass]
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\XXXXX.XX
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - acquire the mutex.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - mutex acquired.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - get number of registry keys.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - dwSubKeys[0] dwPrefMaxEntries[1] *lpdwResumeHandle[0] lpszUserName[OKPass].
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - release the mutex.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - mutex released.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() - close the cache.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::GetPwdInfoByUser() returned 0x00000000
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::getUserData() returned 0x00000000
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::FreeSyncData()
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::FreeSyncData() returned.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::DataEnum()
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::DataEnum().... checking that RPC Server is listening
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::DataEnum().... checking that RPC Server is listening
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::GetPwdInfo()
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] PassSyncCache::GetPwdInfo() Looking for specific Username[(null)]
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - open the cache. Key = SOFTWARE\Novell\PassSync\Data\XXXXX.XX
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - acquire the mutex.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - mutex acquired.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - get number of registry keys.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - dwSubKeys[0] dwPrefMaxEntries[-2] *lpdwResumeHandle[0] lpszUserName[(null)].
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - Query only returned 0.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - release the mutex.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - mutex released.
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD] PasswordSync::DataEnum() returned 0x00000000
DirXML: [08/07/15 10:38:33.67]: Loader: Received document from publicationShim
DirXML: [08/07/15 10:38:33.67]: Loader: XML Document:
DirXML: [08/07/15 10:38:33.67]: <nds dtdversion="2.2">
<source>
<product version="4.0.2.6">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<init-params>
<publisher-state>
<cookie>TVNEUwMAAACfWTUQ5NDQAQAAAAAAAAAAWAAAAIvCHgAAAAAAAAAAAAAAAACLwh4AAAAAALzFxr10MUJGliE+BB0Rr4QBAAAAAAAAAAMAAAAAAAAA6E43A0X6fki9HrTr0jAjBUGCHQAAAAAAgMt1llWBaEWppv6azZr+ZLhBEwAAAAAAvMXGvXQxQkaWIT4EHRGvhJvCHgAAAAAA</cookie>
</publisher-state>
</init-params>
</input>
</nds>
DirXML: [08/07/15 10:38:33.67]: Loader: Writing driver state to file
DirXML: [08/07/15 10:38:33.67]: Loader: Document consists only of state; not sending to remote side
DirXML: [08/07/15 10:38:33.67]: Loader: Returning to publisher:
DirXML: [08/07/15 10:38:33.67]: Loader: XML Document:
DirXML: [08/07/15 10:38:33.67]: <nds ndsversion="8.6" dtdversion="1.0">
<output>
<status level="success"/>
</output>
</nds>


Any ideas?


--
jimbjorklund
------------------------------------------------------------------------
jimbjorklund's Profile: https://forums.netiq.com/member.php?userid=1292
View this thread: https://forums.netiq.com/showthread.php?t=53782
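
Added example (not part of the thread and not NetIQ code): a small Python parser for the [PWD] lines of a Remote Loader trace like the one posted above. It rejoins wrapped lines and reports, for each PassSync cache lookup, which registry key the driver opened and how many subkeys it counted there. The function names and record fields are illustrative; the sample is an excerpt of the posted trace.

```python
import re

# Excerpt of the level 5 trace posted above, kept in its wrapped form.
SAMPLE_TRACE = r"""
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() -
open the cache. Key = SOFTWARE\Novell\PassSync\Data\XXXXX.XX
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfoByUser() -
dwSubKeys[0] dwPrefMaxEntries[1] *lpdwResumeHandle[0]
lpszUserName[OKPass].
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() - open
the cache. Key = SOFTWARE\Novell\PassSync\Data\XXXXX.XX
DirXML: [08/07/15 10:38:33.67]: ADDriver: [PWD 312] GetPwdInfo() -
dwSubKeys[0] dwPrefMaxEntries[-2] *lpdwResumeHandle[0]
lpszUserName[(null)].
"""

PWD = re.compile(r"^DirXML: \[(?P<ts>[^\]]+)\]: ADDriver: \[PWD[^\]]*\]\s*(?P<msg>.*)$")
OPEN = re.compile(r"(?P<fn>\w+)\(\) - open the cache\. Key = (?P<key>\S+)")
COUNT = re.compile(r"(?P<fn>\w+)\(\) - dwSubKeys\[(?P<n>-?\d+)\].*lpszUserName\[(?P<user>[^\]]*)\]")

def unwrap(trace):
    """Rejoin wrapped lines: a line not starting a new 'DirXML: [' entry continues the previous one."""
    entries = []
    for line in (raw.strip() for raw in trace.splitlines()):
        if not line:
            continue
        if line.startswith("DirXML: [") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def cache_lookups(trace):
    """One record per PassSync cache lookup: the key opened and the subkey count the trace reports."""
    opened, lookups = {}, []
    for entry in unwrap(trace):
        m = PWD.match(entry)
        if not m:
            continue
        o, c = OPEN.search(m["msg"]), COUNT.search(m["msg"])
        if o:
            opened[o["fn"]] = o["key"]  # remember which key this function opened
        elif c:
            lookups.append({"time": m["ts"], "function": c["fn"], "key": opened.get(c["fn"]),
                            "subkeys": int(c["n"]), "user": c["user"]})
    return lookups

def empty_lookups(trace):
    """Lookups where the trace reports zero subkeys under the key the driver opened."""
    return [rec for rec in cache_lookups(trace) if rec["subkeys"] == 0]
```

Each record returned by empty_lookups() carries the exact key path the driver opened, which can be compared with where new keys actually appear under HKLM/SOFTWARE/Novell/PassSync/Data/ on the Remote Loader machine.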

Knowledge Partner

Re: Pass sync does not arrive to eDirectory


This is tricky, I believe lpszUserName[(null)] is one hint, there
should be a username there. Not null.
To me it looks like a rights issue but you seem to have tried most
things.
I would start over and reinstall the remote loader, make sure to do all
installations and starting of programs with right click and "run as
administrator" even if you are logged in as administrator. Unfortunately
being logged in as administrator and doing "run as Administrator" is not
the same.

Best Luck
Joakim


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=53782

Knowledge Partner

Re: Pass sync does not arrive to eDirectory

On 8/7/2015 8:28 AM, joakim ganse wrote:
>
> This is tricky, I believe lpszUserName[(null)] is one hint, there
> should be a username there. Not null.
> To me it looks like a rights issue but you seem to have tried most
> things.
> I would start over and reinstall the remote loader, make sure to do all
> installations and starting of programs with right click and "run as
> administrator" even if you are logged in as administrator. Unfortunately
> being logged in as administrator and doing "run as Administrator" is not
> the same.


Have you seen any value in the UAC stuff, which is what causes/enforces
this?


Knowledge Partner

Re: Pass sync does not arrive to eDirectory


No, my only source of information is my constant failure or any
successful installation if I don't use run as administrator. Nowadays
it just goes automatically.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=53782

Knowledge Partner

Re: Pass sync does not arrive to eDirectory

On 8/7/2015 10:05 AM, joakim ganse wrote:
>
> No, my only source of information is my constant failure or any
> successful installation if I don't use run as administrator. Nowadays
> it just goes automatically.


What I was trying to ask (poorly) was if you had seen any real benefit
from UAC.

I do not, and see only pain.


Knowledge Partner

Re: Pass sync does not arrive to eDirectory

Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:

> Have you seen any value in the UAC stuff, which is what causes/enforces this?


I have seen value in UAC.
It can be a useful tool to help make old/misbehaving apps work better with
modern Windows.

It is far more than just the annoying prompt which pops up far too often.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Pass sync does not arrive to eDirectory

On 8/7/2015 10:07 AM, Alex McHugh wrote:
> Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
>
>> Have you seen any value in the UAC stuff, which is what causes/enforces this?

>
> I have seen value in UAC.
> It can be a useful tool to help make old/misbehaving apps work better with
> modern Windows.
>
> It is far more than just the annoying prompt which pops up far too often.


Can you elaborate?
