Article ID: 119341, created on Dec 26, 2013, last review on Mar 12, 2016

  • Applies to:
  • Operations Automation

POA Customer Directory Integration known issues

Common issues

  1. Agent Node temporary failure

    Synchronization Agent will perform synchronization after the Agent Node is up again. Password changes performed while Password Synchronization Agent was down will be lost; in such cases, Customer Administrator would need to ask the users who cannot log in to POA due to the out-of-sync passwords to change their passwords once again after re-activating the Synchronization Agent Node.

  2. Synchronization Caching Database (Data\ADSyncCache.sdf) corruption

    If the database backup exists, the administrator needs to restore the database and continue the synchronization.

    If there is no backup, the administrator needs to perform the following steps:

    1. Remove the cache file **Data\ADSyncCache.sdf**.
    2. Run the `CDI Tool Installer` in recovery mode.
    3. Restore the connection to the CDI Module.
    

Note: Password changes that were in the queue at the moment of database corruption will be lost.

Specific issues

  1. Symptoms: The Unknown Error or Unspecified Error messages appear when Password Filter interacts with Password Agent. This error message appears in the Event Log of the Parallels AD Password Change Filter component.

    Reason: Password Agent cannot save the password it caught.

    Resolution: Check the Event Log on the host where Password Agent is running. Typically, the error occurs because of missing synchronization database or when there is no access to necessary files.

  2. Symptoms: When running the ADSync.exe utility in the run mode, error messages appear about an invalid certificate. Similar messages are present in the Application Event Log of the AD Password Synchronization Agent component during its startup.

    Resolution: Check the SSL connectivity with the CDI Web service in a browser. It should be using a valid, not expired, certificate from a trusted Certification Authority.

    Note: Self-signed SSL certificates are not supported in the production environment!

  3. Symptoms: When running the ADSync.exe utility in the run mode, the following error is shown:

    Error. Server was unable to process request---> Keyset does not exist
    

    Reason 1: The certificate used for password encryption was replaced in the CDI Web service and now CDI Web service does not have access to the new certificate's private key.

    Resolution: Use the CDICertUtil utility from the POA distributive for certificate installation and configuration.

    Reason 2: The NetworkService account is not set for CDI Web Service Application Pool.

    Resolution:

    • Log in to the CDI Web Service host.
    • Open IIS Manager and find the Application Pool for the site where the AD Synchronization Web Service is running.
    • Click on the Advanced Settings link of the found Application Pool.
    • Under the Process Model section, find the Identity value.
    • Make sure that the NetworkService account is used here (otherwise, you will get the Keyset does not exist error).
    • To fix the problem, you can either create a new Application Pool of the CDI site with the NetworkService account set as the Identity of this AppPool, or change the Identity for the existing Application Pool.
  4. Symptoms: Interface is not registered or Co-class is not registered errors appear.

    Reason: The problem is caused by the objects' registration with Password Agent or Filter (wrong CDI Agent hostname).

    Resolution: Restart CDI Synchronization Agent and re-install Password Filter.

  5. Symptoms: Password Filter connects to Password Agent and gets the Access Denied error. In the Application Event Log for the Parallels AD Password Change Filter component, one of the following events appears:

    Error in reporting thread: Access denied [Connect to 'XXX' server] (Error code: 0x80070005)
    
    Error in reporting thread: Access denied [Send password to synchronization service] (Error code: 0x80070005)
    

    Reason 1: The hostname is incorrect or the default SPN of the host is not registered.

    Resolution: If there is a WARNING Password synchronization operation fails with the "Access Denied" error, from the Parallels AD Password Change Filter component, then check the Synchronization Service's Principal Name.

    To check/set the hostname: Open the HKLM\SOFTWARE\Parallels\CDI\PasswordFilter\syncServer registry key; you should see the NetBIOS name or localhost if the Password Agent is running on a Domain Controller.

    Check the SPN. There should be at least two default SPNs: HOST/<NetBIOS-name> and HOST/<FQDN>.

    For example: HOST/MYSERVER and HOST/myserver.fabricam.local

    Check and reset the correct SPNs using the setspn utility.

    Reason 2: Time is not synced on AD Domain Controllers (more than 5-minute difference).

    Resolution: In the event of any Kerberos authentication problems, check Event Logs. Make sure that time is synced on the AD Domain Controllers.

  6. Symptoms: No password changes synced: filter returns "0x80070005" error.

    Resolution:

    • Make sure that DCOM is enabled on the on-premise end-customer Domain Controller (the host with the Password Synchronization Agent installed) and on the on-premise end-customer host where the CDI Synchronization Agent is installed.

    • Run the dcomcnfg tool, locate "My Computer" in the left tree, select the Properties option from the context menu, open the Default Properties tab, and check Enable Distributed COM on this computer (it should be enabled).

      • On the machine where the Synchronization Agent is being run, make sure that the local security group Distributed COM Users contains the global Domains Controllers domain group.
  7. Symptoms: The ADSync utility is failing on OU (Organizational Unit) lookup. When ADSync is running with adsync try test2.txt using the above option, the following error message appears:

    Unknown error (0x80005000) Exception:
    System.Runtime.InteropServices.COMException
    Source: System.DirectoryServices
    Stack Trace ...
    

    Reason: The error occurred due to security reasons. It looks like a user is a member of a group from another (trusted) domain. A user that used to run ADSync has no permissions to read this domain; however, ADSync fails on an attempt to resolve this group.

    Resolution: There are two different ways to fix the problem:

    1. Disable membership synchronization (remove the <Property>membership</Property> from the ADSync.exe.config file).

    2. Export all users from the problem OU into a file using the following command:

      ldifde -f file-to-export.txt -d "<OU DN>" -p Subtree -l distinguishedName,memberOf
      

      Search for users that have such specific membership relations (see the "memberOf" fields), and either fix a membership or provide access for the user that is used for ADSync running.

  8. Symptoms: The Password Synchronization Agent fails with this error message in the Event Viewer:

    Cannot save password: Key not valid for use in specified state.
    

    Reason: The size of the Public Key used for the password encryption is not large enough for encryption of the password (fails if the generated password of the system account is too long).

    Resolution: Use a 2048-bit public key for password encryption to avoid such problems.

    Note: You need to import the AD Sync Web Service certificate directly into the machine store using the Certificate MMC snap-in (select this certificate store in snap-in during import). Please refer to the guide https://download.automation.odin.com/pa/6.0/doc/portal/6.0/oa/65195.htm for details of the certifuicate installation. Please note that, if the certificate is updated on the server side the client will continue to use the old one for about 24 hours. The client can force the certificate updating by restarting the ADSync Password Agent service.

  9. Symptoms: Warning. Synchronization fails for entity 'CN=User1,OU=Team1,OU=User-Acounts,DC=d1,DC=ch,DC=domain,DC=com': Unable to find suitable certificate with thumbprint '1U29151F7BFE85A51096E5D994DF2A02CAADF1DF' in local certificate storage.

    Resolution: This warning comes from the CDI Web Service when the ADSync.exe tool is run. This warning means that the certificate used for encryption was removed from a local storage on the CDI Web Server by the Provider staff. On the first attempt to synchronize the passwords encrypted with the old certificate, the CDI Web Server reports a warning. Synchronization is performed anyway. Further attempts should proceed without any warnings.

    1. In case the synchronization does not work, ensure that the certificate is present in the certificate cache on CDI Web Service node,
    2. Issue

      C:\inetpub\wwwroot\CDISync\bin>CDICertUtil.exe -thumbprint 1U29151F7BFE85A51096E5D994DF2A02CAADF1DF
      
  10. Symptoms: AD Sync tool fails: 'remote name could not be resolved'

    Resolution: See KB#116932

  11. Symptoms: Password changes are not synced into POA AD, error event "RPC service is unavailable" is registered.

    Resolution: See KB#122344

  12. Since AD Sync tool operates on Provider's AD, tasks may fail due to generic AD errors. Please use our knowledgebase tool to search for such errors.

Search Words

Warning. Synchronization fails for entity

Applications tab is empty for Hardware Nodes

cert error

Message User 'Exchange Migration' failed with error: 'Default domain for login names not specified.', 170

Customer Directory Integration

Synchronization not going on

CDI

Cannot save password: Key not valid for use in specified state.

Log Name: Application Source: AD Password Synchronization Agent Date: 03.02.2016 11:09:24 Event ID: 0 Task Category: None Level: Error Keywords: Classic User: N/A Computer: AP01PRT02.AP01.Apps.ch Description: Cannot save password: Key not valid for use in specified state. Exception: System.Security.Cryptography.CryptographicException Source: mscorlib Stack trace: at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) at System.Security.Cryptography.Utils._EncryptKey(SafeKeyHandle hPubKey, Byte[] key) at System.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] rgb, Boolean fOAEP) at ADPasswordAgent.PasswordAgent.EncryptPassword(String password, String& certThumbprint) at ADPasswordAgent.PasswordAgent.SetPassword(String sid, String password) Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="AD Password Synchro

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF