Introduction
This article is intended for people who deal with CDI functionality. It outlines troubleshooting techniques and describes known issues.
- POA CDI Deployment Guide
- POA Subscribers Guide
Typical installation
CDI Agent default installation path:
C:\Program Files\Parallels\Directory Integration
Local DB caching the AD data:
Data\ADSyncCache.sdf
CDI Agent's configuration file (quite self-documented inside):
The CDIPasswordAgent user, which the installer creates in the customer's AD when the CDI Password Change Filter Agent is installed, is assigned the following permissions by default (by the installer):
- Generic 'Read' and 'Execute' permissions on the 'Data' folder (by default it is located in 'C:\Program Files\Parallels\Directory Integration')
- 'Write' permission on the ADSyncCache.sdf database in the 'Data' folder
- Installation and credentials are shown in CCP.
Logging: all activities are written to the Event Log. By default only errors are logged:
- Password filter writes under “Parallels AD Password Change Filter” event source.
- Password agent writes under “AD Password Synchronization Agent” event source.
How to enable advanced (trace) logging:
For the Password filter: add a DWORD value named trace under
- HKLM\SOFTWARE\Parallels\CDI\PasswordFilter and set it to 1. Reboot the domain controller (the filter is loaded by the DC and only picks the value up after a reboot).
For the Password agent: add a DWORD value named trace under
- HKLM\SOFTWARE\Parallels\CDI\AD Password Synchronization Agent and set it to 1. Restart the "AD Password Synchronization Agent" service.
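The two trace switches above as one script. This is an added example, not code from the original article or from Parallels; it assumes only the two registry paths named above and that the agent's service display name is the "AD Password Synchronization Agent" string the article uses. The value is a DWORD value named trace under the component's key, not a subkey.

```powershell
# Added example: enable (or disable) CDI trace logging for one component.
# Assumes the registry paths from the article; the service display name is an assumption.
function Set-CdiTrace {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PasswordFilter', 'PasswordAgent')]
        [string]$Component,

        [switch]$Disable
    )

    # Both components read a DWORD *value* called "trace" (not a subkey) under their own key.
    $keyPath = switch ($Component) {
        'PasswordFilter' { 'HKLM:\SOFTWARE\Parallels\CDI\PasswordFilter' }
        'PasswordAgent'  { 'HKLM:\SOFTWARE\Parallels\CDI\AD Password Synchronization Agent' }
    }

    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key '$keyPath' does not exist; is the $Component installed on this host?"
    }

    $value = if ($Disable) { 0 } else { 1 }
    # -Force overwrites an existing value, so the function is safe to re-run.
    New-ItemProperty -Path $keyPath -Name 'trace' -PropertyType DWord -Value $value -Force | Out-Null

    switch ($Component) {
        'PasswordAgent' {
            # The agent re-reads the value on service start.
            Get-Service -DisplayName 'AD Password Synchronization Agent' -ErrorAction Stop |
                Restart-Service -Force
        }
        'PasswordFilter' {
            # The filter runs inside the DC's LSASS and only re-reads the value after a reboot.
            # Do not reboot a domain controller from a script without explicit intent.
            Write-Warning "trace=$value written for the password filter; reboot this domain controller to apply it."
        }
    }
}

# Usage: run elevated on the host in question.
# Set-CdiTrace -Component PasswordAgent            # enables and restarts the service
# Set-CdiTrace -Component PasswordFilter -Disable  # writes 0; reboot the DC afterwards
```

Remember to set the value back to 0 once the problem is captured: the password filter runs on the domain controller and trace output from it is not something to leave on indefinitely.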
Run the agent without any switches to get a command-line usage sample:
C:\Program Files\Parallels\Directory Integration>ADSync.exe
Agent Node temporary failure
- The Synchronization Agent will resume synchronization once the Agent Node is up again. Password changes made while the Password Synchronization Agent is down are lost; in that case the Customer Admin needs to ask the users who cannot log in to POA because of out-of-sync passwords to change their passwords again after the Agent Node is activated.
Synchronization Cache corruption
- If a database backup exists, the administrator needs to restore the database and continue the synchronization.
- If there is no backup, the administrator needs to perform the following steps:
  - Remove the cache file.
  - Run the CDS Tool Installer in recovery mode.
  - Restore the connection to the CDI Module.
Note that password changes that are in the queue at the moment of corruption will be lost.
Error: When the Password Filter interacts with the Password Agent, an Unknown Error or Unspecified Error occurs. (The message appears in the Event Log under the Parallels AD Password Change Filter source.)
Resolution: The Password Agent cannot save the password it caught. Check the Event Log on the host where the Password Agent runs. Typically the error occurs because the synchronization DB is missing or the agent has no access to the necessary files (compare the CDIPasswordAgent permissions listed above).
Error: When running ADSync.exe in run mode, error messages about an invalid certificate appear. Similar messages are present in the Application Event Log under the AD Password Synchronization Agent source during its startup.
Resolution: Check SSL connectivity to the POA Web-service in a browser. The certificate must be valid, not expired, and issued by a Certification Authority that is trusted on the host running the agent.
Self-signed certificates are not supported in the production environment!
Error: When running ADSync.exe in run mode, the following error is shown: Error. Server was unable to process request ---> Keyset does not exist
Resolution 1: The certificate used for password encryption was replaced on the POA Web-service and the CDI Web-service no longer has access to the new certificate's private key.
Use the CDICertUtil utility from the POA distribution for certificate installation and configuration.
Resolution 2: The CDI Web Service application pool is not running under the Network Service account; set the application pool identity to Network Service.
Error: "Interface is not registered" or "Co-class is not registered" errors.
- Resolution: The problem is caused by the COM object registration of the Password Agent or Filter (for example, a wrong agent hostname). Restart the Agent and reinstall the Password Filter.
Error: The Password Filter connects to the Password Agent and gets an "Access Denied" error. In the Application Event Log under the Parallels AD Password Change Filter source, one of the following events is present:
Error in reporting thread: Access denied [Connect to XXX server] (Error code: 0x80070005)
Error in reporting thread: Access denied [Send password to synchronization service] (Error code: 0x80070005)
Resolution: The hostname is incorrect or the default SPNs of the host are not registered.
If there is a WARNING from the Parallels AD Password Change Filter component:
Password synchronization operation fails with the "Access Denied" error. Check the synchronization service's Principal Name.
Check the following:
- Hostname: HKLM\SOFTWARE\Parallels\CDI\PasswordFilter\syncServer should contain the NetBIOS name of the agent host, or localhost if the password agent is running on the domain controller itself.
- SPNs: there should be at least the two default SPNs, HOST/<NetBIOS-name> and HOST/<FQDN>.
Sample: HOST/MYSERVER and HOST/myserver.fabricam.local.
Check and reset the correct SPNs using the setspn utility.
- Time synchronization: a difference of more than 5 minutes between the hosts breaks Kerberos authentication.
- Any other Kerberos authentication problems: check the Event Logs.
Error: No password changes are synced; the filter returns the 0x80070005 error #RT-Trans.
- Resolution: Make sure that DCOM is enabled on the on-premises end-customer DC (the host with the Password Synchronization Agent) and on the on-premises end-customer host where the CDI Synchronization Agent is installed. Run the "dcomcnfg" tool, locate "My Computer" in the left tree, select "Properties..." from its context menu, open the "Default Properties" tab, and make sure "Enable Distributed COM on this computer" is checked.
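The hostname, SPN, clock-skew and DCOM checks from the two "Access Denied" errors above, collected into one diagnostic. This is an added example, not code from the original article or from Parallels. It assumes the syncServer registry value named above and uses only standard Windows tools (setspn.exe, w32tm.exe, the HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM value that dcomcnfg edits). Run it in an elevated PowerShell session on the domain controller that runs the Password Change Filter; the DCOM check covers the local host only, so repeat it on the agent host.

```powershell
# Added example: diagnose the 0x80070005 "Access denied" path between filter and agent.
# Assumes the syncServer value documented above; everything else is stock Windows tooling.
function Test-CdiSyncServer {
    $regPath    = 'HKLM:\SOFTWARE\Parallels\CDI\PasswordFilter'
    $syncServer = (Get-ItemProperty -Path $regPath -Name 'syncServer' -ErrorAction Stop).syncServer
    $findings   = [System.Collections.Generic.List[string]]::new()

    # 1. The value must be a NetBIOS name or "localhost", not an FQDN or IP address.
    if ($syncServer -match '\.') {
        $findings.Add("syncServer '$syncServer' looks like an FQDN or IP address; use the NetBIOS name or 'localhost'.")
    }
    $target = if ($syncServer -ieq 'localhost') { $env:COMPUTERNAME } else { $syncServer }

    # 2. A name that does not resolve shows up on the filter side as 0x80070005.
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($target).HostName
    } catch {
        $findings.Add("Cannot resolve '$target': $($_.Exception.Message)")
        return $findings
    }

    # 3. Both default SPNs must exist on the agent host's computer account.
    $spns = & setspn.exe -L $target 2>&1 | ForEach-Object { $_.ToString().Trim() }
    foreach ($expected in @("HOST/$($target.ToUpper())", "HOST/$fqdn")) {
        if (-not ($spns | Where-Object { $_ -ieq $expected })) {
            $findings.Add("Missing SPN $expected on $target (register with: setspn -S $expected $target)")
        }
    }

    # 4. Kerberos tolerates at most 5 minutes (300 s) of clock skew.
    $offsetLine = & w32tm.exe /stripchart /computer:$fqdn /samples:1 /dataonly 2>&1 |
        ForEach-Object { $_.ToString() } | Select-Object -Last 1
    if ($offsetLine -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt 300) { $findings.Add("Clock skew to $fqdn is ${skew}s (> 300 s); Kerberos will fail.") }
    } else {
        $findings.Add("Could not measure clock skew against $fqdn ($offsetLine)")
    }

    # 5. The filter reaches the agent over DCOM; "N" here is what dcomcnfg's checkbox toggles.
    $dcom = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue).EnableDCOM
    if ($dcom -ne 'Y') {
        $findings.Add("DCOM is disabled on this host (HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = '$dcom').")
    }

    return $findings
}

$problems = Test-CdiSyncServer
if ($problems.Count -eq 0) { 'syncServer, SPN, time and DCOM checks passed.' } else { $problems }
```

The SPN comparison is case-insensitive because setspn stores whatever case was registered; the skew threshold is the Kerberos default and should be lowered if the domain policy uses a tighter one.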
Error: ADSync fails on OU lookup. When ADSync is run with "adsync try test2.txt" (using the option described above), the following error occurs:
Unknown error (0x80005000) Exception: System.Runtime.InteropServices.COMException
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Exists(String path)
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at ADSync.Repositories.UserEntity.Accept(RemoteStorageCommand command)
at ADSync.Program.RunSync(Boolean writable)
Resolution: The error is a permissions problem. A user in the OU is a member of a group from another (trusted) domain, but the account used to run ADSync has no permission to read that domain, so ADSync fails when it tries to resolve the group. There are two ways to fix this:
- Disable membership synchronization (remove "<Property>membership</Property>" from ADSync.exe.config).
- Export all users from the problem OU into a file (use the following command:
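Before picking one of the two fixes it helps to know which users carry the foreign membership. The script below is an added example, not code from the original article or from Parallels; it lists every user in an OU whose memberOf contains a group whose DN sits in a different domain than the OU. It uses System.DirectoryServices (the same API in ADSync's stack trace), so it needs no RSAT module, and runs under the same account as ADSync so that it sees the same permission problem. The OU distinguished name is a placeholder.

```powershell
# Added example: find users in an OU whose group membership points to another domain.
# Uses [adsisearcher] (System.DirectoryServices). The OU DN in the usage line is a placeholder.
function Get-ForeignGroupMembers {
    param(
        [Parameter(Mandatory)]
        [string]$OuDn   # e.g. 'OU=Sales,DC=fabricam,DC=local' (placeholder)
    )

    # Domain part of a DN: everything from the first "DC=" onward.
    $domainOf = { param($dn) $dn -replace '^.*?(?=DC=)', '' }
    $homeDomain = & $domainOf $OuDn

    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchRoot = [adsi]"LDAP://$OuDn"
    $searcher.PageSize   = 500   # paged results, so large OUs do not hit the server-side 1000-entry cap
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $groups  = @($result.Properties['memberof'])
        $foreign = @($groups | Where-Object { (& $domainOf $_) -ine $homeDomain })
        if ($foreign.Count -gt 0) {
            [pscustomobject]@{
                User          = [string]$result.Properties['samaccountname'][0]
                ForeignGroups = $foreign
            }
        }
    }
}

# Usage (placeholder OU). Run as the account ADSync uses:
# Get-ForeignGroupMembers -OuDn 'OU=Sales,DC=fabricam,DC=local' | Format-List
```

If the list is short, removing those users from the foreign groups (or granting the ADSync account read access to the trusted domain) is a narrower fix than switching membership synchronization off for the whole OU.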
Error: Password Synchronization Agent fails with this error in Event Viewer: Cannot save password: Key not valid for use in specified state.