OA Customer Directory Integration known issues
Agent Node temporary failure
Synchronization Agent will perform synchronization after the Agent Node is up again. Password changes performed while Password Synchronization Agent was down will be lost; in such cases, Customer Administrator would need to ask the users who cannot log in to OA due to the out-of-sync passwords to change their passwords once again after re-activating the Synchronization Agent Node.
Synchronization Caching Database (Data\ADSyncCache.sdf) corruption
If the database backup exists, the administrator needs to restore the database and continue the synchronization.
If there is no backup, the administrator needs to perform the following steps:
1. Remove the cache file **Data\ADSyncCache.sdf**. 2. Run the `CDI Tool Installer` in recovery mode. 3. Restore the connection to the CDI Module.
Note: Password changes that were in the queue at the moment of database corruption will be lost.
Unspecified Errormessages appear when Password Filter interacts with Password Agent. This error message appears in the Event Log of the Parallels AD Password Change Filter component.
Reason: Password Agent cannot save the password it caught.
Resolution: Check the Event Log on the host where Password Agent is running. Typically, the error occurs because of missing synchronization database or when there is no access to necessary files.
Symptoms: When running the ADSync.exe utility in the run mode, error messages appear about an invalid certificate. Similar messages are present in the Application Event Log of the AD Password Synchronization Agent component during its startup.
Resolution: Check the SSL connectivity with the CDI Web service in a browser. It should be using a valid, not expired, certificate from a trusted Certification Authority.
Note: Self-signed SSL certificates are not supported in the production environment!
Symptoms: When running the ADSync.exe utility in the run mode, the following error is shown:
Error. Server was unable to process request---> Keyset does not exist
Reason 1: The certificate used for password encryption was replaced in the
CDI Web serviceand now
CDI Web servicedoes not have access to the new certificate's private key.
Resolution: Use the CDICertUtil utility from the OA distributive for certificate installation and configuration.
Reason 2: The NetworkService account is not set for CDI Web Service Application Pool.
- Log in to the CDI Web Service host.
- Open IIS Manager and find the Application Pool for the site where the AD Synchronization Web Service is running.
- Click on the Advanced Settings link of the found Application Pool.
- Under the Process Model section, find the Identity value.
- Make sure that the NetworkService account is used here (otherwise, you will get the Keyset does not exist error).
- To fix the problem, you can either create a new Application Pool of the CDI site with the NetworkService account set as the Identity of this AppPool, or change the Identity for the existing Application Pool.
Symptoms: Interface is not registered or Co-class is not registered errors appear.
Reason: The problem is caused by the objects' registration with Password Agent or Filter (wrong CDI Agent hostname).
Resolution: Restart CDI Synchronization Agent and re-install Password Filter.
Symptoms: Password Filter connects to Password Agent and gets the Access Denied error. In the Application Event Log for the Parallels AD Password Change Filter component, one of the following events appears:
Error in reporting thread: Access denied [Connect to 'XXX' server] (Error code: 0x80070005) Error in reporting thread: Access denied [Send password to synchronization service] (Error code: 0x80070005)
Reason 1: The hostname is incorrect or the default SPN of the host is not registered.
Resolution: If there is a WARNING
Password synchronization operation fails with the "Access Denied" error, from the Parallels AD Password Change Filter component, then check the Synchronization Service's Principal Name.
To check/set the hostname: Open the
HKLM\SOFTWARE\Parallels\CDI\PasswordFilter\syncServerregistry key; you should see the NetBIOS name or localhost if the Password Agent is running on a Domain Controller.
Check the SPN. There should be at least two default SPNs:
For example: HOST/MYSERVER and HOST/myserver.fabricam.local
Check and reset the correct SPNs using the setspn utility.
Reason 2: Time is not synced on AD Domain Controllers (more than 5-minute difference).
Resolution: In the event of any Kerberos authentication problems, check Event Logs. Make sure that time is synced on the AD Domain Controllers.
Symptoms: No password changes synced: filter returns "0x80070005" error.
Make sure that DCOM is enabled on the on-premise end-customer Domain Controller (the host with the Password Synchronization Agent installed) and on the on-premise end-customer host where the CDI Synchronization Agent is installed.
Run the dcomcnfg tool, locate "My Computer" in the left tree, select the Properties option from the context menu, open the Default Properties tab, and check Enable Distributed COM on this computer (it should be enabled).
- On the machine where the Synchronization Agent is being run, make sure that the local security group Distributed COM Users contains the global Domains Controllers domain group.
Symptoms: The ADSync utility is failing on OU (Organizational Unit) lookup. When ADSync is running with adsync try test2.txt using the above option, the following error message appears:
Unknown error (0x80005000) Exception: System.Runtime.InteropServices.COMException Source: System.DirectoryServices Stack Trace ...
Reason: The error occurred due to security reasons. It looks like a user is a member of a group from another (trusted) domain. A user that used to run ADSync has no permissions to read this domain; however, ADSync fails on an attempt to resolve this group.
Resolution: There are two different ways to fix the problem:
Disable membership synchronization (remove the
<Property>membership</Property>from the ADSync.exe.config file).
Export all users from the problem OU into a file using the following command:
ldifde -f file-to-export.txt -d "<OU DN>" -p Subtree -l distinguishedName,memberOf
Search for users that have such specific membership relations (see the "memberOf" fields), and either fix a membership or provide access for the user that is used for ADSync running.
Symptoms: The Password Synchronization Agent fails with this error message in the Event Viewer:
Cannot save password: Key not valid for use in specified state.
Reason: The size of the Public Key used for the password encryption is not large enough for encryption of the password (fails if the generated password of the system account is too long).
Resolution: Use a 2048-bit public key for password encryption to avoid such problems.
Note: You need to import the AD Sync Web Service certificate directly into the machine store using the Certificate MMC snap-in (select this certificate store in snap-in during import). Please refer to the guide https://download.automation.odin.com/pa/6.0/doc/portal/6.0/oa/65195.htm for details of the certifuicate installation. Please note that, if the certificate is updated on the server side the client will continue to use the old one for about 24 hours. The client can force the certificate updating by restarting the
ADSync Password Agentservice.
Symptoms: Warning. Synchronization fails for entity 'CN=User1,OU=Team1,OU=User-Acounts,DC=d1,DC=ch,DC=domain,DC=com': Unable to find suitable certificate with thumbprint '1U29151F7BFE85A51096E5D994DF2A02CAADF1DF' in local certificate storage.
Resolution: This warning comes from the CDI Web Service when the ADSync.exe tool is run. This warning means that the certificate used for encryption was removed from a local storage on the CDI Web Server by the Provider staff. On the first attempt to synchronize the passwords encrypted with the old certificate, the CDI Web Server reports a warning. Synchronization is performed anyway. Further attempts should proceed without any warnings.
- In case the synchronization does not work, ensure that the certificate is present in the certificate cache on CDI Web Service node,
Follwoing command allows to properly update CDI Web Service Certificate (please refer to documentation link for more detailed information: https://download.automation.odin.com/pa/6.0/doc/portal/6.0/oa/65200.htm):
CDICertUtil.exe -thumbprint THUMBPRINT -update-webconfig FULL_PATH_TO_CDIWS_CONFIG_FILE
Symptoms: AD Sync tool fails: 'remote name could not be resolved'
Resolution: See KB#116932
Symptoms: Password changes are not synced into OA AD, error event "RPC service is unavailable" is registered.
Resolution: See KB#122344
- Since AD Sync tool operates on Provider's AD, tasks may fail due to generic AD errors. Please use our knowledgebase tool to search for such errors.