Active Directory Connector 9.1.1.7 for OIM 11.1.1.5.0

Hi everyone,
Do you know where I can download Active Directory Connector 9.1.1.7 on the Oracle website? Because every time I do a search, the only link I have is for downloading the most recent version (11.1.1.5.0).
Thanks a lot!
Thibault

For future generations, the connector can be found at:
http://download.oracle.com/otn/nt/ias/connectors/910/MSFT_AD_Base_9.1.1.7.0.zip

Similar Messages

  • Active Directory Connector Questions in 11.1.2.1

    Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
    I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
    Here are my questions if you would be so kind:
    1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
    2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
    3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
    Thanks in advance!

    1. An identity gets created in Oracle Identity Manager from an authoritative source. In the case of target recon, it will just sync with the matched account in OIM.
    Please have a look at the link below, section 12.1.12:
    Managing Reconciliation - 11g Release 2 (11.1.2)
    2. You can very well prepopulate fields in the process definition; you can even automate the provisioning process using role-based provisioning.
    3. There should be some tasks available for each field. No need to run the recon task or modify the account in AD. It will be updated in AD using the tasks. Check the connector process definition.

  • Help with setting up active directory domain controller/DNS - need this for Clustering

    Disclaimer: I am new to Active Directory, so please don't rule out the obvious things I may have overlooked.
    I need to set up an Active Directory domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
    When I look at my Server Manager, AD DS complains about DNS:
    NASE-2012-234    4015    Error    Microsoft-Windows-DNS-Server-Service    DNS Server    1/14/2014 12:54:06 AM
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    When I click on DNS this is the error:
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    Output of DCDiag -v is below.
    PS C:\Users\Administrator> dcdiag -v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine NASE-2012-234, is a Directory Server.
       Home Server = NASE-2012-234
       * Connecting to directory service on server NASE-2012-234.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
    ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
    e,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
    SDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
    N=Configuration,DC=lab,DC=nase,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
             Check the DNS server, DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... NASE-2012-234 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: DNS
          Test omitted by user request: DNS
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : lab
          Starting test: CheckSDRefDom
             ......................... lab passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... lab passed test CrossRefValidation
       Running enterprise tests on : lab.nasecom
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             PDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             KDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             ......................... lab.nase.com passed test LocatorCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
             provided.
             ......................... lab.nasecom passed test Intersite
    PS C:\Users\Administrator>

    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions.  You might want to post your question there.
    .:|:.:|:. tim

  • Exchange 2010 and Active Directory connector

    Has anyone managed to provision an exchange 2010 mailbox with the dotnet connector bundle in the latest patch OW8.1.1.1/145769-01? ActiveDirectory.Connector-1.0.0.5143.zip and Exchange.Connector-1.0.0.5757.zip.
    Provisioning the Active Directory account works fine but as soon as I add an exchange attribute I get an error: java.lang.RuntimeException: The specified directory service attribute or value does not exist. (Exception from HRESULT: 0x8007200A)
    I checked everything I could think of. Either I'm missing something obvious or it does not work.
    Greetings,
    Marijke

    Have you had any luck with this?
    /hydrazine

  • Problems using native query in Active Directory connector v 9.1

    Hello,
    Has anyone run into a problem when trying to do a query with a not operator?
    I want to import all users, but not computers, so I tried the query (&(objectClass=user)(!objectclass=computer))
    I tried this query directly in Active Directory and it worked.
    The problem is that when I apply it to OIM, it gives the following error:
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Enter
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Enter
    INFO,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],Starting Active Directory Trusted Reconciliation
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Exit
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Enter
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Exit
    DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
    DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
    DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
    DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
    DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Enter
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Exit
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ActiveDirectoryRecon/performReconciliation :query (&(&(objectClass=user)(!objectclass=computer))(whenChanged>=19000101000000.0Z))
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Enter
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Enter
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Enter
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Exit
    DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
    DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
    DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Enter
    DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Exit
    DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],Critical Extensions Supported
    DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Enter
    DEBUG,29 Oct 2008 19:48:06,549,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Exit
    DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Exit
    ERROR,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::searchResultPageEnum():Unbalanced parenthesis
    DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Enter
    DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Exit
    DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Exit
    DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Exit
    INFO,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],End of Active Directory Reconciliation....
    DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryReconTask/execute End
    Thanks in advance,
    Tomic

    Hi,
    Try this and it will work. I am using it.
    (&(objectClass=user)(!(objectClass=computer)))
    Regards
    Nitesh
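Why the first filter is rejected and the second accepted, as an added example that is not part of the original thread or of the connector's code: RFC 4515 requires the operand of `!` to be a complete parenthesized filter, so a strict parser cannot accept `(!objectclass=computer)`. The names `check_filter` and `wrap_incremental` and the error texts are hypothetical; the checker covers only and/or/not plus simple `=`, `~=`, `>=`, `<=` items (no extensible match), and the wrapping mirrors the query shown in the DEBUG line of the log above.

```python
import re

# attr (descriptor or numeric OID), operator, value. Values may not contain
# raw parentheses, NUL, or a backslash that is not a \XX hex escape.
_ITEM = re.compile(
    r"([A-Za-z][A-Za-z0-9;-]*|\d+(?:\.\d+)*)"
    r"(=|~=|>=|<=)"
    r"((?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*)"
)


class FilterError(ValueError):
    """Raised when a string is not a well-formed filter (subset of RFC 4515)."""


def _parse_filter(s, i):
    """Parse one '(' filtercomp ')' starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    op = s[i]
    if op in "&|":
        # and/or take one or more parenthesized filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{op}' needs a parenthesized filter at offset {i}")
    elif op == "!":
        # not takes exactly one parenthesized filter, never a bare item
        i = _parse_filter(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise FilterError(f"malformed attribute/value item at offset {i}")
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(s):
    """Return (True, '') for a well-formed filter, else (False, reason)."""
    try:
        end = _parse_filter(s, 0)
        if end != len(s):
            raise FilterError(f"trailing characters at offset {end}")
    except FilterError as exc:
        return False, str(exc)
    return True, ""


def wrap_incremental(query, since):
    """AND the admin-supplied query with a whenChanged bound, as in the log."""
    return f"(&{query}(whenChanged>={since}))"


# Filters quoted in the thread.
REJECTED = "(&(objectClass=user)(!objectclass=computer))"
ACCEPTED = "(&(objectClass=user)(!(objectClass=computer)))"

if __name__ == "__main__":
    for q in (REJECTED, ACCEPTED):
        wrapped = wrap_incremental(q, "19000101000000.0Z")
        print(wrapped, "->", check_filter(wrapped))
```

Running a check like this on a scheduled task's query attribute before saving it catches the malformed filter at configuration time instead of at the first reconciliation run.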

  • Active Directory Replication, have not been performed for a long time

    Good afternoon, 
    Situation: in an organization with a lot of domain controllers, contact with one of the sites was lost. From 18.07.2014 to the present time, the replication of the two domain controllers did not happen. Now the connection is reestablished, and replication errors have appeared in the logs. Replication is performed using DFS. 
    errors: 
    The journal replication DFS: 
    The DFS Replication service has detected an error in the connection to the partner for replication group Domain System Volume. 
    For more information: 
    Error 1825 (Error in the security package.) 
    Connection ID: F29C3738-AF90-4CE8-BFC0-48C1B36A5819 
    The ID of the replication group: 72D953C6-FD0A-4DA0-8D91-2C0B144E45A1 
    In the system log: 
    The Kerberos client received an error from the server KRB_AP_ERR_MODIFIED SERVERNAME $. Used the final name DNS \ SERVERNAME $. This means that the target server failed to decrypt the ticket provided by the client. This may be due to the fact that the SPN
    is the destination server (SPN) is registered on an account other than the account used by the ultimate service. Make sure that the final SPN is registered only on the account that is used by the server. This error may also be that the final service is using
    a different password for the account of finite life that is different from the password key distribution center Kerberos (KDC) for the account of finite life. Make sure that the service on the server and the KDC are updated to use the current password. If
    the server name is not fully defined, and the target domain is different from the client's domain, check for server accounts with the same name in these two domains, or use the full name to identify the server. 
    This error occurs when you try to access any network resource problem servers. 
    Storage of deleted AD objects installed by default 180 days. 
    Solutions found, can someone faced with similar circumstances. I would not want to lower the domain controllers on the problematic servers and deploy them again. After all objects created will be lost during this period, they are the whole domain is not much,
    but they are
    The result of repadmin / showrepl - this error, on all servers: 
       SITE \ SERVER via RPC 
             DSA - GUID of the object: 5f01bea8-b74b-4876-b475-be712a191431 
             Last attempt @ 15/10/2014 13:00:35 completed with an error, the result - 
    2146893022 (0x80090322): 
                 Principal Name is incorrect. 
             7579 consecutive errors. 
             Last success @ 07/28/2014 14:15:41. 
            SITE \ SERVER via RPC 
             DSA - GUID of the object: 436c1016-4363-47b5-a34d-2e5b3e2b0038 
             Last attempt @ 15/10/2014 13:00:35 completed with an error, the result of 5 
      (0x5): 
                 Access is denied. 
             7579 consecutive errors. 
             Last success @ 07/28/2014 14:15:42. 
            SITE \ SERVER via RPC 
             DSA - GUID of the object: b677e990-f7cb-4daf-8f87-16602bc119e0 
             Last attempt @ 15/10/2014 13:00:35 completed with an error, the result - 
    2146893022 (0x80090322): 
                 Principal Name is incorrect. 
             7579 consecutive errors. 
             Last success @ 07/28/2014 14:15:43. 
            SITE \ SERVER via RPC 
             DSA - GUID of the object: 5afbb9b1-7558-4f97-b941-84e1845b48ce 
             Last attempt @ 15/10/2014 13:00:35 completed with an error, the result - 
    2146893022 (0x80090322): 
                 Principal Name is incorrect. 
             7579 consecutive errors. 
             Last success @ 07/28/2014 14:15:43.
    netdom resetpwd / s: NameWorkDC / ud: domain \ administrator_domen / pd: password 
    Failed to reset the password for the local computer account. 
    Login failure: The target account name is incorrect. 
    Failed to execute the command. 
    If I execute the command, and as a server pointing, use the second server of the same site (which have not replicated on the same site). The command is executed successfully. 
    If I specify as the /server - IP address of work DC, operating a server running KDC - the command is executed successfully. 
    Generally, the problem with the controller, I can not get access to any of the listed on the main market, produces an error. You might not have permission to use this resource. 
    BUT if we turn on the IP, - let without the need to enter login and password.
    Please help, what Microsoft's recommendations in this regard. Thanks in advance.

    To get a better idea of the DCs' config, let's see an unedited ipconfig /all from the DCs, please.
    Is there a third-party AV on the DCs?
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Active Directory Connector server Error

    Dear All,
    I faced this exception while running the AD reconciliation job. The following is the connector server error:
    ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files (x86)\Identity Connectors\Connector Server
        DateTime=2013-06-26T08:24:23.3332424Z
    ConnectorServer.exe Information: 0 : Started connector server
        DateTime=2013-06-26T08:24:23.3801180Z
    ConnectorServer.exe Information: 0 : Server started on port: 8759
        DateTime=2013-06-26T08:24:23.3957432Z
    ConnectorServer.exe Information: 0 : Stopping connector server
        DateTime=2013-06-26T08:24:53.6617556Z
    ConnectorServer.exe Information: 0 : Stopped connector server
        DateTime=2013-06-26T08:24:53.6930060Z
    ConnectorServer.exe Information: 0 : Starting connector server: C:\Program Files (x86)\Identity Connectors\Connector Server
        DateTime=2013-06-26T08:47:53.0780484Z
    ConnectorServer.exe Information: 0 : Server started on port: 8759
        DateTime=2013-06-26T08:47:53.3749291Z
    ConnectorServer.exe Information: 0 : Started connector server
        DateTime=2013-06-26T08:47:53.3749291Z
    ConnectorServer.exe Information: 0 : Creating new pool: ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector )
        DateTime=2013-06-26T13:35:45.8003033Z
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: The server is not operational.
       at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.ExecuteQuery(ObjectClass oclass, String query, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 824
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(SearchOp`1 search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1223
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(Object search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1194
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.SearchImpl.Search(ObjectClass oclass, Filter originalFilter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1156
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
       at ___proxy1.Search(ObjectClass , Filter , ResultsHandler , OperationOptions )
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
        DateTime=2013-06-26T13:46:24.7813215Z
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: The server does not support the requested critical extension.
       at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.ExecuteQuery(ObjectClass oclass, String query, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 824
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(SearchOp`1 search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1223
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.RawSearcherImpl`1.RawSearch(Object search, ObjectClass oclass, Filter filter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1194
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.SearchImpl.Search(ObjectClass oclass, Filter originalFilter, ResultsHandler handler, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1156
       at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
       at ___proxy1.Search(ObjectClass , Filter , ResultsHandler , OperationOptions )
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
        DateTime=2013-06-26T13:46:33.2346088Z
    ConnectorServer.exe Error: 0 : System.IO.IOException: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine. ---> System.Net.Sockets.SocketException: An established connection was aborted by the software in your host machine
       at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.IO.BufferedStream.FlushWrite()
       at System.IO.BufferedStream.Flush()
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.BinaryObjectEncoder.Flush() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 291
       at Org.IdentityConnectors.Framework.Impl.Api.Remote.RemoteFrameworkConnection.Dispose() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiRemote.cs:line 132
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.Run() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 380
        DateTime=2013-06-26T13:46:33.3908618Z
    ConnectorServer.exe Error: 0 : System.IO.IOException: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine. ---> System.Net.Sockets.SocketException: An established connection was aborted by the software in your host machine
       at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       --- End of inner exception stack trace ---
       at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.IO.BufferedStream.FlushWrite()
       at System.IO.BufferedStream.WriteByte(Byte value)
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.InternalEncoder.WriteInt(Int32 v) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 179
       at Org.IdentityConnectors.Framework.Impl.Serializer.Binary.InternalEncoder.WriteObject(ObjectEncoder encoder, Object obj) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\SerializerBinary.cs:line 112
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessRequest() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 462
       at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.Run() in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 370
        DateTime=2013-06-26T13:46:33.3908618Z
    Thanks
    Shereen

    In the troubleshooting section of the guide, a couple of reasons for this exception are mentioned. Maybe you can browse through them.
    Troubleshooting

  • OIM 11.1.1.3 - Active Directory ADGroup question

    All,
    I have used MSFT_AD_Base_9.1.1.7.0 to install the Active Directory connector and synchronized (provisioning and reconciliation) OIM users with AD. I can't seem to find documentation on how to sync OIM roles with AD groups. Can you provide me some pointers for this? The deployment documentation (MS_ActiveDirectory_Guide.pdf) indicates that I cannot run ADGroupRecon if I am on 11.1.1... version (Bug 9799541).
    It also appears that a resource cannot be assigned at the role level in OIM 11.1.1. Is there something missing from our environment? I was able to add the AD User resource to user profiles.
    Basically I cannot provision or recon groups at this time.
    Any help with this is much appreciated. Please let me know if you need additional information.
    Best Regards,
    Prasad.
    Edited by: Prasad on Aug 5, 2011 6:12 AM

    I don't believe there has ever been code to create OIM Groups based on AD Groups and then add the OIM Users to those groups accordingly. You would need to create a custom scheduled task that creates a group for every entry in the lookup for the AD Groups. Then you would also need to read every user's child table entry for their AD Groups and add the user to each one of those groups. You could also have code that runs on every Add User to Group event, that adds the user to the OIM group as well as in AD. And you can do the same for removal.
    There are lots of options, but this is not part of the OOTB Connector. This would be your own customization.
    -Kevin

  • Principal Name for Active Directory "Domain Users"

    Hi,
    I successfully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successfully logged in to it with authentication.
    The system automatically recognized my Active Directory username. It worked.
    For authentication in my weblogic.xml I used
    <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    </security-role-assignment>
    Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
    For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    I added
    <principal-name>Domain Users</principal-name>
    instead of writing all domain users.
    However I couldn't authenticate. I got the "Error 403--Forbidden"
    Is there anyone who can help me?

    Test by creating a group under Domain Users and use it as your principal name in your weblogic.xml
    -Faisal
    http://www.weblogic-wonders.com

  • What do I need the Computer certificate for in an Active Directory domain? Theoretical Inquiry

    So we are trying to clean up the thousands of certificates we have deployed. We are on a 2008 R2 Active Directory and have been using certs for about a decade. With all of our machines auto-enrolling in Computer certificates and renewing every year, we have maybe 50,000 certificates; yes, some are expired already, but it's a nightmare to manage. So what do we need the Computer certificate on all the Windows machines for anyway? Some are XP, most are Windows 7.
    Is the Computer certificate required for Kerberos authentication?
    If we don't need it, I'd rather stop publishing the Computer template and simplify our lives.
    Please explain (I am not new to PKI, though this question may make me seem like a novice). I get the Web certs, EFS, etc.

    Computer certificates are not needed for Kerberos authentication.
    They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might use them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.
    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some of the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials.
    Elke

  • Issue with Active Directory User Target Recon

    Hi,
    I am facing an issue with Active Directory User Target Recon.
    My environment is OIM 11g R2 with the BP03 patch applied.
    The AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied.
    In my target there are around 28000 users, of which 14000 have an AD account (includes Provisioned, Revoked and Disabled accounts).
    When running Active Directory User Target Recon I did not set any filter, cleared the batch start and batch size parameters, and ran the recon job. The job ran successfully but stopped after processing only around 3000 users.
    I retried the job two or three times, but every time it stops after processing some users, not all of them.
    I checked the OIM diagnostic logs and the Connector Server logs and cannot see any errors in them.
    I checked the user profiles of the users that were processed and can see the AD account provisioned for them.
    My query is why this job is not processing all the users. Please point out if I am missing something.
    Thanks in advance.

    Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
    -Bikash

  • OIM Integration with Active Directory Federation Services (ADFS)

    Hello friends,
    I have a question about the integration of Oracle Identity Manager with an Active Directory which is federated with another external directory through ADFS. My question is:
    What considerations should I take into account if I have a federated Active Directory environment when carrying out the integration with Identity Manager?
    I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7.
    Thanks for the support.

    First consideration: will OIM's target ADFS, in the federated scenario, participate as a service provider or an identity provider? I would think identity provider.
    Next consideration: which attributes are required in the SAML assertion sent to the other endpoint? All these attributes must be present and should be provisioned to the AD in this case.
    So, OIM should be set up (UDF etc.) to provision all the attributes needed in the SAML assertion.
    Next consideration: which scenarios to support? IdP-initiated or SP-initiated? If SP-initiated, then a process will have to be defined for the case where a user ID does not exist in the AD of the OIM target. Will the request fail, or should an in-time provisioning happen?
    Hope this helps.

  • Recon and provisioning of user-defined object class ICF Active Directory

    I have followed the documentation instructions for reconciliation of a user-defined object class in the ICF Active Directory connector. I am using OIM 11gR2 with the ICF Active Directory 11.1.1.5 connector patched to 11.1.1.5.0A. The procedure states to create the new object class in AD and then change the objectClass value in the Lookup.Configuration.ActiveDirectory lookup. In my case I am using the existing ObjectClass of contact, rather than a new object class. Just for completeness I am using a clone of the AD User Resource Object which I call AD User Contact and so my lookup name is Lookup.Configuration.ActiveDirCon.
    When I changed the ObjectClass from User to Contact, and ran the Active DirCon User Target Recon scheduled job, with Object Type also = contact. The first issue I noticed was that the connector wanted a different set of lookups, which is not in the documentation. It is looking for a lookup in my Configuration lookup where code key=contact Configuration Lookup (which I should have expected since there are code keys for User, Group, and organizationalUnit). I added a line to the lookup where code key=contact Configuration Lookup and the Decode=Lookup.ActiveDirCon.CM.Configuration and then I created a new lookup by that name, assigning the 5 values to be the Lookup.ActiveDirCon.UM.xxx lookups. I did not see any need to create a new set of Lookup.ActiveDirCon.CM.xxx lookups with the exact same values.
    I re-ran the scheduled job and it ran successfully, but did not generate any Recon Events, even though I had objects in the OU and I have that same OU in the Lookup.ActiveDirCon.OrganizationalUnits lookup (from the Org Lookup Recon). Everything looks good but getting no results. Looked at the log file from the ConnectorServer and it is building the query properly and executing it properly with the correct syntax, getting no errors, but the SearchAndReturnObjects method is returning zero results.
    Looking to see if anyone has successfully reconciled in user-defined or other non-User objectClass objects from Active Directory, and if so, can you provide Lookup configuration and Connector Server information so I can troubleshoot.
    I resolved this issue by changing the recon lookups to a blank lookup called Lookup.ActiveDirCon.CM.ReconAttrMap and only added in the parameters that are used by a Contact object. Only populate the ReconAttrMap with parameters that exist for the custom object.
    Edited by: Keith Smith AptecLLC on Mar 27, 2013 6:31 AM

    Oracle Support answered this question via SR

  • OID and Active Directory

    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    2 Marshall data from Active Directory on demand (live link)?
    3 Does Oracle Single Sign-On solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-On)?
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?

    This is what I have to share with you. For further details refer to http://otn.oracle.com/products/oid/index.html and the Oracle Internet Directory Administrator's Guide.
    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active Directory connector, giving its URL, the user account and password to be used by the Active Directory connector, and its DIT info on the domain which contains the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
    2 Marshall data from Active Directory on demand (live link)?
    Yes, it's possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
    3 Does Oracle Single Sign-On solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-On)?
    Yes, it's possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?
    Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using the user's Kerberos credentials.

  • OIM 11gR2 - Push/Pull account locked out information from Active Directory

    Hi,
    At this moment, we are using the default reconciliation method from the Active Directory Connector in OIM 11g R2 to fetch incremental information from AD. This runs every 15 minutes.
    However, the customer complains that the time from when a user gets himself locked out due to too many failed login attempts until it shows up on the OIM account is too long. Worst case, this could be 15 minutes after the user gets himself locked out.
    Does anyone have any tips on how we could either push this information from the AD side, or pull this information from OIM more often? Could we create a special scheduled job that just looks for locked accounts and reconciles them each minute?
    Best Regards
    lloberg

    Hi,
    Sure, that's definitely possible. You can use the Active Directory cmdlets to retrieve this information. Here's an example of reading input from a text file (just usernames in the text file):
    # One username per line in userList.txt
    Get-Content .\userList.txt | ForEach {
        Get-ADUser -Identity $_ -Properties EmailAddress
    }
    You can also read input from a CSV file quite easily. This example assumes a header of Username:
    # userList.csv has a column named Username
    Import-Csv .\userList.csv | ForEach {
        Get-ADUser -Identity $_.Username -Properties EmailAddress
    }
    Finally, here's a link to the Get-ADUser syntax:
    http://technet.microsoft.com/en-us/library/ee617241.aspx
    Don't retire TechNet! -
    (Don't give up yet - 12,700+ strong and growing)
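    For the lockout question in this thread, the same cmdlet family can be polled for accounts locked out since the previous run. This is an added example, not part of either post and not Oracle connector code; the file names are hypothetical, and how the resulting CSV is consumed on the OIM side is left open.

```powershell
# Added example: list user accounts locked out since the previous poll.
# Requires the ActiveDirectory module (RSAT). File names are hypothetical.
Import-Module ActiveDirectory

$stateFile = '.\lastLockoutPoll.txt'   # hypothetical watermark file
$outFile   = '.\lockedAccounts.csv'    # hypothetical hand-off file

# Load the previous poll time; the first run looks back 15 minutes,
# matching the incremental recon interval mentioned in the question.
$since = (Get-Date).AddMinutes(-15)
if (Test-Path $stateFile) {
    $raw   = Get-Content $stateFile -TotalCount 1
    $since = [datetime]::Parse($raw, [cultureinfo]::InvariantCulture, 'RoundtripKind')
}
$now = Get-Date

# Search-ADAccount returns only currently locked accounts; Get-ADUser adds
# the lockout timestamp. AccountLockoutTime is derived from lockoutTime,
# which replicates between DCs. BadLogonCount and LastBadPasswordAttempt
# are per-DC values and are included for triage only.
$locked = @(
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName `
            -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
    } | Where-Object { $_.AccountLockoutTime -and $_.AccountLockoutTime -gt $since }
)

$locked |
    Select-Object SamAccountName, DistinguishedName, AccountLockoutTime,
                  BadLogonCount, LastBadPasswordAttempt |
    Export-Csv -Path $outFile -NoTypeInformation

# Advance the watermark only after the export succeeded.
$now.ToString('o') | Set-Content $stateFile
```

    Run it from a scheduled task under an account with read access to the directory; no write permissions in AD are needed.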
