MBAM Agent Key Escrow Issue After Pre-Provisioning Bitlocker in SCCM TS

Hello, I'm having an issue with MBAM key escrow now that we have moved to using pre-provisioned Bitlocker. After imaging completes the initial key escrow works properly (the MBAM Agent transmits the Numerical Password key protector to the MBAM server) however
the MBAM Agent no longer automatically changes the Numerical Password when the recovery code is revealed in the
MBAM Drive Recovery console. As far as I can tell MBAM is supposed to change this on the user's computer within 90 minutes by default and this behavior cannot be changed.
I have tested this using a previously-imaged computer that didn't use pre-provisioned Bitlocker. After revealing the recovery code in the MBAM console, the computer's Numerical Password protector was automatically changed as is expected. However
on the computers imaged with the pre-provisioned Bitlocker this does not happen.
Here are the versions of the software we're using:
SCCM 2012 R2
Windows 7 Enterprise SP1 x64
MBAM Agent v2.0.5301.1
The task sequence steps we are using consist of:
Ensure TPM is activated
Format and partition drive 
Pre-provision Bitlocker, Encrypt Used Space Only mode
Apply Windows 7 image, install drivers and software, etc
Use manage-bde to set key protectors (-TPM and -RecoveryPassword)
Run the MBAM activation script
Use manage-bde to turn on Bitlocker on the drive
There are no error messages displayed and I can't see anything in the Event Viewer which would point to the root cause. The MBAM logs in Event Viewer are all Operational logs which simply state that the
'MBAM policies were applied successfully'.
Is this a known issue with pre-provisioned Bitlocker and MBAM? I haven't been able to find any information regarding this issue so any help would be greatly appreciated.
Thanks,
Justin.

According to the
MBAM TechNet documentation the client should log in the Microsoft-Windows-MBAM/Operational
section of Event Viewer. However:
The test computers do not show any error messages in the MBAM Operational log section. The only entries present are Information events
that state "The MBAM policies were applied successfully"
The test computers also don't seem to show any general Security or System Error logs related to Bitlocker or MBAM
According to the TechNet documentation listed above, when a machine has its Numerical Password reset there should be a
'RecoveryKeyReset' event logged. However on the laptop where MBAM is changing the Numerical Password I do NOT see this event (though I have confirmed with manage-bde that the recovery password was changed successfully). The only events I see
are, again, Operational logs for Information events that state "The
MBAM policies were applied successfully".
I'm not sure why there aren't any errors logged, or why that laptop isn't generating that RecoveryKeyReset event like it should. As far as I can tell there isn't any way to change what the MBAM client logs, right? I didn't see any logs in AppData or Program
Data so I have to assume everything is supposed to be logged in Event Viewer.

Similar Messages

  • Pre-provision bitlocker during OSD with a Windows 7 Enterprise image fails at Enable Bitlocker - SCCM 2012 SP1 beta

    I'm trying the SP1 feature to pre-provision bitlocker during OSD, using an MDT integrated task sequence.  It seems like the pre-provision part is working, but when the task sequence tries to enable bitlocker after installing the
    OS, it fails.  ZTIBDE.log contains the following:
    Property UDI is now = ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Microsoft Deployment Toolkit version: 6.1.2373.0 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    The task sequencer log is located at C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    System drive is: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    The deployment method is using ConfigMgr. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Property BdeInstallSuppress is now = NO ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This script is not currently running in Windows PE ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    We are running a OS that supports BitLocker ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This is a Refresh Build where BDE protectors were disabled. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    OS Version is Windows 7 or higher. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Encryptable Volume Count:1 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Attempting to bind to: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Success setting oBdeVol ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    BDE Instance Bind Complete ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Attempting to enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    FAILURE ( 6767 ): -2144272377 0x80310007: Enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This laptop is in an OU with bitlocker related settings applied via GPO, including allowing enhanced PINs, requiring backup of the recovery passwords and key packages to AD, and to require TPM+PIN for the startup authentication.  
    Bitlocker provisioning is working on my production server using only MDT (No SCCM), with a task sequence deploying Windows 7.  I copied some of the variables from the customsettings.ini over to a collection variable in SCCM for
    the collection I'm testing deployment to. Putting those same variables in collection variables should work the same as if they were in the custom settings, but only for members of that collection, right?
    The variables set in the collection variables area are
    BDEInstall - TPMPIN
    BDEInstallSuppress - NO
    BDEPin - SET
    BDERecoveryKey - AD
    BDERecoveryPassword - TRUE
    TPMOwnerPassword - SET
    OSDBitlockerMode - TPMPin (This one wasn't copied from the other MDT share, but added just for sccm. 
    I didn't copy the BDEWaitforEncryption variable, it didn't seem like that one would be necessary with the pre-provisioning.   What am I doing wrong here?

    If not you could add a set variable action to your task sequence after the UDI wizard to set OSDBitLockerPIN to %BDEPin%. You could add a condition to the action to only run if BDEPin exists.
    I don´t quite fallow, how I can switch these variables between. I admit I some time have difficulties to understand the variables. Could you mark discribe me the settings of set variable step I have to enter. Thanks!
    With Confmgr step Enable Bitlocker I have another issue - it does not allow to to enter pin code with letters.
    No problem :-). There is a task sequence action called "set task sequence variable". Just add one of these actions to the task sequence after the UDI wizard. There are only two things you have to configure in the action, the variable you want to set
    and the value you want to set that variable to. The UDI wizard will create the variable BDEPin with a value equal to the PIN you enter in the UDI wizard page. So in your "set task sequence variable" action enter the variable name as OSDBitlockerPIN
    and the value as %BDEPin%. This action will then create the OSDBitlockerPIN variable with the value that was stored in BDEPin by the UDI wizard. The built in SCCM action will then use this as the PIN rather than whatever value is configured in the task sequence
    editor.
    However the best solution would probably be to get the UDI wizard to set OSDBitlockerPIN rather than BDEPin in the first place. I think you can do this in the UDI wizard editor or directly in the XML. I don't use the editor these days so can't recall offhand.
    I will take a look at this next week.
    Most of the task sequence actions support variables and it enables you to configure the action dynamically at runtime. For example the same sequence can be used to deploy systems into different domains, languages, applications etc. all by setting variables.
    It's the basis of how the UDI wizard works, it just sets variables which are then consumed by either MDT scripts or task sequence actions. The variables can be configured by UDI, collections, MDT customsettings.ini, MDT database or scripts. Dynamic deployment
    is definitely the way to go :-).
    I think you are correct about the built-in action not supporting enhanced PIN. I think it only supports standard numeric PIN. Whether setting the PIN via the variable works around a restriction in the task sequence editor I am not sure, I suspect not.
    Mark.

  • Pre-provision BitLocker and Server 2008 R2

    Hi,
    I am trying to pre-provision BitLocker during WinPE and then install Windows Server 2008 R2. This results in a BSOD after the operating system image has been applied. Does anyone know if pre-provisioning bitlocker is supported or works on Server 2008 R2
    (like it works on Windows 7 SP1)?
    On technet I found the following regarding Server 2012: http://technet.microsoft.com/en-us/library/jj612864.aspx
    There it states:
    For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before
    the server operating system is installed as part of your deployment.
    Has anyone pre-provisioned BitLocker on Server 2008 R2?
    Regards,
    Carl

    I am creating the BDE partition as mentioned and have used pre-provisioning of bitlocker without issues on win7, but the same thing does not seem to work on server 2008 r2 and results in BSOD. I suspect it could be related to the fact that BitLocker is not
    installed on server 2008 r2 by default, so I'll try to add bitlocker using DISM and see if it makes any difference. 
    Another issue is that I have to create 2 partitions on the drive besides the BDEDrive (so 3 partitions in total), this messes up SCCM and it looks for the media from the wrong location, more info in this thread:
     http://social.technet.microsoft.com/Forums/en-US/0b24b745-b890-494e-993c-1f1f307af960/configmgr-client-does-not-install-during-osd-trying-to-use-wrong-setup-path?forum=configmanagerosd#a4914c0d-1f56-4ba2-a745-b43fb0005e55
    Carl

  • Pre-provisioned Bitlocker

    SCCM 2012 SP1 with MDT 2013 doing Windows 7 SP1 images. Can somebody who successfully sets up Bitlocker give me some guidance here. I'm looking at Niall's Noob article
    http://www.niallbrady.com/2012/09/23/how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/ about using pre-provisioning.  I realise about setting up AD, and turning on the TPM chip etc. , but my
    confusion is with the BDE variables needed if using the MDT client task sequence which I use
    I see articles about adding variable into the customsettings.ini such as
    bdedriverletter=S
    bdedrivesize = 30000
    etc. but isn't this handled by the MDT TS which creates hidden partition for Bitlocker anyway ??
    I have also seem some articles saying NOT to use the MDT version of enable bitlocker step which I believe runs ztibde rather to use the SCCM step enable bitlocker
    Also if using pre-provisioning which seems to make sense is it sensible to put the client files such as the Dell CCTK into the boot image
    Thanks
    Ian Burnell, London (UK)

    Hi,
    I normally let the builtin format step create the BDEdrive partition, and I normally put the Dell CCTK files in a package instead and reference that package from the task sequence step instead of putting it in the WinPe image, it makes it much easier to
    update if a new model requires a new version of the CCTK.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Pre-provision TRK for SCCM 2012 R2 client

    Hello,
    Clients have some troubles with establishing trusted relationship with management point, I found this article http://technet.microsoft.com/en-us/library/bb680504.aspx but this for SCCM 2007, where can I find for SCCM 2012 R2?

    Do you have AD extended and is the site information properly published to AD in the System Management container?
    What happens when you manually "push" a client?
    What exactly is the entire command-line you are using to install the client?
    The message above is not about the trusted root key, it clearly shows that MP being communicated with is not in the MPLIST returned. I can't say I've ever seen that before, but it is indicative of some other configuration type error.
    Jason | http://blog.configmgrftw.com
    Hello,
    thank you for your message,
    yes, AD was extended and System Management container has site info,
    I have the same problems with push and manual installation,
    I tried this command (specify key and site server cert and without it): C:\Client\ccmsetup.exe /mp:SCCM /logon SMSSITECODE:CM1 SMSPublicRootKey=<key> SMSSIGNCERT=<path to cert>
    where <key> from a file and cert which was exported from site server.
    Where MPList is stored? We spent much time to solve this problem, even reinstalled SCCM on new servers with new site code but problem is not solved.
    After installation client tries to register on management point but there are errors in the different logs at same time:
    Failed to verify signature of message received from MP using name 'SCCM.contoso.com.'
    Failed to verify message. Sending MP [SCCM] not in cached MPLIST.
    RegTask: Failed to send registration request message. Error: 0x87d00309

  • Prestaged Media and Bitlocker Pre-Provisioning

    Hi all
    I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
    I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
    I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
    What I cant get to work, it both together.
    In an ideal world, I would pre-provision the bitlocker in the pre-staging task sequence before deploying the data image. bit I cant get it to work.
    If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
    If I make the larger partition the boot partition, the bitlocker pre-provisioning task tells me that the disk os the os image and fails to work
    has anyone done this or have any ideas?
    thanks
    Stephen

    I guess the pre-provision bitlocker cannot work for booting Windows PE. This is why the system cannot boot.
    The screenshot is a capture of the prestage disk bcd store. We can see the system boots from a ramdisk mouted from boot.wim. The process is different from a traditional system boot, the wim cannot be booted from anencrypted disk.
    Juke Chou
    TechNet Community Support

  • OSD: bitlocker pre-provisioning, what's the mechanism?

    Hi,
    Please clarify the mechanism behind bitlocker preprovisioning. We got it working fine but in the pre-provisioining step the disk does NOT seem to be bitockered. Only the step to enable bitlocker it seems bitlocker is enabled.
    Where is the time gain then? Is there an article which could shed some light?
    Please advise.
    J.
    Jan Hoedt

    Hi,
    Niall describes the process here:
    http://www.windows-noob.com/forums/index.php?/topic/6451-how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/
    The biggest benefit is that the disk is encrypted when it is empty using used-space-only encryption so that when the image is applied the disk is already encrypted so there is no time to wait in the end of the TS for the disk encryption to complete..
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Pre-Provisioning Bit Locker in MDT 2012 SP1 while using MBAM 2.5 - No Pin Required

    Does anyone have some step by step instructions for Pre-Provisioning Bit Locker. Through task sequences, we are currently able to bit locker the computers but it's the last set of tasks.  I would like to Bit Locker the computer while no data is on the
    disc so it's faster and then as its imaging, the files are already encrypted.
    Currently:
    Creates BIOS Password
    TPM turned on and enabled (using CCTK)
    Remove Password
    Registry changes
    Installing MBAM 2.5
    Removing Registry Entries
    Any help would be appreciated!
    Thanks
    Rick

    Bitlocker Pre-Provisioning is available by default on MDT Litetouch...
    If you just want to pre-provision the drive without letting MDT LiteTouch enable any protectors (let MBAM do that) then just run the following command after the "FOrmat and PArtition" step in the Task Sequence:
    x:\windows\system32\Manage-BDE.exe c: -used
    (OR whatever drive letter OS exists on in WinPE)
    AS an alternative, I would add a step just before the "ENable Bitlocker (offline)" step in the task sequence:
        BDEInstallSuppress=NO
        isBDE=YES
    then after the "Enable Bitlocker (offline)" step in the Task Sequence, I would set the following:
        isBDE=NO
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • SCCM 2012 R2 OSD - Pre Provision Bit-Locker Drive Label Name Issues

    I am trying to image machines Pre-provisioned for BitLocker.  Everything works great in the Task Sequence except the Drive Label on Boot is "MININT-XXXXX" rather than the actual computer name.  This happens whether the computer is known
    or unknown.
    The only other post regarding this issue I can find suggested changing the OSDComputerName variable name in the TS but that will not work because the hostname is set during the WinPE setup.
    http://social.technet.microsoft.com/Forums/en-US/f9c6f565-e137-4c59-a8de-7314d9b88fe7/how-to-change-computername-on-bitlocker-pinrecovery-password-screen-drive-label?forum=mdt
    I have tried to set the OSDComputerName variable during the Pre-Start and TS but the Drive Label always remains "MININT-XXXXX".
    Any ideas?

    First in Customsettings.ini or in a TS set the %OSDComputerName%
    Then just add this to a Command in the task sequence before provisioning.
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    SCCM now believes the name of winpe is %OSDComputerName%
    Joakim Tomren

  • Can not install Windows 8.1 to a Bitlocker Pre-Provisioned volume

    Hello,
    I'll come straight to the point. What I'm trying to do is to install Windows 8.1 Enterprise to a Pre-Provisioned volume but Windows does not let me do that. The steps I've performed are.
    With Microsoft ADK I created me a WinPE media which has the components installed to get the manage-bde command working. I used the article hxxp://technet.microsoft.com/en-us/library/hh824926.aspx for that.
    I prepared an USB stick with the manage-bde components on it and booted my test laptop with it.
    Started diskpart and used commens in order to get a new clean partition:
    Select Disk 0
    clean
    Create Partition Primary
    Format fs=ntfs quick
    Assign letter=c
    exit
    After that I pre-provisioned the volume with the command:
    manage-bde -on -used c:
    When I check with manage-bde -status it states that:
    Conversion Status: Used Space Only encrypted
    Percentage: 100
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: Unknown
    Automatic Unlock: Disabled
    Key Protectors: None Found
    OK. After that I use the net use command to map a network share with the Windows 8.1 x64 Enterprise installation media itself. I execute setup.exe without any parameters.
    I can navigate all the way through the dialog "Where do you want to install Windows?". I can see there now "Drive0Partition 1" with a Total size of 119.2 GB and almost as many free space BUT when I select it and click next there comes
    only a warning dialog saying:
    We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
    The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
    BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
    What I am missing here? Is there a special trick how to get Windows installed on a pre-provisioned drive? I also loaded the correct driver for the disk controller but no help. As soon as I clean the disk and create the partition new without pre-provisioning
    I can install Windows without any problems.
    Sorry for the long text. Hope someone of you has an idea.
    Regards
    Robert

    We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
    The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
    BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
    Hi,
    For this issue,when you assign letter,you need to mark a partition as active.
    Using a command line
    1.Open Command Prompt.
    2.Type: diskpart
    3.At the DISKPART prompt, type: list partition
    Make note of the number of the partition that you want to mark as active.
    4.At the DISKPART prompt, type: select partitionn
    Select the partition, n, you want to mark as active.
    5.At the DISKPART prompt, type:
    active
    Hope this helps.
    Regards,
    Kelvin Xu
    TechNet Community Support

  • Collection assign issue in OID provisioning environment

    Hy Tom,
    I am interested in LDAP with OID PROVISIONING in portal 10g application.
    we create a register procedure.
    however. i got an error message as ORA-06502: PL/SQL: numeric or value error: NULL index table key value.
    After debuging, we found that issue result assign null value .
    when we assign as
    user_vals(counter2) := entry.attr(counter1).attrval(counter2);
    It seems that that we can not assign entry.attr(counter1).attrval(counter2) to other var two time in procedure.
    It is server configuration issue or code issue.
    Thanks
    Newweber
    *********************** Code
    PROCEDURE pre_add (     ldapplugincontext IN ODS.plugincontext,
                   dn IN VARCHAR2,
                   entry IN ODS.entryobj,
                   rc OUT INTEGER,
                   errormsg OUT VARCHAR2
    IS
    ret                INTEGER;
    l_portal_user      wwsec_person.USER_NAME%type;
    l_first_name      wwsec_person.FIRST_NAME%type;
    l_last_name      wwsec_person.LAST_NAME%type;
    l_email      wwsec_person.EMAIL%type;
    l_work_phone      wwsec_person.WORK_PHONE%type;
    l_mobile      wwsec_person.MOBILE_PHONE%type;
    counter1           pls_integer;
    counter2           pls_integer;
    retval                pls_integer := -1;
    s                integer;
    user_session           DBMS_LDAP.session;
    user_dn           varchar(256);
    user_array           DBMS_LDAP.mod_array;
    user_vals           DBMS_LDAP.string_collection;
    user_binvals           DBMS_LDAP.blob_collection;
    indx                number := 1;
    BEGIN
    l_portal_user      :=null;
    l_first_name      :=null;
    l_last_name      :=null;
    l_email      :=null;
    l_work_phone      :=null;
    l_mobile      :=null;
    l_description      :=null;
    rc := 0;
    errormsg :=null;
    -- Create a mod_array
    user_array := dbms_ldap.create_mod_array(entry.binattr.count + entry.attr.count);
    -- Create a user_dn
    user_dn := substr(dn,1,instr(dn,',',1,1))||'cn=users,dc=e-hms,dc=net';
    FOR l_counter1 IN 1..entry.attr.COUNT LOOP
         FOR l_counter2 IN 1..entry.attr(l_counter1).attrval.COUNT LOOP
         ckerror('second loop get value--'|| entry.attr(l_counter1).attrname || '[' || l_counter1 || ']' ||'.val[' || l_counter2 || '] = ' ||entry.attr(l_counter1).attrval(l_counter2));                                   
    if entry.attr(l_counter1).attrval(l_counter2)     is null then
    ckerror('handle null attribule ');
    else                    
    -- get value
              ckerror('get value2'||entry.attr(l_counter1).attrname);
    IF entry.attr(l_counter1).attrname ='givenname' then           
                   l_first_name :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('givename/firstname--'||l_first_name);
         elsif entry.attr(l_counter1).attrname ='sn' then           
                   l_last_name :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('sn/lastname--'||l_last_name);
              elsif entry.attr(l_counter1).attrname ='mail' then
                   l_email := entry.attr(l_counter1).attrval(l_counter2);
                   ckerror(' email--'||l_email);
              elsif entry.attr(l_counter1).attrname ='mobile' then           
                   l_mobile :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('mobile--'||l_mobile);
              elsif entry.attr(l_counter1).attrname ='telephonenumber' then           
                   l_work_phone :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('work telphone--'||l_work_phone);
              elsif entry.attr(l_counter1).attrname ='cn' then           
                   l_portal_user :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('cn/username--'||l_portal_user);
              elsif entry.attr(l_counter1).attrname ='description' then           
                   l_description :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('description--'||l_description );
              else
              ckerror('handle other entry name--'||     entry.attr(l_counter1).attrname);
              ckerror('handle other entry--'||entry.attr(l_counter1).attrval(l_counter2) );
              end if;
    end if;
    ckerror('end compare at second loop');
    ckerror('NULL ASSIGN ISSUE FOR 72 --'||entry.attr(counter1).attrval(counter2));
    user_vals(counter2) := entry.attr(counter1).attrval(counter2);
    END LOOP;
    ckerror('end first loop');
    --- put ldap
    dbms_ldap.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, entry.attr(counter1).attrname,user_vals);
    user_vals.delete;
    END LOOP;
    processs other (l_firstname...) vars in SQL sataement
    EXCEPTION
    WHEN OTHERS THEN
    ckerror( 'Exception in PRE_ADD plugin. Error code is ' || TO_CHAR(SQLCODE));
    ckerror( ' ' || Sqlerrm);
    rc := 909;
    errormsg := 'Error code:'|| rc||' exception: pre_add data';
    END;

    Hy Tom,
    I am interested in LDAP with OID PROVISIONING in portal 10g application.
    we create a register procedure.
    however. i got an error message as ORA-06502: PL/SQL: numeric or value error: NULL index table key value.
    After debuging, we found that issue result assign null value .
    when we assign as
    user_vals(counter2) := entry.attr(counter1).attrval(counter2);
    It seems that that we can not assign entry.attr(counter1).attrval(counter2) to other var two time in procedure.
    It is server configuration issue or code issue.
    Thanks
    Newweber
    *********************** Code
    PROCEDURE pre_add (     ldapplugincontext IN ODS.plugincontext,
                   dn IN VARCHAR2,
                   entry IN ODS.entryobj,
                   rc OUT INTEGER,
                   errormsg OUT VARCHAR2
    IS
    ret                INTEGER;
    l_portal_user      wwsec_person.USER_NAME%type;
    l_first_name      wwsec_person.FIRST_NAME%type;
    l_last_name      wwsec_person.LAST_NAME%type;
    l_email      wwsec_person.EMAIL%type;
    l_work_phone      wwsec_person.WORK_PHONE%type;
    l_mobile      wwsec_person.MOBILE_PHONE%type;
    counter1           pls_integer;
    counter2           pls_integer;
    retval                pls_integer := -1;
    s                integer;
    user_session           DBMS_LDAP.session;
    user_dn           varchar(256);
    user_array           DBMS_LDAP.mod_array;
    user_vals           DBMS_LDAP.string_collection;
    user_binvals           DBMS_LDAP.blob_collection;
    indx                number := 1;
    BEGIN
    l_portal_user      :=null;
    l_first_name      :=null;
    l_last_name      :=null;
    l_email      :=null;
    l_work_phone      :=null;
    l_mobile      :=null;
    l_description      :=null;
    rc := 0;
    errormsg :=null;
    -- Create a mod_array
    user_array := dbms_ldap.create_mod_array(entry.binattr.count + entry.attr.count);
    -- Create a user_dn
    user_dn := substr(dn,1,instr(dn,',',1,1))||'cn=users,dc=e-hms,dc=net';
    FOR l_counter1 IN 1..entry.attr.COUNT LOOP
         FOR l_counter2 IN 1..entry.attr(l_counter1).attrval.COUNT LOOP
         ckerror('second loop get value--'|| entry.attr(l_counter1).attrname || '[' || l_counter1 || ']' ||'.val[' || l_counter2 || '] = ' ||entry.attr(l_counter1).attrval(l_counter2));                                   
    if entry.attr(l_counter1).attrval(l_counter2)     is null then
    ckerror('handle null attribule ');
    else                    
    -- get value
              ckerror('get value2'||entry.attr(l_counter1).attrname);
    IF entry.attr(l_counter1).attrname ='givenname' then           
                   l_first_name :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('givename/firstname--'||l_first_name);
         elsif entry.attr(l_counter1).attrname ='sn' then           
                   l_last_name :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('sn/lastname--'||l_last_name);
              elsif entry.attr(l_counter1).attrname ='mail' then
                   l_email := entry.attr(l_counter1).attrval(l_counter2);
                   ckerror(' email--'||l_email);
              elsif entry.attr(l_counter1).attrname ='mobile' then           
                   l_mobile :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('mobile--'||l_mobile);
              elsif entry.attr(l_counter1).attrname ='telephonenumber' then           
                   l_work_phone :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('work telphone--'||l_work_phone);
              elsif entry.attr(l_counter1).attrname ='cn' then           
                   l_portal_user :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('cn/username--'||l_portal_user);
              elsif entry.attr(l_counter1).attrname ='description' then           
                   l_description :=entry.attr(l_counter1).attrval(l_counter2);
                   ckerror('description--'||l_description );
              else
              ckerror('handle other entry name--'||     entry.attr(l_counter1).attrname);
              ckerror('handle other entry--'||entry.attr(l_counter1).attrval(l_counter2) );
              end if;
    end if;
    ckerror('end compare at second loop');
    ckerror('NULL ASSIGN ISSUE FOR 72 --'||entry.attr(counter1).attrval(counter2));
    user_vals(counter2) := entry.attr(counter1).attrval(counter2);
    END LOOP;
    ckerror('end first loop');
    --- put ldap
    dbms_ldap.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, entry.attr(counter1).attrname,user_vals);
    user_vals.delete;
    END LOOP;
    processs other (l_firstname...) vars in SQL sataement
    EXCEPTION
    WHEN OTHERS THEN
    ckerror( 'Exception in PRE_ADD plugin. Error code is ' || TO_CHAR(SQLCODE));
    ckerror( ' ' || Sqlerrm);
    rc := 909;
    errormsg := 'Error code:'|| rc||' exception: pre_add data';
    END;

  • Hi, we are using mac mini's for our developement purpose. connecting the same through using Real VNC. Mac mini's are late 2009 and 2010. Now we have upgraded them to 10.8.5. after upgrading having display issues after launching the simulators

    hi, we are using mac mini's for our developement purpose. connecting the same through using Real VNC. Mac mini's are late 2009 and 2010. Now we have upgraded them to 10.8.5. after upgrading having display issues after launching the simulators, we are unable to view the icons we need to move the simulator (into different places) to view the icons.
    Also we are having Mac book pro's (Late 2009 & 2010) after upgrading them to 10.8.5. Unable to launch the mac, getting only white screen with apple icon.
    Let me know is there any specific Hardware (Graphic Cards) we need to use for the same.
    Please provide me the early solutions.
    Regards,
    Suresh.

    Hi, try this first...
    Bootup holding CMD+r, or the Option/alt key to boot from the Restore partition & use Disk Utility from there to Repair the Disk, then Repair Permissions.

  • Why my hp mini 5101 the "7" key doesnt work after upgraded the bios?

    why my hp mini 5101 the "7" key doesnt work after upgraded the bios?
    The current bios version is F.07

    korpx,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Certain MBAM agents not reporting compliance status

    I have MBAM setup in a two computer configuration topology both servers running Windows Server 2008 R2.
    The problem I have is that certain clients are not reporting back their compliance status to the MBAM servers and when I check the log files for these clients the MBAM Operational logs shows "The MBAM
    policies were applied successfully."  This event appears regularly within the 90min windows as expected which is fine.
    When I check the MBAM Admin log files had absolutely no new entries since January this year so something is definitely not right. On working clients both the Admin and Operational logs should be updated at least once every 90min that's how it was configured
    in GPO.
    All clients are running version 1.0.2 of the MBAM agent on Windows 7 Enterprise SP1. The problem has to be client side because there are machines reporting back regularly with no problem on the same network.
     

    Hi,
    Please take a check to see if the following KB could help here:
    MBAM Enterprise Reporting Not Getting Updated
    Besides, questions related MBAM, please consider ask in the following forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam
    Experts there might share some insights for the issue here.
    Best regards
    Michael Shao
    TechNet Community Support

  • Latitude e7450 - Repeating Keys/Debouncing Issue is present in this model too

    Not sure how to get attention to this, as I do not think Dell is aware of this problem since this model was only released a month ago.  The repeating keys/debouncing issue described here  , is present in this new model Latitude e7450 in both bios A00 and A01.  Please make this bug known, so that Dell is able to fix it in a bios update!

    So, I also found and posted in this thread  about the issue with the E7450
    and basically that is the aggregation of all the posts on this repeating keys/debouncing issue on ALL affected models.  Honestly as a developer, I'm pretty shocked at how bad Dell support really is.  I've been lucky enough to never have any hardware issues until now...
    They chose to have a forum for their customer service, fine; that works with many other companies. But they should have at least split the forums into laptop series,by model number, have a bug tracker and paid more than 1 guy to relay issues to the engineering team.. This is ridiculous and utter chaos reading through these threads and it is enough to make me question buying a high priced Dell ever again.  Like many people I went with Dell Latitude after Lenovo created that awful macbook-like clickable touchpad, but it looks like their 2015 models are bringing back hardware left/right click buttons again so that might be my next purchase.

Maybe you are looking for

  • Error in EHPI Tool in EHP4 upgrade process

    Hello All, I have ECC dual stack server at EHP3 and i am upgrading it to EHP4 via EHPI Tool. In EHPI wizard "Configuration" step for ABAP is done properly but in J2EE it is stuck with an error "An error has occurred during the execution of the PREPAR

  • ODI procedures

    I m new to ODI & dont know about its procedure given in project(Designer). Plz help me out with any example regarding two tables in different schema with same table structure.

  • Pavilion G4 - Diabling Touch Pad is not retained after reboot or Sleep

    On a Pavilion G4 running Windows 8, when I double touch the upper left of the touch pad to disable it, it does so and acts accordingly.  However, after I close the lid to put it to sleep or re-boot, the system comes back up with the touch pad enabled

  • Runnig Automator droplet in background

    I have a nice automator droplet that is quite elaborate and uses a lot of time to run ( in Photoshop CS5 ) - I would love to do some other tasks like browse the web etc . during that time - can I do something to make that automator workflow to run in

  • Restart BPM instance

    Hi All, I use a BPM to send message to a third-party system which is time to time off-line. In my BPM I use a loop to send the message maximumly 10 times. After times, this BPM should end. I need to manually restart this BPM if the message  is not su