Error while importing Default Policy Store Objects using AD LDS as policy store

Article ID: 142082

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

EventID            : 2537
MachineName        : <SERVER FQDN>
Data               : {}
Index              : 978
Category           : Internal Processing
CategoryNumber     : 9
EntryType          : Warning
Message            : The directory server has failed to create the AD LDS serviceConnectionPoint object in Active
                     Directory Lightweight Directory Services.
                     This operation will be retried.

                     Additional Data

                     SCP object DN:
                     CN={<UUID>},CN=<SERVER>,CN=Computers,DC=<DOMAIN>,DC=<DOMAINEXT>

                     Error value:
                     5 Access is denied.

                     Server error:
                     00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

                     Internal ID:
                     33903ab

                     AD LDS service account:
                     <ACCOUNT RUNNING AD LDS>

                     User Action

                     If AD LDS is running under a local service account, it will be unable to update the data in
                     Active Directory Lightweight Directory Services.
                     Consider changing the AD LDS service account to either NetworkService or a domain account.

                     If AD LDS is running under a domain user account, make sure this account has sufficient rights to
                     create the serviceConnectionPoint object.

Environment

Release : 12.8.03

Component : SITEMINDER - POLICY SERVER

Resolution

This is a permissions issue.

The following part of the event indicates that the account AD LDS is running under is <ACCOUNT RUNNING AD LDS>:


AD LDS service account:
 <ACCOUNT RUNNING AD LDS>


Please also note the following other received message:

"If AD LDS is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object."

Is <ACCOUNT RUNNING AD LDS> a domain account? Does it have sufficient rights to create the serviceConnectionPoint object under the computer object named in the SCP object DN? If not, grant the account those rights.

If it is not a domain account, please see:

"If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account."
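The checks this resolution walks through (which account the AD LDS instance runs as, whether it is a domain account, and whether it can create a serviceConnectionPoint under the server's computer object), as an added PowerShell example. This is not code from the CA article or from the product; it assumes the ActiveDirectory RSAT module is installed, that it runs on the AD LDS host as a user allowed to read (and, for the grant step, modify) the computer object's ACL, and that the instance name `ADAMInstance` is a placeholder to be replaced with the real one.

```powershell
# Added example, not part of the KB article. Placeholders: the AD LDS instance
# name; everything else is resolved from the running system and the directory.
#Requires -Modules ActiveDirectory

function Get-AdLdsServiceAccount {
    param([Parameter(Mandatory)][string]$InstanceName)
    # AD LDS instances are registered as Windows services named ADAM_<instance>;
    # StartName is the account the service logs on with.
    $svc = Get-CimInstance Win32_Service -Filter "Name='ADAM_$InstanceName'"
    if (-not $svc) { throw "AD LDS instance '$InstanceName' not found." }
    $svc.StartName
}

function Get-ServiceAccountKind {
    param([Parameter(Mandatory)][string]$Account)
    # Classify the logon account so the caller can apply the event's User Action:
    # NetworkService or a domain account is recommended; a local account is not.
    switch -Regex ($Account) {
        '^NT AUTHORITY\\Network ?Service$'               { return 'NetworkService' }
        '^LocalSystem$'                                  { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'                 { return 'LocalService' }
        "^(\.|$([regex]::Escape($env:COMPUTERNAME)))\\"  { return 'LocalUser' }
        '^[^\\]+\\[^\\]+$|^[^@]+@[^@]+$'                 { return 'Domain' }
        default                                          { return 'Unknown' }
    }
}

function Get-ScpSchemaGuid {
    # Read the schemaIDGUID of serviceConnectionPoint from this forest's schema
    # instead of hardcoding it; object-specific ACEs are keyed on this GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}

function Test-ScpCreateRight {
    param([Parameter(Mandatory)][string]$ComputerDn, [Parameter(Mandatory)][string]$Account)
    $sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $scpId = Get-ScpSchemaGuid
    $need  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl   = Get-Acl -Path "AD:\$ComputerDn"
    # A qualifying ACE is an Allow for this SID (direct grants only; group-derived
    # rights are not expanded here) that includes CreateChild or GenericAll and is
    # either class-agnostic (empty ObjectType) or scoped to serviceConnectionPoint.
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        (($_.ActiveDirectoryRights -band $need) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $scpId)
    }
    return (@($hits).Count -gt 0)
}

function Grant-ScpCreateRight {
    param([Parameter(Mandatory)][string]$ComputerDn, [Parameter(Mandatory)][string]$Account)
    # Least privilege: allow creating serviceConnectionPoint children only, on this
    # computer object only (no inheritance), rather than broad write access.
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ScpSchemaGuid),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$ComputerDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ComputerDn" -AclObject $acl
}

# --- Driver -----------------------------------------------------------------
$instance   = 'ADAMInstance'   # placeholder: your AD LDS instance name
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName   # the CN=<SERVER>,... object from the event
$account    = Get-AdLdsServiceAccount -InstanceName $instance

switch (Get-ServiceAccountKind -Account $account) {
    'Domain' {
        if (Test-ScpCreateRight -ComputerDn $computerDn -Account $account) {
            "OK: $account can create serviceConnectionPoint objects under $computerDn"
        } else {
            "MISSING: $account lacks CreateChild(serviceConnectionPoint) on $computerDn"
            # Uncomment to grant the right; requires permission to modify the computer object's ACL.
            # Grant-ScpCreateRight -ComputerDn $computerDn -Account $account
        }
    }
    'NetworkService' { "Service runs as NetworkService, one of the two options the event's User Action recommends." }
    default          { "Service runs as '$account' (local account); the event's User Action recommends NetworkService or a domain account." }
}
```

The audit reads the computer object's effective ACL through the `AD:` drive, so ACEs inherited from a parent OU are included, but rights the account holds only through group membership are not resolved; if the check reports MISSING while the account is in a group you believe has the right, verify that group's ACE separately before granting anything. The grant function is deliberately narrow (one object class, one object, no inheritance) so that fixing event 2537 does not hand the service account write access it does not need.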