Exchange Detection failed when AD Endpoint is configured with SASL security

Article ID: 185852



CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


An AD/Exchange Endpoint configured with SASL security, with Kerberos authentication set up on the CCS machine, fails to identify and acquire Exchange attributes when the User ID is specified in 'domain\username' notation.

If we launch Provisioning Manager and go to the Endpoint's properties, we can see that the *Home MTA* and *Exchange Gateway Server* fields under the *Exchange General* tab are grayed out.

The following warning/error messages are shown in the AD Endpoint log.

 ...WARNING: Unknown Bind ID format.  Bind ID=mydomain\srv_ca
 ...Filter: sAMAccountName=mydomain\srv_ca
 ...ldap_search_s() ...rc=0
 ...dn: (null)
Exchange2000: License: T; EX2mdb: T; EX2servers: T
buildSID(): DN=mydomain\srv_ca
18:08:18 - TID:0x2500 Server: : Credentials: [mydomain\srv_ca]
 ADS->SEARCH: DN: [mydomain\srv_ca] rc=34 (elapsed: 1 ms)
 SearchType: Base; filter: (objectClass=*), Attributes(s) = objectSID
FAILURE in buildSID: rc = 34
*** FAILURE in retrieving SID. Turning off Exchange
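
An added example (not the vendor's code and not part of the original article): a Python check that scans an AD Endpoint log for the failure sequence quoted above and reports the bind ID involved. The function and field names are hypothetical, the sample log is the excerpt from this article, and rc=34 is read as the standard LDAP result code invalidDNSyntax.

```python
import re

# Constructed sample: the log excerpt quoted in this article.
SAMPLE_LOG = r"""
 ...WARNING: Unknown Bind ID format.  Bind ID=mydomain\srv_ca
 ...Filter: sAMAccountName=mydomain\srv_ca
 ...ldap_search_s() ...rc=0
 ...dn: (null)
Exchange2000: License: T; EX2mdb: T; EX2servers: T
buildSID(): DN=mydomain\srv_ca
18:08:18 - TID:0x2500 Server: : Credentials: [mydomain\srv_ca]
 ADS->SEARCH: DN: [mydomain\srv_ca] rc=34 (elapsed: 1 ms)
 SearchType: Base; filter: (objectClass=*), Attributes(s) = objectSID
FAILURE in buildSID: rc = 34
*** FAILURE in retrieving SID. Turning off Exchange
"""

BIND_WARN = re.compile(r"WARNING: Unknown Bind ID format\.\s+Bind ID=(\S+)")
SID_FAIL = re.compile(r"FAILURE in buildSID: rc = (\d+)")
EXCH_OFF = "FAILURE in retrieving SID. Turning off Exchange"
# 'domain\username' notation: exactly one backslash, no DN or UPN characters.
DOWN_LEVEL = re.compile(r"^[^\\/@=,]+\\[^\\/@=,]+$")


def find_exchange_detection_failures(log_text):
    """Return one dict per 'Turning off Exchange' event, carrying the bind ID
    and buildSID result code logged since the previous event."""
    findings, bind_id, rc = [], None, None
    for line in log_text.splitlines():
        if (m := BIND_WARN.search(line)):
            bind_id = m.group(1)
        elif (m := SID_FAIL.search(line)):
            rc = int(m.group(1))
        elif EXCH_OFF in line:
            down_level = bool(bind_id and DOWN_LEVEL.match(bind_id))
            findings.append({
                "bind_id": bind_id,
                "rc": rc,
                "domain_backslash_user": down_level,
                # rc=34 (invalidDNSyntax): the bind ID was used as a base DN.
                "matches_article": down_level and rc == 34,
            })
            bind_id, rc = None, None  # reset for the next detection attempt
    return findings


if __name__ == "__main__":
    for finding in find_exchange_detection_failures(SAMPLE_LOG):
        print(finding)
```
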


Release : 14.3, 14.3 CP1

Component : Identity Manager


This is a known issue that is recorded in DE4470045.


At the time this article is written, the following production fix is available to address this issue.

Please raise a Support Call Ticket and request the fix.

This hot fix is for CCS, i.e. the external Connector Server on Windows. The fix replaces E2KPS.dll and W2KNamespace.dll in the CCS bin directory.

This hot fix can also be applied on top of a CCS that was installed from the External Connector installation downloaded from the vApp with IM 14.3 CP1.

After applying the fix, to make an existing AD/Exchange Endpoint detect Exchange, you need to run the following ldapsearch command.

ldapsearch -LLL -h <Provisioning Server hostname>  -p 20389 -D "eTGlobalUserName=<admin global user name>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -b "eTADSDirectoryName=<Endpoint name>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s base "(objectclass=eTADSDirectory)" eTADSexchangeStores eTExploreUpdateEtrust

  Please replace
  <Provisioning Server hostname> with Provisioning Server hostname
  <admin global user name> with Provisioning Server Admin user (by default it is etaadmin)
  <Endpoint name> with the affected Endpoint Name

Currently this issue is planned to be addressed in IM 14.3 CP2.