Exchange Detection failed when AD Endpoint is configured with SASL security

Article ID: 185852

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

An AD/Exchange Endpoint configured with SASL security, with Kerberos authentication set up on the CCS machine, fails to identify and acquire Exchange attributes when the User ID is specified in 'domain\username' notation.

If we launch Provisioning Manager and open the Endpoint's properties, the *Home MTA* and *Exchange Gateway Server* fields under the *Exchange General* tab are grayed out.

The following warning/error messages are shown in the AD Endpoint log.

------------------------------------------------------------
setRealDN():
 ...WARNING: Unknown Bind ID format.  Bind ID=mydomain\srv_ca
 ...Filter: sAMAccountName=mydomain\srv_ca
 ...ldap_search_s() ...rc=0
 ...dn: (null)
mydomain\srv_ca
------------------------------------------------------------
...
------------------------------------------------------------
Exchange2000: License: T; EX2mdb: T; EX2servers: T
--------
buildSID(): DN=mydomain\srv_ca
18:08:18 - TID:0x2500 Server: dc1.mydomain.com : Credentials: [mydomain\srv_ca]
 ADS->SEARCH: DN: [mydomain\srv_ca] rc=34 (elapsed: 1 ms)
 SearchType: Base; filter: (objectClass=*), Attributes(s) = objectSID
------------------------------------------------------------
FAILURE in buildSID: rc = 34
*** FAILURE in retrieving SID. Turning off Exchange
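As an added diagnostic example (not part of this article or the product's code), the following Python check scans a CCS AD Endpoint log excerpt for this failure signature: it extracts the Bind ID from the "Unknown Bind ID format" warning, classifies how it is written, and reads the buildSID return code. The embedded log is a constructed copy of the lines quoted above; the result-code name is the standard LDAP meaning of 34 and is an assumption about what the connector reports.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the lines quoted in the article, embedded so the check runs offline.
SAMPLE_LOG = """setRealDN():
 ...WARNING: Unknown Bind ID format.  Bind ID=mydomain\\srv_ca
 ...Filter: sAMAccountName=mydomain\\srv_ca
 ...ldap_search_s() ...rc=0
 ...dn: (null)
buildSID(): DN=mydomain\\srv_ca
FAILURE in buildSID: rc = 34
*** FAILURE in retrieving SID. Turning off Exchange
"""

# Standard LDAP result code 34 = invalidDNSyntax (assumed to be what rc=34 means here).
LDAP_INVALID_DN_SYNTAX = 34


def classify_bind_id(bind_id: str) -> str:
    """Classify how a Bind ID is written: 'dn', 'upn', 'domain_backslash_user' or 'plain'."""
    if re.match(r"^\s*\w+=", bind_id):      # e.g. CN=...,DC=...
        return "dn"
    if "\\" in bind_id:                     # e.g. mydomain\srv_ca (the notation this article is about)
        return "domain_backslash_user"
    if "@" in bind_id:                      # e.g. srv_ca@mydomain.com
        return "upn"
    return "plain"


def check_exchange_detection(log_text: str) -> Dict[str, object]:
    """Summarise whether the log shows the Exchange-detection failure described in the article."""
    bind = re.search(r"Unknown Bind ID format\.\s+Bind ID=(\S+)", log_text)
    rc = re.search(r"FAILURE in buildSID: rc = (\d+)", log_text)
    bind_id: Optional[str] = bind.group(1) if bind else None
    rc_val: Optional[int] = int(rc.group(1)) if rc else None
    return {
        "bind_id": bind_id,
        "bind_id_format": classify_bind_id(bind_id) if bind_id else None,
        "buildsid_rc": rc_val,
        "invalid_dn_syntax": rc_val == LDAP_INVALID_DN_SYNTAX,
        "exchange_turned_off": "Turning off Exchange" in log_text,
    }


if __name__ == "__main__":
    print(check_exchange_detection(SAMPLE_LOG))
```

A log that lacks the warning and the buildSID failure yields a summary with all fields empty or False, so the check can be run unchanged over a healthy endpoint log.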

Environment

Release : 14.3, 14.3 CP1

Component : Identity Manager

Cause

This is a known issue that is recorded in DE4470045.

Resolution

At the time of writing, the following production fix is available to address this issue:
          HF-DE447045-DE447715-DE447532.zip
Please raise a Support ticket and request the fix.

This hot fix is for CCS, i.e. the external Connector Server on Windows. It replaces E2KPS.dll and W2KNamespace.dll in the CCS bin directory.

This hot fix also applies on top of a CCS installed from the External Connector installer downloaded from the vApp with IM 14.3 CP1.

After applying the fix, run the following ldapsearch command so that an existing AD/Exchange Endpoint detects Exchange.

ldapsearch -LLL -h <Provisioning Server hostname>  -p 20389 -D "eTGlobalUserName=<admin global user name>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -b "eTADSDirectoryName=<Endpoint name>,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s base "(objectclass=eTADSDirectory)" eTADSexchangeStores eTExploreUpdateEtrust

Notes:
  Replace the placeholders as follows:
  <Provisioning Server hostname> with the Provisioning Server hostname
  <admin global user name> with the Provisioning Server admin user (by default it is etaadmin)
  <Endpoint name> with the affected Endpoint name

Currently this issue is planned to be addressed in IM 14.3 CP2.