Manual update of E-mail Addresses (Exchange's proxyAddresses attribute) failed when AD Endpoint is configured with SASL

Article ID: 185854

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

I have set up an AD/Exchange Endpoint configured with SASL security, and the User ID in the Endpoint Configuration is specified as '<username>' only, e.g. srv_ca (without the Windows domain name). The Endpoint was generated successfully and Exchange was detected.

However, when I manually update E-Mail Addresses (the proxyAddresses attribute) using either the IM User Console's Modify User's Endpoint Accounts task or the Provisioning Manager Global User's AD account Properties, an error similar to the following occurs (red text messages on the Modify User's Endpoint Accounts task page, or an error dialog in Provisioning Manager).

Failed to execute ModifyActiveDirectoryAccount. ERROR MESSAGE: Failed to execute ModifyActiveDirectoryAccount. ERROR MESSAGE: Failed to execute ModifyActiveDirectoryAccount. ERROR MESSAGE: Active Dir. Account '<user name>' on '<Endpoint Name>' modification failed: Connector Server Modify failed: code 16 (NO_SUCH_ATTRIBUTE): failed to modify entry: eTADSAccountName=<account name>,eTADSOrgUnitName=Users,eTADSOrgUnitName=<Org Unit Name>,eTADSDirectoryName=<Endpoint Name>,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: [email protected]<hostname>: JNDI: [LDAP: error code 16 - Search of Global Catalog for proxyAddresses failed]: failed to modify eTADSAccountName=<account name>,eTADSOrgUnitName=Users,eTADSOrgUnitName=<Org Unit Name>,eTADSDirectoryName=<Endpoint Name>,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://<JCS machine IP>:20411)

The AD log shows an Invalid Credentials error similar to the following:

******* Connect to:
 Server: 2k16-ad.wslab2.local
 Port: 3268
 Secure Mode : SASL

ldap_init() .....   Done
ldap_connect() .....  Done
ldap_set_option() size limit.....  Done
    New Size Limit: 1000
ldap_get_option() size limit.....  Done
    Current Size Limit : 1000
ldap_set_option() time limit.....  Done
    New Time Limit: 150
ldap_get_option() time limit.....  Done
    Current Time Limit: 150
ldap_set_option() Protocol Version.....  Done
ldap_set_option() Referrals.....  Done
ldap_get_option() Referrals.....  Done
   Current Referral Value  : 0
ldap_get_option() Keep Alive.....  Done
    Current Keep Alive value: 120
ldap_get_option() Auto Reconnect.....  Done
    Current Reconnect value: 1
Done
Bind DN: CN=Administrator,CN=Users,DC=wslab2,DC=local

ldap__bind_s() ..... ERROR: 49
    LdapGetLastError(): 49
    Error msg: Invalid Credentials
Search of Global Catalog for proxyAddresses failed: rc=49
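
An added example, not part of the original article and not vendor code: a small Python triage script that scans an AD log for the signature shown above (a SASL connection to port 3268 whose bind returns error 49) and reports the server, bind DN and attribute involved. The function name and the sample log are constructed for illustration; the second sample block, including its success line, is an assumed format.

```python
import re

# Constructed sample modelled on the log excerpt in this article. The second
# block (port 389, successful bind) is an assumed format, added for contrast.
SAMPLE_LOG = """\
******* Connect to:
 Server: 2k16-ad.wslab2.local
 Port: 3268
 Secure Mode : SASL
ldap_connect() .....  Done
Bind DN: CN=Administrator,CN=Users,DC=wslab2,DC=local
ldap__bind_s() ..... ERROR: 49
    Error msg: Invalid Credentials
Search of Global Catalog for proxyAddresses failed: rc=49
******* Connect to:
 Server: 2k16-ad.wslab2.local
 Port: 389
 Secure Mode : SASL
Bind DN: CN=Administrator,CN=Users,DC=wslab2,DC=local
ldap__bind_s() ..... Done
"""

FIELD = re.compile(r"^\s*(Server|Port|Secure Mode|Bind DN)\s*:\s*(.+?)\s*$", re.M)
BIND_ERR = re.compile(r"bind_s\(\)\s*\.+\s*ERROR:\s*(\d+)")
GC_FAIL = re.compile(r"Search of Global Catalog for (\S+) failed: rc=(\d+)")

def find_gc_bind_failures(log_text):
    """Return one dict per connection block matching the article's symptom:
    SASL bind to the Global Catalog port (3268) rejected with LDAP error 49."""
    hits = []
    # Each connection attempt in the log starts with this banner line.
    for block in log_text.split("******* Connect to:")[1:]:
        fields = dict(FIELD.findall(block))
        bind = BIND_ERR.search(block)
        gc = GC_FAIL.search(block)
        if (fields.get("Port") == "3268"
                and fields.get("Secure Mode", "").upper() == "SASL"
                and bind and bind.group(1) == "49"):
            hits.append({
                "server": fields.get("Server"),
                "bind_dn": fields.get("Bind DN"),
                "attribute": gc.group(1) if gc else None,
            })
    return hits

if __name__ == "__main__":
    for hit in find_gc_bind_failures(SAMPLE_LOG):
        print(hit)
```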

Cause

This is a known issue that is recorded in DE447715.

Environment

Releases :
All 14.2 prior to CP6
All 14.3 prior to CP2

Component : Identity Manager

Resolution

To resolve this issue, please apply the current Cumulative Patch:

Latest Cumulative Patch - 14.2 CP6
Latest Cumulative Patch - 14.3 CP2

You can review the documentation for each CP to see the fix for DE447715:

Identity Manager 14.2 CP6 - Fixed Defects
Identity Manager 14.3 CP2 - Fixed Defects