Description:

This Document shows how to reset the user account and password of the AD listener login ID to the SSO server as well as to the Active Directory server.

Moreover it provides tips how to troubleshoot if such reset might become necessary.

Solution:

Moving or deleting users within AD is addressed by the SSO AD Listener component (ADSL) by adjusting the user objects reference to its SSO LOGININFOS stored in the SSO Server.

To accomplish this task the SSO AD Listener needs to authenticate against the AD Server (DC) as well as to the SSO Server.

It might happen that e.g. due to password policies the password of the AD user ID utilized by the SSO AD Listener expired or changed anyway without notice to the CA SSO Administrator hence the SSO AD Listener is failing to login.

In this case the AD Listener logs will give indication of this issue.

You will find the log by default in the ADSL log directory, e.g. C:\Program Files\CA\Single Sign-On\AD Listener\Log\

Please see screen shot:

<Please see attached file for image>

Example when the ADSL user account on AD has been moved to another OU; deleted; or password has changed the ADSL will fail to authenticate.

Note: LDAP Listener = ADS Listener

To set the credentials used by the ADSL against the SSO Server:

• On the host where the ADSL component is installed on open a cmd
• Change folder to the ADSL bin directory, e.g. C:\Program Files\CA\Single Sign-On\AD Listener\bin\
• To set the user account and password submit the following command
  
  adlistener.exe -s ps-admin PASSWORD
  
  (note the "-s" switch (s=sso) and the userID on the SSO Server having administrative privileges there)

To reset the credentials used by the ADSL against the AD Server (DC):

• On the host where the ADSL component is installed on open a cmd
• Change folder to the ADSL bin directory, e.g. C:\Program Files\CA\Single Sign-On\AD Listener\bin\
• To set the user account and password submit the following command
  
  adlistener.exe -l cn=ps-admin,ou=sso,dc=democorp,dc=com PASSWORD
  
  (note the "-l" switch (l=ldap) and to use the full DN of the userID on the AD having read access to all branches of the defined monitoring context)

Restart the CA Single Sign-On Active Directory Listener Service to make the changes effective.

To verify if all is working as expected perform a typical use-case (move AD user object between OUs in AD, let this user logoff and logon to SSO and then use some SSO applications without problems.

Monitor the ADListenerLog.log file for issues.