Password Sync Agent causes timeout when enabled

Article ID: 220841

Products

CA Identity Manager

Issue/Introduction

We installed Password Sync Agent 14.2 on our domain controller. If we enable the Password Sync Agent, it causes timeouts to occur and prevents any type of password change from happening during interception of the request. Also, on the Provisioning Server side, any listing of accounts on the Active Directory endpoint hangs with a timeout as well. Is there some parameter in the sync agent config that needs to be turned on to prevent this issue from happening? If we disable the sync agent, the issue goes away in both the AD domain and the Provisioning Server. Please advise.

Environment

Release : 14.2

Component : IdentityMinder(Identity Manager)

Resolution

The version 14.2 Password Sync Agent package for 64-bit Windows Servers has issues after successful install and testing, causing freezes and timeouts on the DC. The package itself is bad; the installation did not indicate any type of failed or bad install. Hence we had to validate that our internal environment, infrastructure and prerequisites are set. Password Sync Agent is installed and tested successfully in the Dev AD domain with the latest 14.4 version on 64-bit Windows Servers.


Here are our internal infrastructure and prerequisite validations.

1.)   Firewall rules are bidirectional between the DC domain and the Provisioning Server. I've verified with the networking team that the issue is not firewall or network related via Palo Alto Networks monitoring tools: they show Time, Source, Destination, Port, Application, and the action is allowed. At some point during the trace the application would become incomplete. Testing returned timeout!!! This looks like an application return error.

2.)   Validated that the administrator IDs, both etapwsad and root etasa, have the correct password. Reinstalled using both IDs, with remote proxies set to yes/no for both cloud and non-cloud deployment. Testing returned timeout!!!

3.)   Connections between the Provisioning Server and the DC are established; validated via ping, curl, telnet, traceroute and the Provisioning Manager client. Testing returned timeout!!!

4.)   Updated the AD Endpoint for the "Password Synchronization Agent is installed" check box. Testing returned timeout!!!

5.)   Enabled the IDM Environment for Password Synchronization in the Management Console. Testing returned timeout!!!

6.)   The only thing left is the application package itself. Our IDM upgrade project is running 14.2. I've downloaded and installed the latest 14.4 Password Sync Agent, 64-bit. Testing success!!!! The test user password change from the DC is completed, the password is updated back to the Provisioning Server, and the Global User is able to log in with the new password. Details and logs from the DC and Provisioning Server are below.

From the AD DC Password Sync Agent log:

 

20210727.11:35:03. TID=2728. * Trace: Connect request completed successfully.

            Administrator DN: 'eTGlobalUserName=etapwsad,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'.

            Connection timeout: '20'.

            Successfully connected to 'ldaps://WDAPPCAPROV001.HMS.HMSY.COM:20390'.

20210727.11:35:03. TID=2728. * ldap: ldap_msgfree

20210727.11:35:03. TID=2728. * ldap: ldap_search

20210727.11:35:03. TID=2728. * ldap: put_filter "(&(eTADSsAMAccountName=quyentiger)(objectClass=eTADSAccount))"

20210727.11:35:03. TID=2728. * ldap: put_filter: AND

20210727.11:35:03. TID=2728. * ldap: put_filter_list "(eTADSsAMAccountName=quyentiger)(objectClass=eTADSAccount)"

20210727.11:35:03. TID=2728. * ldap: put_filter "(eTADSsAMAccountName=quyentiger)"

20210727.11:35:03. TID=2728. * ldap: put_filter: simple

20210727.11:35:03. TID=2728. * ldap: put_simple_filter "eTADSsAMAccountName=quyentiger"

20210727.11:35:03. TID=2728. * ldap: put_filter "(objectClass=eTADSAccount)"

20210727.11:35:03. TID=2728. * ldap: put_filter: simple

20210727.11:35:03. TID=2728. * ldap: put_simple_filter "objectClass=eTADSAccount"

 

20210727.11:35:03. TID=2728. * Trace: Modify request.

            DN: 'eTADSAccountName=quyen tiger,eTADSOrgUnitName=NY-BUFFL,eTADSOrgUnitName=IDM Managed,eTADSDirectoryName=HMS New Active Directory,eTNamespaceName=ActiveDirectory,dc=im,dc=eta'.

            Modify timeout: '1'.

20210727.11:35:03. TID=2728. * ldap: ldap_parse_result

20210727.11:35:03. TID=2728. * Trace: Modify request completed successfully.

            DN: 'eTADSAccountName=quyen tiger,eTADSOrgUnitName=NY-BUFFL,eTADSOrgUnitName=IDM Managed,eTADSDirectoryName=HMS New Active Directory,eTNamespaceName=ActiveDirectory,dc=im,dc=eta'.

            Modify timeout: '1'.

20210727.11:35:03. TID=2728. * ldap: ldap_msgfree

20210727.11:35:03. TID=2728. * ldap: ldap_unbind

20210727.11:35:03. TID=2728. * ldap: ldap_free_connection

20210727.11:35:03. TID=2728. * ldap: ldap_send_unbind

20210727.11:35:03. TID=2728. * ldap: ldap_free_connection: actually freed

20210727.11:35:03. TID=2728. * ldap: ldap_msgfree

 

=======================================================================================

 

From the Provisioning Server etatranslog:

 

20210727:113503:TID=0048bc:Modify    :C696:E684:I: Included object: eTADSAccountName=quyen tiger,eTADSOrgUnitName=NY-BUFFL,eTADSOrgU

20210727:113503:TID=0048bc:Modify    :C696:E684:I:+nitName=IDM Managed,eTADSDirectoryName=HMS New Active Directory,eTNamespaceName=A

20210727:113503:TID=0048bc:Modify    :C696:E684:I:+ctiveDirectory,dc=im

20210727:113503:TID=0048bc:Add       :Y714:C696:S: Notify Add (eTNotifyOpID=3d9531ec-5f91-4aa0-978f-0dcde7e70aeb) Requested by User

20210727:113503:TID=0048bc:Add       :Y714:C696:S:+etapwsad - TenantNotSet

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     URL: ldaps://wdappcaprov001:20391

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     dn:  eTNotifyOpID=3d9531ec-5f91-4aa0-978f-0dcde7e70aeb

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     objectClass:  eTNotifyOp

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyOpID:  3d9531ec-5f91-4aa0-978f-0dcde7e70aeb

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyEncrypted:  yes

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyState:  Complete

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyCreateTimet:  1627403703

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifySequenceNo:  0000000006

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyProvOpDN:  eTGlobalUserName=quyentiger,eTGlobalUserContainerName=Glob

20210727:113503:TID=0048bc:Add       :Y714:C696:P:+    al Users,eTNamespaceName=CommonObjects,dc=im

20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyProvOp:  Modify_Global_User_Password

20210727:113503:TID=0048bc:Add       :Y714:C696:F: SUCCESS: Notify Add (eTNotifyOpID=3d9531ec-5f91-4aa0-978f-0dcde7e70aeb)

20210727:113503:TID=0048bc:Modify    :C696:E684:F: SUCCESS: Child Modify (eTGlobalUserName=quyentiger)

20210727:113503:TID=0005cc:EtaServer :----:----:I: Retrieving common BLS Connectivity Configuration

20210727:113503:TID=0048bc:Modify    :C696:E684:F:     msg: :ETA_S_0245<MGU>, Global User 'quyentiger' and associated account passwo

20210727:113503:TID=0048bc:Modify    :C696:E684:F:+rds updated successfully:
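
Added example (not part of the original article or of the product's own tooling): the etatranslog excerpt above wraps long entries onto `+` continuation lines, so a plain text search for the success message misses it. This Python script rejoins wrapped entries and lists the global users whose password update is logged as successful; the line layout is inferred from the excerpt, and the sample data and the names `parse_records` and `synced_users` are constructed for illustration.

```python
import re

# Layout inferred from the etatranslog excerpt above (an assumption):
# date:time:TID=<hex>:<operation>:<id>:<id>:<flag>:<' ' or '+'><text>
# A '+' directly after the flag marks a wrapped continuation line.
LINE = re.compile(r"^(\d{8}):(\d{6}):TID=([0-9a-fA-F]+):(\w+)\s*"
                  r":(\S{4}):(\S{4}):([A-Z]):([ +])(.*)$")
PW_OK = re.compile(r"Global User '([^']+)' and associated account "
                   r"passwords updated successfully")

def parse_records(text):
    """Rejoin wrapped lines per (TID, operation, ids, flag)."""
    records, open_rec = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        date, time, tid, op, id1, id2, flag, mark, body = m.groups()
        key = (tid, op, id1, id2, flag)
        if mark == "+" and key in open_rec:
            # Continuation: append with no separator, indentation dropped.
            open_rec[key]["text"] += body.lstrip()
            continue
        rec = {"date": date, "time": time, "tid": tid, "op": op,
               "flag": flag, "text": body.lstrip()}
        records.append(rec)
        open_rec[key] = rec
    return records

def synced_users(records):
    """Global users whose password update is logged as successful."""
    hits = (PW_OK.search(r["text"]) for r in records)
    return [m.group(1) for m in hits if m]

# Constructed sample (made-up user, OU and IDs), wrapped like the excerpt.
SAMPLE = """\
20210727:113503:TID=0048bc:Modify    :C696:E684:I: Included object: eTADSAccountName=test user,eTADSOrgU
20210727:113503:TID=0048bc:Modify    :C696:E684:I:+nitName=Example,dc=im
20210727:113503:TID=0048bc:Add       :Y714:C696:P:     eTNotifyProvOp:  Modify_Global_User_Password
20210727:113503:TID=0048bc:Add       :Y714:C696:F: SUCCESS: Notify Add (eTNotifyOpID=00000000-0000-0000-0000-000000000000)
20210727:113503:TID=0048bc:Modify    :C696:E684:F: SUCCESS: Child Modify (eTGlobalUserName=testuser)
20210727:113503:TID=0005cc:EtaServer :----:----:I: Retrieving common BLS Connectivity Configuration
20210727:113503:TID=0048bc:Modify    :C696:E684:F:     msg: :ETA_S_0245<MGU>, Global User 'testuser' and associated account passwo
20210727:113503:TID=0048bc:Modify    :C696:E684:F:+rds updated successfully:
"""

if __name__ == "__main__":
    print("raw text matches:", bool(PW_OK.search(SAMPLE)))
    print("synced users:", synced_users(parse_records(SAMPLE)))
```

Where the log wrapped at a space, that space cannot be recovered from the continuation line, so rejoined text can run two words together.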