LDAP error: Invalid credentials during PYNC Password update

Article ID: 249339

Products

CA Identity Manager

Issue/Introduction

If a user changes their password in MS AD, the new password does not arrive on the IM side.

Environment

Release : 14.4

Component : IdentityMinder(Identity Manager)

Cause

The Password Synchronization Agent installed on the MS AD Domain Controllers is encountering errors.

Resolution

The Password Sync Agent log showed that the Global User used to update passwords from MS AD to the Provisioning Server was getting "LDAP error: Invalid credentials" every time a user tried to change a password from AD, so the password was not reaching the IM side.

We then went into Provisioning Manager and tried to authenticate as that user, and got the error ETA_E_0418<BGU>, Bind to provisioning server as '<Global User to bind from Psync to Provisioning Server>' failed: Password expiration date has passed.

We adjusted the password of the user '<Global User to bind from Psync to Provisioning Server>' in Provisioning Manager and ran the PwdSyncConfig.exe program on the MS DC to test the password.

Now the connection from Psync to IM is good.

Additional Information

1. On the user's Windows workstation, run the command set | find "LOGONSERVER"
This shows the name of the DC that the user is logged on to.
2. Go to that server and check whether the Password Synchronization Agent is installed: open Uninstall or change program and look in the list for eTrust Admin Password Synchronization Agent.
3. Go to the installation location under Program Files/CA/eTrust Admin Password Sync Agent/logs and check the log file eta_pwdsync.log.
4. Look in the log for errors for the user name that tried the password change. If you find ldap_simple_bind() failed while connecting to 'ldaps://<Provisioning server hostname>:20389' followed by "LDAP error: Invalid credentials", this may indicate a password problem with the user that updates passwords from AD to the Provisioning Server.
5. Check whether any lines contain Reason: Administrator DN: 'eTGlobalUserName=<Global User Name>,eTGlobalUserContainerName=Global User,eTNamespaceName=CommonObjects,dc=im,dc=eta'. This line shows the user that has the password problem.
6. If you know the password of this user, try to log in to Provisioning Manager with this user. If the password has expired, you will see an ETA_E_0418 error stating that the password expiration date has passed. Set the user's password again in Provisioning Manager.
7. To test whether the Password Sync Agent can bind, use the tool PwdSyncConfig.exe in the bin folder of the Agent to configure the agent again and test whether the password is now good.
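
The log check in steps 4 and 5, as an added PowerShell example (not part of the original article and not vendor tooling). It matches only the message fragments quoted above; the function name, the 5-line window, the host name provsrv.example.test, the user psync-svc and the sample lines are assumptions constructed for illustration.

```powershell
# Added example: triage helper for eta_pwdsync.log.
# Only the message fragments quoted in the article are matched; the rest of
# the real line layout (timestamps, prefixes) is unknown and is ignored.
function Find-PsyncBindFailure {
    param(
        [string[]] $Lines,
        [int] $Window = 5   # assumption: related lines follow within 5 lines
    )
    $results = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match "ldap_simple_bind\(\) failed while connecting to '(?<url>ldaps?://[^']+)") {
            $url  = $Matches['url']
            $end  = [Math]::Min($i + $Window, $Lines.Count - 1)
            $near = @($Lines[$i..$end])

            # Was the bind failure caused by rejected credentials?
            $invalid = $false
            # Which Global User did the agent bind as?
            $user = $null
            foreach ($l in $near) {
                if ($l -match 'LDAP error: Invalid credentials') { $invalid = $true }
                if (-not $user -and $l -match "Administrator DN: 'eTGlobalUserName=(?<u>[^,']+),") {
                    $user = $Matches['u']
                }
            }
            $results += [pscustomobject]@{
                Line               = $i + 1
                Server             = $url
                InvalidCredentials = $invalid
                GlobalUser         = $user
            }
        }
    }
    $results
}

# Constructed sample lines (not real log output).
$sample = @(
    "ldap_simple_bind() failed while connecting to 'ldaps://provsrv.example.test:20389'",
    "LDAP error: Invalid credentials",
    "Reason: Administrator DN: 'eTGlobalUserName=psync-svc,eTGlobalUserContainerName=Global User,eTNamespaceName=CommonObjects,dc=im,dc=eta'"
)
Find-PsyncBindFailure -Lines $sample | Format-List

# Against the real file on the DC:
#   Find-PsyncBindFailure -Lines (Get-Content '<path to eta_pwdsync.log>')
```

A result with InvalidCredentials set to True names the Global User whose password should be checked in Provisioning Manager, as in step 6.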