AD MA - Initial password
Hi
We have an issue when we are trying to set the initial password with the AD MA.
FIM 2010 is RTM without any updates, and we are running against a Windows 2008 R2 domain. We are able to create the user, but the user is disabled.
We are sending a static password and set the user to enabled (512); everything is fine in FIM, but in AD the user is disabled. We have checked that the MA user has the rights that it needs, and that the password we are sending meets the requirements of the password policy. We assume that the MA does not set the password at all.
We are not able to see the attribute unicodePwd in the request, but we assume that is normal.
November 25th, 2010 5:56am
Are you sure you are flowing unicodePwd as "Initial Flow Only" and that the static password meets the AD password requirements?
It's completely normal that accounts that don't receive a password are created disabled.
//Henrik
Henrik Nilsson, ILM/FIM MVP. Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
November 25th, 2010 6:52am
Hi Henrik,
Yes, we are flowing the unicodePwd as "Initial Flow Only", and the password does meet the requirements; we have tested this by adding a user manually with that password.
Mikkel
November 25th, 2010 7:03am
Are you using the FIM portal to configure the sync or do you use the FIMSync only?
How did you configure the initial password in provisioning? (Sync rule, or mvextension?)
Do you see any errors in the import/sync/export/confirming import?
Did you check for Kerberos errors?
Is the FIM server time synced with the AD DC?
Kind regards,
Peter
Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)
[If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
By marking a post as Answered or Helpful, you help others find the answer faster.]
November 25th, 2010 7:13am
Hi Peter,
We are using the FIM portal and outbound sync rules to create the user.
There are no errors in the import/sync/export/confirming import; the only change is in the confirming import, where the attribute userAccountControl is 514 instead of 512, but that is the actual value in AD.
There are no Kerberos errors or warnings in the security event log on the DC.
The FIM server is time synced with the DC.
Best regards,
Mikkel
November 25th, 2010 8:03am
I had a similar error a couple of years ago with MIIS. I can't remember exactly whether it was the pwdLastSet attribute value,
but for new users I have this in MapAttributesForExport:
    Case "pwdlastset"
        ' Only for managed users: outside the exceptions container and with an employeeID in the metaverse
        If Not csentry.DN.ToString().Contains(ExceptionsUsersContainer) AndAlso mventry("employeeID").IsPresent Then
            ' Initial flow only: set pwdLastSet when the connector space entry does not have it yet
            If Not csentry("pwdLastSet").IsPresent Then
                csentry("pwdLastSet").Values.Add(0L)
            End If
        End If
That means setting pwdLastSet to 0 on initial flow may help.
November 25th, 2010 8:45am
And can we see an audit log from an export profile run for new account creation?
Just to check whether 512 is really exported to AD.
November 25th, 2010 8:48am
I'm not sure if it's required, but have you got the following set in your AD MA:
"Connect to Active Directory Forest" -> Sign and Encrypt LDAP traffic
"Configure Extension" -> "Pwd Management" -> (1) enable pwd mgmt, (2) settings -> check "require secure ...", I have retry count as 10, interval as 60
I copy-pasted this from
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2d07c59-9e1a-4d1c-86c9-a6cd96a40aab
http://setspn.blogspot.com
November 25th, 2010 4:58pm
Hi all,
The problem has been solved.
We have a firewall between the DC and FIM, and we had to open port 464 (UDP and TCP) in order to set the password.
Thanks for all the feedback!
November 26th, 2010 3:17am
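Added example, not code from the thread or from FIM: a PowerShell helper that decodes the userAccountControl value the confirming import returned (514 versus the exported 512) and probes TCP 464, the Kerberos password-change (kpasswd) port the firewall had to allow. The DC hostname is a placeholder; the UDP side of 464 cannot be verified with a plain connect and is not probed here.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 or later, as on a
# 2008 R2-era FIM server; no Test-NetConnection required.

# Well-known ADS_USER_FLAG bits relevant to a freshly provisioned account.
$UacFlags = @{
    SCRIPT               = 0x0001
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory = $true)][int]$Value)
    # Return the name of every flag set in the value, lowest bit first.
    $UacFlags.GetEnumerator() |
        Sort-Object Value |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-KpasswdPort {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [int]$Port = 464)
    # TCP connect with a 3 second timeout; $false means the DC did not accept
    # the connection (filtered by a firewall or the service is not listening).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 514 is NORMAL_ACCOUNT (512) with ACCOUNTDISABLE (2) set: the account was
# created but the password set never reached the DC, so AD left it disabled.
ConvertFrom-UserAccountControl -Value 514
ConvertFrom-UserAccountControl -Value 512

# Run from the FIM server against the DC the AD MA talks to (placeholder name).
Test-KpasswdPort -ComputerName 'dc01.example.com'
```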