7018092: Active Directory Password Checkout – LDAP modify failed, error 53 (Server is unwilling to perform)

This document (7018092) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Privileged Account Manager

Microsoft Active Directory LDAP

Situation

Unable to check in a password with Microsoft Active Directory (AD) over LDAP

Password Checkout for an Active Directory Application over LDAP is not working

Using the checked-out password fails with an invalid credentials (account name / password) error

MyAccess reports Failed Check-in to user

The following appears in the Debug unifid.log when attempting check-in:

Warning, LDAP modify failed, error 53 (Server is unwilling to perform)

Error, LDAP modify failed – 182553

Resolution

Microsoft Active Directory (AD) may have requirements that prevent the password change from taking place. LDAP result code 53 (unwillingToPerform) means the destination LDAP server refused to apply the modification: the request reached the domain controller, but the server's own rules rejected it. There can be several reasons for AD to return this code; the common ones for a change to the unicodePwd attribute are:

  1. Password strength. AD enforces its domain (or fine-grained) password policy on the new value: minimum length, complexity, history and minimum age. The password PAM generates must satisfy that policy, so create a password policy that matches the domain's settings and assign it to the application account domain in the Enterprise Credential Vault. For details on this process, refer to the product documentation.

  2. Secure transport. AD only accepts modifications of unicodePwd over an encrypted connection, which for PAM means LDAP over SSL/TLS (LDAPS). Verify that the Active Directory Application Account Domain in the Enterprise Credential Vault has SSL enabled and uses the correct port.

     Note: By default, LDAPS:// connections use port 636.

  3. Rights of the proxy account. The client must bind as a user that is permitted to set another user's password. The proxy credential configured for PAM in the AD LDAP Account Domain of the Enterprise Credential Vault therefore needs the right to reset the target user's password: a vault check-in is an administrative reset (a single replace of the attribute) rather than a user-initiated change, so the old password is not presented. According to Microsoft, "the password is stored in the AD and LDS database on a user object in the unicodePwd attribute." Note that a missing right is normally reported by AD as result code 50 (insufficientAccessRights) rather than 53, so check the first two items before this one.

A quick way to tell the causes apart is to capture the full diagnostic text the domain controller returns alongside the result code, for example with an ldapmodify test from the PAM host: the leading hex value identifies the underlying Windows error (0000052D is ERROR_PASSWORD_RESTRICTION, a password-policy violation).
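As an added worked example (not code from the NetIQ KB or from PAM itself), the following Python shows how the modify request a check-in sends to AD is built, what the three checks above look like when evaluated before the request goes out, and how to read the diagnostic text a domain controller returns with result 53. The host names, DNs, passwords and the sample DC message are constructed for illustration; the live reset_password() function assumes the third-party ldap3 library is installed and a reachable domain controller, while everything else runs offline.

```python
"""Added example (not from the NetIQ KB or PAM): building an AD password reset
over LDAP, pre-checking it against the three KB requirements, and reading the
DC's diagnostic message when the modify comes back as result 53.
Hosts, DNs, passwords and the sample DC reply below are constructed.
"""
from __future__ import annotations
import re
import ssl

LDAPS_PORT = 636  # LDAP over SSL/TLS; the port the KB says to verify

# Error-data codes AD puts at the front of its diagnostic message (winerror.h).
DC_DATA_CODES = {
    0x052D: "ERROR_PASSWORD_RESTRICTION: new value violates the password policy",
    0x2077: "ERROR_DS_ILLEGAL_MOD_OPERATION: commonly unicodePwd sent without SSL/TLS",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS: bound account may not reset this password",
}


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded UTF-16LE. Any other encoding is itself a reason for result 53."""
    return f'"{password}"'.encode("utf-16-le")


def reset_modify(new_password: str) -> list:
    """Administrative reset: one REPLACE of unicodePwd. This is what a vault
    check-in does; it needs the Reset Password right on the target object and
    does not present the old password."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_modify(old_password: str, new_password: str) -> list:
    """User-initiated change: DELETE the old value and ADD the new one in the
    same modify. Subject to minimum password age, another source of 53."""
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]


def meets_default_complexity(pw: str) -> bool:
    """Approximation of AD's default complexity rule: at least three of the
    four character classes below (the real rule also checks the account name)."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def preflight(port: int, use_ssl: bool, new_password: str,
              min_length: int = 7) -> list[str]:
    """The KB's checks, evaluated before talking to the DC. min_length=7 is the
    default domain policy; a real domain's value is an assumption."""
    problems = []
    if not use_ssl:
        problems.append("SSL not enabled: AD refuses unicodePwd changes over cleartext LDAP")
    elif port != LDAPS_PORT:
        problems.append(f"SSL enabled on port {port}, not the LDAPS default {LDAPS_PORT}; confirm it is intentional")
    if len(new_password) < min_length:
        problems.append(f"password shorter than minimum length {min_length}")
    if not meets_default_complexity(new_password):
        problems.append("password fails the default complexity rule")
    return problems


def explain_dc_message(message: str) -> str:
    """Map the leading 8-hex-digit code of a DC diagnostic string to a cause."""
    m = re.match(r"\s*([0-9A-Fa-f]{8}):", message)
    if not m:
        return "no error-data code in message"
    return DC_DATA_CODES.get(int(m.group(1), 16), f"unmapped code {m.group(1)}")


def reset_password(dc_host: str, proxy_dn: str, proxy_pw: str,
                   target_dn: str, new_password: str) -> tuple:
    """Live reset over LDAPS using the third-party ldap3 library (assumed
    installed). Returns (ok, result) so the caller can log result['description']
    ('unwillingToPerform' for 53) and explain_dc_message(result['message'])."""
    from ldap3 import Server, Connection, Tls, MODIFY_REPLACE  # assumption: ldap3 available
    tls = Tls(validate=ssl.CERT_REQUIRED)  # verify the DC certificate, do not disable checking
    server = Server(dc_host, port=LDAPS_PORT, use_ssl=True, tls=tls)
    with Connection(server, user=proxy_dn, password=proxy_pw, auto_bind=True) as conn:
        changes = {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
        ok = conn.modify(target_dn, changes)
        return ok, dict(conn.result)


if __name__ == "__main__":
    # Constructed inputs: a vault domain still on cleartext 389, and a sample DC reply.
    print(preflight(389, False, "Abcdef1!"))
    print(explain_dc_message("0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"))
```

From a vault, send the reset form rather than the delete/add form: the proxy account then needs only the Reset Password right on the target and the change is not subject to minimum password age. Keep certificate validation on for the LDAPS connection; turning it off to make the port-636 connection succeed trades one error 53 for a man-in-the-middle exposure on every future check-in.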

Cause

Microsoft Active Directory (AD) is denying the LDAP modify request because the request violates requirements enforced by the domain controller: the transport is not encrypted, the new password does not satisfy the password policy, or the binding account lacks the right to reset the password.

Additional Information

For more information from Microsoft on these restrictions, refer to the Microsoft article How to change a Windows Active Directory and LDS user password through LDAP.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

7020983: IDM PassSync Troubleshooting Tool is denied access to registry key.

This document (7020983) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager 4.6
Active Directory Password Synchronization

Situation

Using the PassSync Troubleshooting Tool to check Active Directory Password Synchronization.
This tool is a Windows executable and can be found on the install media in the setup\utilities\PassSyncTroubleshootingTool folder.

When running the Domain Controller Check, the following error is generated:

Error occurred while opening the registry key [SOFTWARE\NOVELL\PWFILTER\DATA]. Access is denied.

This happens even when using the Domain Administrator account.

Resolution

Run regedit, right-click the key
HKLM\SOFTWARE\Novell\PwFilter\Data
and select Permissions.
Select Advanced and add the Administrators group.
Set the Read permission (the check only reads the key; Full Control is not needed).
Make sure the box labeled “Replace all child object permission entries with inheritable permission entries from this object” is checked, so that the subkeys the tool also opens inherit the new entry.

Cause

This registry key is protected by TrustedInstaller. By default its ACL grants Administrators no read permission, so the tool cannot open it even when run by a Domain Administrator.


Event ID 8256 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Windows to UNIX Password Synchronization Service Availability indicates the operational state of the Windows to UNIX password synchronization service and whether it is available to propagate password changes made in the Windows environment to user accounts in the UNIX environment.

When Password Synchronization is configured for Windows-to-UNIX synchronization and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user’s password is to be synchronized to UNIX computers. When the service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Generally, the service is available if it has read and modify permissions in the Windows registry, and if the computer on which Password Synchronization is installed remains an Active Directory® Domain Services domain controller.

Event Details

Product: Windows Identity Management for UNIX
ID: 8256
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_REG_NOTIFY_KEY_CHANGE
Message: Error completing registry key change notification. Error=%1.

Resolve

Restart the Windows-based computer

Very rarely, Password Synchronization reports that an internal application error occurred in the SetNotify function call and that the Windows to UNIX Password Synchronization Service cannot operate normally. Restarting the Windows-based computer on which Password Synchronization is installed typically clears the error.

To restart the computer:

• Click Start, click the arrow next to the Lock button, and then click Restart.

Verify

The Windows to UNIX password synchronization service is functioning normally if none of the following messages appear in Event Viewer. If any of them is logged, the service cannot function normally.

• IDMU Password Synchronization event 16388
• IDMU Password Synchronization event 8194
• IDMU Password Synchronization event 8193

Related Management Information

Windows to UNIX Password Synchronization Service Availability

Identity Management for UNIX

Event ID 8193 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Event Details

Product: Windows Identity Management for UNIX
ID: 8193
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_READING_CONFIG
Message: Failure reading Password Synchronization configuration. %rApply configuration changes again and if the problem persists, verify that Password Synchronization has been configured in accordance with guidance in the Password Synchronization Help.

Resolve

Fix registry error

Password Synchronization encountered an error reading or writing a specific Windows registry key. Open Event Viewer and read the associated error message, which describes the root cause of this error.

Confirm that the computer running Password Synchronization has access permissions to the Windows registry by doing the following:

1. Open the Registry Editor.
   • Click Start, click Run, type regedit in the Open text box, and then click OK.
2. In the hierarchy pane, navigate to the registry key identified by the error message.
3. If the error message does not show the path to the registry key on which the problem occurred, navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Identity Management.
4. With the key highlighted, click Permissions on the Edit menu to open the Permissions for Registry Key dialog box.
5. Verify that the user SYSTEM has Full Control permissions.
6. Click Add to add the SYSTEM user if it is not already listed in the Group or user names list on the Security tab. If needed, assign Full Control permissions to SYSTEM in the Permissions for User list.
7. Click OK. Close the Registry Editor.

Verify

The Windows to UNIX password synchronization service is functioning normally if none of the following messages appear in Event Viewer. If any of them is logged, the service cannot function normally.

• IDMU Password Synchronization event 16388
• IDMU Password Synchronization event 8194
• IDMU Password Synchronization event 8193

Related Management Information

Windows to UNIX Password Synchronization Service Availability

Identity Management for UNIX

Event ID 4096 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Event Details

Product: Windows Identity Management for UNIX
ID: 4096
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_STARTUP_INFO
Message: Password Synchronization service between Windows and UNIX was started.

Resolve

This is a normal condition. No further action is required.

Related Management Information

Windows to UNIX Password Synchronization Service Availability

Identity Management for UNIX

The name %1 cannot be used for registration on Active Directory and DNS. It should fit Windows requirements and cannot be equal to the computer name.

Details
Product: BizTalk Server
Event ID: 7460
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: The name %1 cannot be used for registration on Active Directory and DNS. It should fit Windows requirements and cannot be equal to the computer name.

Explanation
The name supplied for the Active Directory and/or DNS registration does not meet the Windows computer-name requirements, or it duplicates the name of the computer itself.

User Action
Refer to the documentation for the maximum length and legal characters for computer names, and choose a name that differs from the computer name.

BizTalk HTTP receive adapter failed to initialize itself. Possible reasons: 1) Receive location URL is not created/configured correctly; 2) Receive location is not enabled; 3) HTTP receive adapter is not running under a user that has access to management and message databases; 4) Isolated host instance is not created for HTTP Receive adapter.

Details
Product: BizTalk Server
Event ID: 5888
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: BizTalk HTTP receive adapter failed to initialize itself. Possible reasons: 1) Receive location URL is not created/configured correctly; 2) Receive location is not enabled; 3) HTTP receive adapter is not running under a user that has access to management and message databases; 4) Isolated host instance is not created for HTTP Receive adapter.

Explanation

BizTalk Server 2004 HTTP listener failed to initialize.

Possible reasons: Receive location URL is not created or configured correctly. Receive location is not enabled. HTTP listener is not running under a user that has access to the management an

Failed while connecting to the BizTalk management database. Please verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.

Details
Product: BizTalk Server
Event ID: 5458
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: Failed while connecting to the BizTalk management database. Please verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.

Explanation
This event occurs when the NT service fails to connect to the BizTalk Server Management database.

User Action
Verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.
