Symantec IGA

  • 1.  Failed to activate connector type on proxy connector server

    Posted Dec 06, 2024 02:30 PM

    Hi Community.

    We're facing an issue when we try to provision accounts to an AD endpoint. We downloaded and installed the patch to upgrade our CCS from v14.4.2 to v14.5. When we installed it on our CCS (External/Windows) machine, it finished successfully. But when we tested a provisioning task, the connection between IDM and the External CS began to fail with the error shown in the image below:

    :ETA_E_0016<AAC>, Account for Global User 'c799070112' on Active Directory Endpoint 'AD_Produccion' creation failed: :ETA_E_0004<AAC>, Active Dir. Account 'andragag' on 'AD_Produccion' creation failed: Connector Server Add failed: code 53 (UNWILLING_TO_PERFORM): failed to add entry eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@SRCAIDSTRPD02: Failed to activate connector type on proxy connector server: JCS@SRCAIDSTRPD02: Failed to connect to proxy connector server: ldap://localhost:20402 (ldaps://10.208.24.145:20411)

    Additionally, we tested by uninstalling the previous version of our C++ Connector Server (Windows/External), the one to which we applied the patch to upgrade to v14.5, and then we installed the new version of the Connector Server (clean install v14.5), but the result was the same. We're still facing the same error when we try to provision accounts to AD.

    Please help us with this.

    Thanks in advance.



  • 2.  RE: Failed to activate connector type on proxy connector server

    Posted Dec 07, 2024 02:32 PM

    Mauricio,

    First off, are you running the same version of IDM as the CCS Server you patched to? If you are running 14.4.2 IDM and trying to use CCS 14.5, that will be one problem, as there were some updates that will cause a problem. You must stay back on 14.4.2 if that is the version of IDM you are running. Plus there is a CP now on top of that to bring it to 14.5.1. Now, if you are running 14.5 IDM, then there are some questions here:

    1. From PM, can you connect to your endpoint and show content? (i.e. can you see accounts, OUs, etc.)
    2. If so, are you using an account template to provision the account?
    3. Do you have SSL connectivity between your CCS server and AD Servers? (This is required to set passwords)
    4. Are you doing anything with Exchange on prem?
    5. Was this the same error you were getting with the 14.4.2 version of CCS?

    Based off the error you got back, it looks like CCS is trying to do something AD is rejecting. This would be like using a template with some data requirement, like Exchange, and missing the data needed to populate attributes. This error can occur if you are trying to set a password over a non-SSL connection to AD; it will NOT allow that to occur.

    Some more info will help to point you in the right direction, but this definitely seems to be an AD permissions issue.

    Anthony




  • 3.  RE: Failed to activate connector type on proxy connector server

    Posted Dec 13, 2024 02:24 PM
    Edited by Alan Baugher Dec 14, 2024 04:54 AM

    Mauricio,

    Suggest you enable full text logging, so you can capture the data flow in JCS ADS logs and the CCS ADS logs to see the root-cause.

    Install Microsoft Sysinternals Process Explorer tool, and monitor the JCS when it starts, and confirm that it (and only it) starts the CCS service.
    - The JCS must have full knowledge of the CCS cache status, and it will only have that if it is the service that restarts (and stops) the CCS service.
    - If the two (2) services are disjointed via different install packages, you may be experiencing this behavior based on the error message you have shown.

    Here is a view using the MS Sysinternals Process Explorer tool.

    • And using MS PowerShell to count the number of CCS -> ADS connections during testing (bulk and performance).

    • If you have issues with this behavior, then uninstall the JCS package; reboot; install the JCS package with the embedded CCS service cleanly. Confirm that the JCS can stop & start the CCS service. Important: The JCS service is set to "automatic" start. The CCS service is set to "manual" start. Do NOT change this behavior. JCS must start this service to be aware of the CCS cache status.

    A view of the CCS cache.  After it has been populated by the JCS service.

    - You can connect via ldap to this service on TCP 20402.



    Validate the etpki library update has happened, if you are at release 14.5 (or higher). If this is NOT done, then the JCS will not be able to start up the CCS service.

    A) Open administrator command line window for ETPKI install and type:  (these must be executed at the CLI)
       Warning Note:  setup.exe will NOT return any visual response.
     
         setup.exe install caller=IMPSSERVER  veryverbose
         setup.exe install caller=IMPSMANAGER veryverbose
     
    B) To confirm success - open C:\users\XXXXXX\appdata\local\temp\etpki_install.log and confirm status code 0.

         - You may type %TEMP% within a command line window or MS Windows Explorer window to jump to this folder.
         - Also, you may view the MS Registry for the string added with the version for etpki to check the version was updated.
           HKLM\SOFTWARE\WOW6432Node\ComputerAssociates\Shared\CAPKI5\Dependencies\


    ##### #####

    As Anthony mentioned, if you have mixed release versions between different components of the solution stack, you may experience different behavior (etpki encryption libraries & jars in the JCS have been updated between releases).


    Hope this helps with your RCA efforts.


    Cheers,



    ------------------------------
    Alan Baugher
    ANA
    ------------------------------
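
The checks described in the post above, collected into one read-only PowerShell script. This is an added example, not part of the original thread or of any vendor tooling. The two service names are placeholders to replace with the real ones from your host, and the AD ports (389/636) are an assumption; port 20402, the log file name and the registry key are the ones named in the thread.

```powershell
# Added example: read-only checks on a JCS host with the embedded CCS.
# ASSUMPTION: both service names are placeholders; find the real ones with
# Get-Service on the connector server host.
$JcsService = '<JCS-service-name>'
$CcsService = '<CCS-service-name>'
$CcsPort    = 20402      # CCS LDAP port named in the thread
$AdPorts    = 389, 636   # ASSUMPTION: AD endpoint on the standard LDAP/LDAPS ports

# 1. Start modes: JCS automatic, CCS manual (so that only JCS starts CCS).
$expected = @{ $JcsService = 'Auto'; $CcsService = 'Manual' }
$services = foreach ($name in $expected.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Expected  = $expected[$name]
        Ok        = ($svc.StartMode -eq $expected[$name])
        ProcessId = $svc.ProcessId
    }
}
$services | Format-Table -AutoSize

# 2. Is something listening on the CCS port, and is it the CCS process?
$ccsPid   = ($services | Where-Object Name -eq $CcsService).ProcessId
$listener = Get-NetTCPConnection -LocalPort $CcsPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $CcsPort"
} elseif ($listener.OwningProcess -notcontains $ccsPid) {
    Write-Warning "TCP $CcsPort is owned by PID $($listener.OwningProcess -join ','), not the CCS service"
}

# 3. Count established CCS -> AD connections (rerun during bulk tests).
if ($ccsPid) {
    $adConns = @(Get-NetTCPConnection -OwningProcess $ccsPid -State Established -ErrorAction SilentlyContinue |
        Where-Object RemotePort -in $AdPorts)
    "CCS -> AD connections: $($adConns.Count)"
}

# 4. ETPKI install result: show recent status lines for manual review (expect status code 0).
$log = Join-Path $env:TEMP 'etpki_install.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'status' | Select-Object -Last 5
} else {
    Write-Warning "$log not found; was setup.exe run under this user profile?"
}

# 5. Registry key named in the thread: list its values to read the ETPKI version string.
Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\ComputerAssociates\Shared\CAPKI5\Dependencies' -ErrorAction SilentlyContinue
```

Run it from an elevated prompt as the same user who ran the ETPKI setup, since `%TEMP%` is per-user.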