Symantec IGA


Password synchronisation AD -> Prov Store

  • 1.  Password synchronisation AD -> Prov Store

    Posted 05-30-2017 04:09 AM

    Hi,

     

    I have a problem with the password synchronisation agent installed on the AD DC.

     

    When configuring the AD Endpoint, I verified that "Password Synchronisation agent is installed" is checked.

    In addition, I installed the agent on the AD DC and I verified that "eTpropagatePassword" is set to 1.

     

    The network flow is verified too.

    But when I reset a password in the AD, nothing goes to the provisioning server.

    Do you have any idea about that, please?

     

    Remark: C:\Program Files (x86)\CA\eTrust Admin Password Sync Agent\Logs is empty.

    Thanks.

     

    Regards,

    Hassen NASRI



  • 2.  Re: Password synchronisation AD -> Prov Store
    Best Answer

    Broadcom Employee
    Posted 05-30-2017 10:24 AM

    Hassen,

     

    Doc located here:
    https://docops.ca.com/ca-identity-manager/12-6-8/EN/administrating/password-management/synchronizing-passwords-on-endpoints/password-synchronization-on-windows#PasswordSynchronizationonWindows-HowtheEnable/DisablePasswordSyncWorks


    First check that a reboot has been performed post install:
    How the Enable/Disable Password Sync Works
    When the Password SYNC Agent is installed on a Domain Controller, the Agent gets registered in the Domain Controller's Local Security Authority Notification Package in the registry, and the DLL loads on reboot. The Domain Controller is a specific Active Directory machine where the password sync agent is installed. This agent is a DLL, and it acts as a Microsoft password filter that allows CA Identity Manager to run its own code. For example, the Agent calls into CA Identity Manager to change the user's password.


    Then check if the agent is enabled:
    [Main]
    ;; The following parameter allows to enable/disable Password Sync. Agent.
    ;; The default value for the flag is 'yes'.
    ;; pwd_sync_enable=no


    Then check if logging is enabled:
    You may also have logging_enabled=no, change this to yes, and try to reset a password.

     

    Thanks,

    Bill Patton



  • 3.  Re: Password synchronisation AD -> Prov Store

    Posted 05-31-2017 09:37 AM

    Hi,

    Thanks Bill for your reply.

    I verified those parameters and they are already set correctly (value = 1).

    In addition, logging_enabled is enabled but there are no log files ...

    Regards



  • 4.  Re: Password synchronisation AD -> Prov Store

    Broadcom Employee
    Posted 06-01-2017 07:16 AM

    Boulharts,

    That being the case, then it must be that the Domain Controller was not rebooted post install.

    Reboot that domain controller to pick up the psych dll.

    Make sure that the logon server is set to that domain controller (from a Windows cmd prompt, type "set L"; that will show the logon server).

     

         If this does not work, then a support ticket will be required.

     

    Bill
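
The checks suggested in the replies above (filter registration, reboot after install, agent settings, logon server, log directory), collected into one read-only PowerShell script as an added example; it is not from the original posts or from the vendor. `FilterName` and `ConfigPath` are placeholders, because the thread gives neither the DLL name nor the configuration file path.

```powershell
# Added example: read-only checks for a password-filter sync agent on a DC.
param(
    [string]$FilterName = '<agent-filter-dll-name>',      # placeholder: name without .dll
    [string]$ConfigPath = '<path-to-agent-config-file>',  # placeholder: file with the [Main] section
    [string]$LogDir = 'C:\Program Files (x86)\CA\eTrust Admin Password Sync Agent\Logs'
)

# 1. Registration: the LSA loads only the filters named in this REG_MULTI_SZ value.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
"Notification Packages : $($packages -join ', ')"
"Filter registered     : $($packages -contains $FilterName)"

# 2. Reboot: the DLL is loaded at boot, so the last boot must postdate its arrival on disk.
#    Assumes the DLL sits in System32, where Windows expects password filters.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$dll = Join-Path $env:SystemRoot "System32\$FilterName.dll"
if (Test-Path -LiteralPath $dll) {
    $onDisk = (Get-Item -LiteralPath $dll).CreationTime
    "Rebooted since install: $($boot -gt $onDisk) (boot $boot, DLL created $onDisk)"
} else {
    "Filter DLL not found  : $dll"
}

# 3. Agent settings: lines starting with ';' are comments, so a commented-out
#    pwd_sync_enable leaves the documented default of 'yes' in force.
$settings = @{ pwd_sync_enable = 'yes (default)'; logging_enabled = '(not set)' }
if (Test-Path -LiteralPath $ConfigPath) {
    foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        if ($line -match '^\s*(pwd_sync_enable|logging_enabled)\s*=\s*([^;\s]+)') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
}
$settings.GetEnumerator() | ForEach-Object { "{0,-22}: {1}" -f $_.Key, $_.Value }

# 4. Logon server (what "set L" shows) and log directory contents.
"Logon server          : $env:LOGONSERVER (this host: \\$env:COMPUTERNAME)"
if (Test-Path -LiteralPath $LogDir) {
    "Log files present     : $(@(Get-ChildItem -LiteralPath $LogDir -File).Count)"
} else { "Log directory missing : $LogDir" }
```

Run it from an elevated prompt on the domain controller where the agent was installed; it changes nothing on the system.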