Troubleshooting Password Synchronization Issues
Novell Cool Solutions: Feature
Posted: 22 Jul 2004
The following steps cover most of the problems seen in synchronizing passwords in Nsure Identity Manager 2.0 systems.
- In iManager under Password Management, Password Synchronization, search the tree for Drivers, then check the setting for each driver. Make sure that both 'DirXML Accepts Passwords' and 'Application Accepts Passwords' are marked; this allows passwords to flow in both directions.
- In the Password Policy for the user, make sure that the option 'Synchronize Distribution Password when setting Universal Password' is set to true.
- Make sure that users have a Universal Password Policy in place. Remember that a Password policy must be assigned to a user, to a container holding the user, to the root container of the partition holding the user, or to the Login Policy object (this policy affects all users in the tree). A Password policy will not flow down to sub-OUs unless it is located at the root of the partition.
- Make sure that password filters are installed on all Active Directory Domain Controllers. For NT, however, filters should be installed only on the Primary Domain Controller.
- Make sure that the Universal Password is set for users before migrating them to another platform. If this is not done, the user's password will be set as specified in the driver; by default for AD, this means the user's last name.
- Make sure that the Novell Clients are updated to 4.90 SP1a or later; otherwise the client will only set the NDS password, not the Universal one. Also, when installing the Novell client, make sure that the Novell NMAS client is installed on the workstation. This can be verified by checking Add/Remove Programs under the Control Panel to see if the NMAS client is installed. The latest NMAS client can be downloaded from Novell's support site.
- Make sure that the Administrative ID value on the properties of the driver is set to Administrator (or whatever name the administrator user in AD was changed to), for example: Administrator. Do not enter the full name, as in Administrator@mydomain.com. Also make sure that the Authentication context field is blank. Finally, make sure that the Authentication Method value is set to 'negotiate'.
- A user may come across to AD but the account is disabled. This occurs if you create a user in AD without a password, or try to use a password that doesn't conform to the Windows password policy; in either case the user will be locked.
- To obtain a trace that shows a password change occurring, set the DSTRACE level to 5 for the driver. This will never show the password or any password requirements. It will just show that a password change has been processed for a particular user.
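The policy-assignment rule in the list above (user, holding container, partition root, or Login Policy object, with no flow-down from a non-root OU) is the one that most often explains "the user has no Universal Password". The following is an added example, not code from the article or from Novell: a small Python model of that rule that predicts which policy a user would pick up, so a tree layout can be checked before looking in iManager. The dotted DN format, policy names, tree layout and the precedence order (user first, then container, then partition root, then Login Policy, taken from the order in which the article lists them) are all assumptions of this model.

```python
# Added example (not from the article or Novell): a model of the password-policy
# assignment rules described in the troubleshooting list. DN format, policy names
# and tree layout are constructed for illustration.

def parent(dn):
    """Return the parent container of a dotted, typeless DN (constructed format).

    'jsmith.sales.acme' -> 'sales.acme'; the tree root ('acme') has no parent.
    """
    parts = dn.split(".", 1)
    return parts[1] if len(parts) == 2 else None


def effective_policy(user_dn, assignments, partition_roots, login_policy=None):
    """Resolve the password policy that applies to user_dn.

    assignments:     dict mapping an object DN (user or container) -> policy name
    partition_roots: set of container DNs that are partition roots
    login_policy:    policy assigned to the Login Policy object, or None

    Precedence is assumed to follow the article's list order:
    user, holding container, partition root, Login Policy object.
    Returns (policy name or None, where it came from).
    """
    # 1. Policy assigned directly to the user object.
    if user_dn in assignments:
        return assignments[user_dn], "user"

    # 2. Policy on the container that directly holds the user.
    container = parent(user_dn)
    if container is not None and container in assignments:
        return assignments[container], "container"

    # 3. Policy on the root container of the user's partition. Walk upward to
    #    the nearest partition root; policies on intermediate sub-OUs are
    #    skipped because they do not flow down to child OUs.
    node = container
    while node is not None:
        if node in partition_roots:
            if node in assignments:
                return assignments[node], "partition root"
            break  # reached the user's partition root; stop at the boundary
        node = parent(node)

    # 4. Tree-wide fallback: the Login Policy object, if one is assigned.
    if login_policy is not None:
        return login_policy, "login policy"
    return None, "none"


# Constructed sample tree used for the checks below.
SAMPLE_ASSIGNMENTS = {
    "hr.acme": "HR-Policy",             # on the OU that directly holds HR users
    "eng.acme": "Eng-Policy",           # on a partition root
    "sales.acme": "Sales-Policy",       # on a plain OU that is NOT a partition root
    "bob.devs.eng.acme": "Bob-Policy",  # directly on a user
}
SAMPLE_PARTITION_ROOTS = {"acme", "eng.acme"}


def check(user_dn):
    """Convenience wrapper over the constructed sample tree."""
    return effective_policy(user_dn, SAMPLE_ASSIGNMENTS,
                            SAMPLE_PARTITION_ROOTS, login_policy="Default")


if __name__ == "__main__":
    for dn in ("alice.hr.acme", "bob.devs.eng.acme", "carol.devs.eng.acme",
               "eve.team.sales.acme", "dave.ops.acme"):
        print(dn, "->", check(dn))
```

The case worth noting is eve.team.sales.acme: sales.acme carries a policy, but because it is not a partition root the policy does not reach the sub-OU, and the user falls through to the Login Policy object. If no Login Policy is assigned either, the user ends up with no policy at all, which is the situation the checklist item is warning about.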
For details and updates related to this tip, please see TID-10092687.