SecureLogin data not saved in AD
This document (7011616) is provided subject to the disclaimer at the end of this document.
User prompted to set up a passphrase each time SecureLogin is launched. Passphrase not saved.
BROKER_ACCESS_IS_DENIED(-372) error returned after entering credentials when prompted during initial execution of an Application Definition.
Protocom-SSO-Auth-Data attribute shows as “not set” in Users and Computers, properties of the user, “Attribute Editor” tab. Other Protocom-SSO-* attributes exist and have values as expected.
IMPORTANT NOTE: If setting "include inheritable" on a group, use a group other than "Domain Admins" or another protected group. If this setting is made on a protected group, it will be removed by Active Directory within an hour. The Microsoft Technet article at http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx provides a list of protected groups, and in the third paragraph states the following:
...the default behaviour is that inheritance is disabled on these privileged accounts, ensuring that permissions applied at the parent level aren't inherited by the protected objects, regardless of where they reside. Finally, the background process running every 60 minutes identifies manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.
If including inheritable permissions does not resolve the problem, the following might help:
1. Rerun ADSchema.exe and, when prompted for the place to assign rights, point directly to the problem user.
2. Rerun ADSchema.exe on a primary domain controller while logged in as THE Administrator.
3. Delete the user's SecureLogin configuration in the management utility (shown below), then delete the user's local cache as described in "Fix 1" of TID 7006706, and have them start over with SecureLogin. Where to delete the user's SecureLogin configuration:
4. Delete and recreate the user in AD.
Note: The "auth-data" attribute should always be set when a user has been activated for SecureLogin. This attribute is used to encrypt and decrypt SecureLogin data. With "auth-data" not set, SecureLogin would not be able to encrypt or decrypt data, and therefore not be able to read or write to the directory. When passphrases are used the value of this attribute is based on the passphrase; in environments where the passphrase is not used, it is based on the user name.
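As an added diagnostic (not part of this TID or of the SecureLogin product), the following PowerShell function checks one user for the conditions described above: whether Protocom-SSO-Auth-Data and the other Protocom-SSO-* attributes are set, whether inheritance is blocked on the user object, and whether the account is AdminSDHolder-protected (adminCount = 1). It assumes the RSAT ActiveDirectory module is installed; the account name 'jdoe' is a placeholder.

```powershell
# Added diagnostic, not part of TID 7011616. Requires the RSAT ActiveDirectory
# module, which also provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

function Test-SecureLoginUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # -Properties * so every Protocom-SSO-* attribute comes back without
    # hard-coding names beyond Protocom-SSO-Auth-Data, which the TID names.
    $user = Get-ADUser -Identity $SamAccountName -Properties *

    # Attributes with no value are simply absent from PropertyNames; that is
    # the "not set" state seen in the Attribute Editor tab.
    $ssoAttrs = @($user.PropertyNames | Where-Object { $_ -like 'Protocom-SSO-*' } | Sort-Object)

    # Inheritance blocked on the object means rights granted higher in the
    # tree (for example by ADSchema.exe) never reach this user.
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    [pscustomobject]@{
        User                   = $SamAccountName
        AuthDataSet            = [bool]$user.'Protocom-SSO-Auth-Data'
        ProtocomAttrsPresent   = $ssoAttrs
        InheritanceBlocked     = $acl.AreAccessRulesProtected
        # adminCount = 1 marks an AdminSDHolder-protected account: manual ACL
        # changes on it are overwritten by the background process within the hour.
        AdminSDHolderProtected = ($user.adminCount -eq 1)
    }
}

# Usage with a placeholder account name.
$r = Test-SecureLoginUser -SamAccountName 'jdoe'
$r | Format-List
if (-not $r.AuthDataSet) {
    Write-Warning 'Protocom-SSO-Auth-Data not set: SecureLogin cannot encrypt or decrypt this user''s data'
}
if ($r.InheritanceBlocked) {
    Write-Warning 'Inheritance disabled on the user object: enable "include inheritable permissions"'
}
if ($r.AdminSDHolderProtected) {
    Write-Warning 'Account is AdminSDHolder-protected: ACL edits on it will be reverted; use an unprotected group'
}
```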
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011616
- Creation Date:11-JAN-13
- Modified Date:05-DEC-14