Environment
Novell Identity Manager Identity Manager 3.0
Novell Identity Manager Identity Manager 3.5
Novell Identity Manager Password Synchronization
Novell Identity Manager Remote Loader
Situation
When attempting to view or manage Password Synchronization filters
from the Control Panel applet labeled "Identity Manager PassSync",
an error stating "Access Denied" is shown.
Error reading registry(5)
An error was encountered while querying for the status of the filter. (5) Access is denied.
Resolution
Active Directory Driver
A few registry entries must be changed to restore normal
operation to the applet and password synchronization.
In HKLM\Software\Novell\PassSync there is a REG_DWORD value named 'Driver Machine' that is set to 0. On the server running the driver (engine or RL server) this value should be 1.
In HKLM\Software\Novell\PassSync\Data there is a REG_MULTI_SZ value named 'Domains' containing the name of the domain with password synchronization enabled, in DNS format. For example, 'novell.com' (without quotation marks).
In HKLM\Software\Novell\PwFilter there is a REG_MULTI_SZ value named 'Host Names' (without quotation marks). The DNS name of the server running the driver should be entered here. For example, 'domaincontroller0.novell.com' (without quotation marks).
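As an added example (not part of the original Novell document), this read-only PowerShell check reports whether the three registry values described above hold the expected settings, and distinguishes a wrong value from one that cannot be read. The function name, its parameters, and the sample domain and host names are assumptions; substitute your own.

```powershell
# Added example: read-only audit of the three PassSync registry values named above.
# Run in an elevated PowerShell session on the server that hosts the AD driver
# (engine or Remote Loader). Function and parameter names are illustrative.
function Test-PassSyncRegistry {
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,     # e.g. novell.com
        [Parameter(Mandatory)] [string] $DriverHostDnsName  # e.g. domaincontroller0.novell.com
    )

    $checks = @(
        @{ Path = 'HKLM:\Software\Novell\PassSync';      Name = 'Driver Machine'; Expected = 1 },
        @{ Path = 'HKLM:\Software\Novell\PassSync\Data'; Name = 'Domains';        Expected = $DomainDnsName },
        @{ Path = 'HKLM:\Software\Novell\PwFilter';      Name = 'Host Names';     Expected = $DriverHostDnsName }
    )

    foreach ($c in $checks) {
        $actual = $null
        $status = 'OK'
        try {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
            if ($c.Expected -is [int]) {
                if ($actual -ne $c.Expected) { $status = 'MISMATCH' }
            }
            elseif (@($actual) -notcontains $c.Expected) {
                # REG_MULTI_SZ comes back as a string array; -notcontains is case-insensitive.
                $status = 'MISMATCH'
            }
        }
        catch {
            # A missing key or value and insufficient rights both land here.
            $status = "UNREADABLE: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = @($actual) -join ', '
            Status   = $status
        }
    }
}

Test-PassSyncRegistry -DomainDnsName 'novell.com' -DriverHostDnsName 'domaincontroller0.novell.com' |
    Format-Table -AutoSize
```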
Similar NT Driver Issue:
This error was seen on the NT Controller running IDM 3.5 as
well. The Password Filter was NOT picking up passwords and
placing them into the registry. Downgrading the
PWFILTER.DLL and PASSSYNCCONFIG.CPL to the versions that shipped
with IDM 3.01 resolved the issue. The error was no longer
received and it started capturing passwords.
Additional Information
This happens when the Identity Manager (IDM) documentation is not
followed properly, primarily when adding a password synchronization
filter to the Domain Controller (DC) running the IDM Active
Directory (AD) driver, whether it is an engine or Remote Loader (RL)
server. After going into the Password Synchronization applet
and selecting the domain, the administrator can click 'Filters'
to see a list of all DCs in the domain. Selecting the server
with the driver and clicking 'Properties' brings up a new dialog
box that lets the driver be configured as if the box did not hold
the driver. The applet assumes that the selected server does not
hold the driver, because this is the wrong way to configure the
driver server. As a result, a few registry entries are changed,
which changes the code path followed the next time the applet is
loaded and leads to the Access Denied error.
Or it could occur if you are moving the Remote Loader from one server to another.