Environment
Novell Identity Manager 3.5.1
Novell Identity Manager 3.5.1 GroupWise Driver shim running on Windows
GroupWise 8 system running on NetWare 6.5
Situation
GroupWise Driver startup fails with one of the stacks shown below:
Stack 1:
at com.novell.gw.directory.GwInitialContextFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.novell.gw.dirxml.driver.common.GWengine.initGroupWise(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.init(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.execute(Unknown Source)
at com.novell.gw.dirxml.driver.gw.GWdriverShim.init(Unknown Source)
at com.novell.nds.dirxml.remote.loader.Driver.startDriver(Driver.java:361)
at com.novell.nds.dirxml.remote.loader.Driver.driverStart(Driver.java:90)
at com.novell.nds.dirxml.remote.loader.RemoteLoader.run(RemoteLoader.java:950)
at java.lang.Thread.run(Thread.java:595)
Stack 2:
javax.naming.ServiceUnavailableException
at com.novell.gw.directory.GwInitialContextFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.novell.gw.dirxml.driver.common.GWengine.initGroupWise(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.init(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.execute(Unknown Source)
at com.novell.gw.dirxml.driver.gw.GWdriverShim.init(Unknown Source)
at com.novell.nds.dirxml.remote.loader.Driver.startDriver(Driver.java:361)
at com.novell.nds.dirxml.remote.loader.Driver.driverStart(Driver.java:90)
at com.novell.nds.dirxml.remote.loader.RemoteLoader.run(RemoteLoader.java:950)
at java.lang.Thread.run(Thread.java:595)
Stack 3:
javax.naming.AuthenticationException: Authentication to \\10.0.0.10\sys\gwdo failed. Logon failure: the user has not been granted the requested logon type at this computer.
at com.novell.gw.directory.GwInitialContextFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.novell.gw.dirxml.driver.common.GWengine.initGroupWise(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.init(Unknown Source)
at com.novell.gw.dirxml.driver.common.GWengine.execute(Unknown Source)
at com.novell.gw.dirxml.driver.gw.GWdriverShim.init(Unknown Source)
at com.novell.nds.dirxml.remote.loader.Driver.startDriver(Driver.java:361)
at com.novell.nds.dirxml.remote.loader.Driver.driverStart(Driver.java:90)
at com.novell.nds.dirxml.remote.loader.RemoteLoader.run(RemoteLoader.java:950)
at java.lang.Thread.run(Thread.java:595)
Resolution
The errors above can have several different causes. The root cause usually comes down to a rights issue in one of several locations.
Before troubleshooting, there are two prerequisites that should be met. The Windows server that the shim runs on requires the Novell Client (4.9.1 or later) and Microsoft's Visual C++ redistributable, version 2005 SP1 or later.
The GroupWise driver shim that ships with IDM 3.5.1 does not support GroupWise 8, so the latest GroupWise driver patch needs to be applied before performing any troubleshooting.
To fix this issue, follow each of the steps below, in order, and test the driver after each change.
01) Make sure there is a local Windows user, on the server where the GroupWise Driver shim is running, with the same name as the eDirectory user set in the driver's "Authentication ID" field. Make sure both users have exactly the same password. NOTE: a local Windows user is not an AD domain user; do not mix the two!
02) Make sure that the local Windows user can log on as a service.
02.1) If the Windows 2003 server is a stand-alone server: to check or grant the right, go to Start > Administrative Tools > Local Security Policy. In the tool that opens, go to Security Settings > Local Policies > User Rights Assignment and check the "Log on as a service" policy. If the user is not listed there, edit the policy and add the user to it.
02.2) If the Windows 2003 server is a DC (Domain Controller): to check or grant the right, go to Start > Administrative Tools > Domain Security Policy. In the tool that opens, go to Security Settings > Local Policies > User Rights Assignment and check the "Log on as a service" policy. If the user is not listed there, edit the policy and add the user to it.
03) Check whether the local Windows user is a member of the local Administrators group. To check or grant the membership, go to Start > Administrative Tools > Computer Management. In the tool that opens, go to Computer Management (Local) > Local Users and Groups > Groups, then right-click the 'Administrators' group and check whether your user is a member. If not, click the Add button and add the user there.
04) Log on to the NetWare server from the Windows server's Novell Client with the same eDirectory user listed in the "Authentication ID" field of the GroupWise driver. If the authentication fails, troubleshoot the problem and fix its root cause.
05) After logging on to eDirectory, go to Start > Run, then type the UNC path to your GroupWise primary domain directory. For example: \\10.0.0.10\sys\gwdo, where 10.0.0.10 is the IP address of the NetWare server (names can be used if DNS is working properly in your environment), sys is the volume on the NetWare server and gwdo is the directory where the GroupWise domain's wpdomain.db file resides. An Explorer window should open showing the contents of that directory. If it doesn't, troubleshoot and fix the issue, then test again.
06) Make sure the eDirectory user used in the "Authentication ID" field of the GroupWise driver has rights to read, write and create files in the directory where your GroupWise primary domain resides, as well as its sub-directories.
07) Make sure the eDirectory user used in the "Authentication ID" field of the GroupWise driver has Supervisor rights to your GroupWise Objects in eDirectory.
08) Each GroupWise driver shim ships with a set of GroupWise system files. Make sure you are using the files provided with the shim instead of files provided with the GroupWise software. Those files reside either under the directory where your Remote Loader was installed (if the driver is using the Remote Loader) or under the directory where your eDirectory files were installed (if the driver is not using the Remote Loader).
09) Find the file gwenv1.dll used by the driver shim. It will be either under the directory where your Remote Loader was installed (if the driver is using the Remote Loader) or under the directory where your eDirectory files were installed (if the driver is not using the Remote Loader). Right-click that file, select 'Properties' and go to the Version tab. Select the "File version" item and take note of its value.
10) Make sure that the setting "Lock Out Older GroupWise Administration Snapins" in your GroupWise primary domain is either unchecked or has a value that is less than or equal to the "File version" noted in step 09. To access that property, use ConsoleOne with the GroupWise snap-ins, connect to your primary GroupWise domain, then click on your tree's name. Then from the menu bar select: Tools > GroupWise System Operations > System Preferences. In the window that opens, click on Admin Lockout Settings.
At this point your GW driver should be working and connecting to the GroupWise domain, or at least the error message/Java stack should have changed.
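The checks in steps 01 to 03, 05 and 09 can also be read from a PowerShell prompt on the shim server. The script below is an added example, not part of the original article or of Novell's tooling; it changes nothing on the system. The user name gwdriver and the directory C:\Novell\RemoteLoader are assumptions to replace with your own values, and the UNC path is the example from step 05. The password match (step 01), the eDirectory rights (steps 06 and 07) and the lockout setting (step 10) still have to be checked by hand.

```powershell
# Added example: read-only checks for steps 01-03, 05 and 09. Run from an elevated
# prompt (secedit /export needs administrator rights) after the step 04 eDirectory login.
param(
    [string]$User       = 'gwdriver',               # hypothetical: Authentication ID user name
    [string]$DomainPath = '\\10.0.0.10\sys\gwdo',   # example UNC path from step 05
    [string]$ShimDir    = 'C:\Novell\RemoteLoader'  # hypothetical: directory holding gwenv1.dll
)

function Test-ServiceLogonRight([string]$Account) {
    # Step 02: export the user-rights assignments and read the SeServiceLogonRight line.
    $inf = Join-Path $env:TEMP 'gw-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # Entries are account names or SIDs prefixed with '*'; compare against both forms.
    # Only a direct grant is detected, not one inherited through a listed group.
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # the account name does not resolve
    return ($entries -contains "*$sid") -or ($entries -contains $Account)
}

# Step 01: the local account exists (its password cannot be compared from here).
net user $User 2>$null | Out-Null
$userExists = ($LASTEXITCODE -eq 0)

# Step 03: the account is listed directly in the local Administrators group.
$isAdmin = [bool](net localgroup Administrators | Where-Object { $_.Trim() -ieq $User })

# Step 05: the domain directory is reachable and holds wpdomain.db.
$domainOk = Test-Path "$DomainPath\wpdomain.db"

# Step 09: file version of the shim's gwenv1.dll, for the comparison in step 10.
$dll = Join-Path $ShimDir 'gwenv1.dll'
$dllVersion = 'gwenv1.dll not found'
if (Test-Path $dll) { $dllVersion = (Get-Item $dll).VersionInfo.FileVersion }

'{0,-42} {1}' -f 'Step 01 local user exists:', $userExists
'{0,-42} {1}' -f 'Step 02 "Log on as a service" granted:', (Test-ServiceLogonRight $User)
'{0,-42} {1}' -f 'Step 03 member of Administrators:', $isAdmin
'{0,-42} {1}' -f 'Step 05 wpdomain.db reachable:', $domainOk
'{0,-42} {1}' -f 'Step 09 gwenv1.dll file version:', $dllVersion
```

A False on the step 02 line corresponds to the "has not been granted the requested logon type" message in Stack 3.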