IDM AD Password sync fails after updating password filter.

  • 7024669
  • 04-Jun-2020
  • 11-Sep-2021

Environment

Identity Manager 4.7
Identity Manager 4.5

Situation

The customer has two IDM environments where passwords are synced from a single Active Directory domain.
Both IDM instances were IDM version 4.5.

After upgrading one environment to IDM 4.7, including the Remote Loader and password filter, AD password sync worked to the IDM 4.7 instance but no longer worked to the IDM 4.5 instance. The following error was seen in the IDM 4.5 remote loader AD driver trace.

DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD] PwdCrypt::DecryptObjectPassword() obtained handle successfully
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD] PwdCrypt::DecryptObjectPassword() returned 0x8009000A
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] GetPasswordInformation() - close the cache entry.
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::GetPasswordInformation() returned 0x8009000A
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::FreeSyncData()
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::FreeSyncData() returned.
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] GetPwdInfo() - an error occurred ... freeing the allocated memory.
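As an added example (not from this article or the product), a small Python detector that parses Remote Loader AD driver trace lines in the format quoted above and flags PwdCrypt::DecryptObjectPassword() calls that return a non-zero CryptoAPI HRESULT. The sample trace is the one above plus one constructed healthy line; the label for 0x8009000A comes from winerror.h.

```python
import re

# Constructed sample: the trace lines quoted in this article, plus one
# constructed healthy decrypt line so the parser shows a non-failing case.
SAMPLE_TRACE = """\
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD] PwdCrypt::DecryptObjectPassword() obtained handle successfully
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD] PwdCrypt::DecryptObjectPassword() returned 0x8009000A
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] GetPasswordInformation() - close the cache entry.
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::GetPasswordInformation() returned 0x8009000A
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::FreeSyncData()
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] PassSyncCache::FreeSyncData() returned.
DirXML: [06/04/20 14:02:56.36]: ADDriver: [PWD 4664] GetPwdInfo() - an error occurred ... freeing the allocated memory.
DirXML: [06/04/20 14:03:10.12]: ADDriver: [PWD] PwdCrypt::DecryptObjectPassword() returned 0x00000000
"""

# One trace line: timestamp, [PWD] or [PWD <thread>] tag, function name, rest of message.
LINE_RE = re.compile(
    r"^DirXML: \[(?P<ts>[^\]]+)\]: ADDriver: \[PWD(?: (?P<thread>\d+))?\] "
    r"(?P<func>[\w:]+)\(\)(?P<rest>.*)$"
)
RET_RE = re.compile(r"returned 0x(?P<code>[0-9A-Fa-f]{8})")

# CryptoAPI HRESULT seen in this article, named as in winerror.h.
CRYPT_ERRORS = {0x8009000A: "NTE_BAD_TYPE (invalid type specified)"}


def parse_trace(text):
    """Yield (timestamp, thread, function, return_code or None) for each PWD trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = RET_RE.search(m.group("rest"))
        code = int(r.group("code"), 16) if r else None
        yield m.group("ts"), m.group("thread"), m.group("func"), code


def decrypt_failures(text):
    """Return failing DecryptObjectPassword() calls as (timestamp, code, label) tuples."""
    out = []
    for ts, _thread, func, code in parse_trace(text):
        if func == "PwdCrypt::DecryptObjectPassword" and code not in (None, 0):
            out.append((ts, code, CRYPT_ERRORS.get(code, "unknown CryptoAPI error")))
    return out


if __name__ == "__main__":
    for ts, code, label in decrypt_failures(SAMPLE_TRACE):
        print(f"{ts}: decrypt failed 0x{code:08X} {label}; check pwFilter vs AD driver version")
```

Run it against a real Remote Loader trace file instead of SAMPLE_TRACE to check whether every failed password event carries the same HRESULT, which is the pattern this article associates with a pwFilter/AD driver version mismatch.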


The Remote Loader and the pwFilter used by the IDM 4.5 instance were also upgraded to IDM 4.7, but the problem persisted.

Resolution

The pwFilter used by IDM AD password sync must be compatible with the version of the AD driver it feeds.
In this case, the IDM 4.5 Remote Loader had previously been upgraded from IDM 4.02, but the AD driver had never been upgraded from version 4.0.0.0.
The current version of the AD driver for IDM 4.5 is version 4.0.3.
Applying that AD driver patch to the IDM 4.5 Remote Loader resolved the problem.

Cause

Version incompatibility between the pwFilter and the AD driver.