
Issue saving DGE service account in manager 7.1.2

Hey Folks,

So I have installed the DGE bits and configured my AD Accounts as the data governance administrators. The Data Governance views in manager render the managed hosts as expected. 

 

The next step however (keep me honest here) is to add the service account, and start installing agents on hosts. The problem I am having is that when I attempt to set the service account in our domain, I am getting a bad password error.

I have quadruple checked the password and I know that it is good.

This is the error:

 

[1025012] Object (QDGE-Service-User) could not be saved!
[810306] Error during execution of 'OnSaving' in logic module 'QAMServiceAccount'.
	at VI.DB.Entities.EntitySingleDbObject.<>c__DisplayClass36_0.<<Save>b__0>d.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.EventUnitOfWork.<PutAsync>d__2.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.PermissionsUnitOfWork.<PutAsync>d__10.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.EventUnitOfWork.<PutAsync>d__2.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.UnitOfWorkImpl.<PutAsync>d__37.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.DbEntitySink.<PutAsync>d__15.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.InteractiveSaveEntityStrategy.<OnSavingAsync>d__3.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.CombinedEntityLogic.<_CollectChangesAsync>d__28.MoveNext()
Quest.Titan.Common.Exceptions.ExternalException: System.ComponentModel.Win32Exception: The user name or password is incorrect
	at VI.DB.Entities.CombinedEntityLogic.<_CollectChangesAsync>d__28.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Customizer.<VI-DB-Entities-IEntityLogic-OnSavingAsync>d__71.MoveNext()
	at VI.DB.Customizer._CollectEvents(IEntity entity, Action action)
	at Quest.Titan.Client.Q1IM.Customizer.QAMServiceAccount.OnSaving()

 

What am I missing here? I was following your video tutorials as I was configuring this so perhaps I missed a step.

Would be nice to demonstrate what is possible here with my colleagues but I can't get past this one thing.

  • A couple of notes:
     
    • I have tried logging into manager with employee role based, AD Role based, and system account based
      • I do not have a system account mapped to my person record however, could that be an issue?

    • Logged into the management server with my domain admin account

    • This domain admin account is linked to my person record.

    • My person record has all of the administrator roles, including the Data Governance Administrator role.
       
    • This is also being installed with an existing Identity Manager Instance (same version)

Any insights would be most welcome.

 

Thanks!

  • Hello,

    - Are you able to log into the machine hosting the DGE service using those same credentials? (if you can't, then that would definitely be a problem).
    - What account is the DGE service running as (LocalSystem or as a service account)?
    - Is there anything in the DGE service log? If you enable DEBUG logs, is there anything else? To turn on DEBUG logging on the server, try the following:
    1. Locate the Dell.DataGovernanceEdition.Service.exe.config file in the Data Governance service installation directory.
    2. Open the configuration file and edit the following setting:
    <rules>
    <logger name="*" minlevel="INFO" writeTo="logfile">
    3. Change INFO to DEBUG to get detailed logging.
    4. Save the file.

    - What about trying the DGE PowerShell command Add-QServiceAccount instead of going through the Manager:
    support.oneidentity.com/.../32

    Having a system account mapped to your person record should not matter. As long as the account that you are logged into the computer as (in your case, domain admin), is associated with a Person object that has the DGE roles, you should be good.

    In the meantime, I'll consult with the team to see if they have any other suggestions.

    Matt
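
Steps 1 to 4 of the reply above as a script. This is an added example, not part of the original reply and not One Identity code. It keeps a one-time backup of the config file and switches the catch-all `logger` rule between INFO and DEBUG. The function name `Set-DgeLogLevel` and its `-ConfigPath` parameter are hypothetical; supply the path to `Dell.DataGovernanceEdition.Service.exe.config` in your own installation directory.

```powershell
# Added example: hypothetical helper, not shipped with DGE.
function Set-DgeLogLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [ValidateSet('INFO', 'DEBUG')] [string] $Level = 'DEBUG'
    )

    $resolved = (Resolve-Path -LiteralPath $ConfigPath).Path

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout intact
    $xml.Load($resolved)

    # local-name() matches the elements whether or not the logging
    # section declares an XML namespace.
    $xpath   = "//*[local-name()='rules']/*[local-name()='logger'][@name='*'][@minlevel]"
    $loggers = $xml.SelectNodes($xpath)
    if ($loggers.Count -eq 0) {
        throw "No <logger name='*' minlevel='...'> rule found in $resolved"
    }

    if ($PSCmdlet.ShouldProcess($resolved, "set minlevel to $Level")) {
        # Back up once, so the original INFO configuration is never overwritten.
        $backup = "$resolved.bak"
        if (-not (Test-Path -LiteralPath $backup)) {
            Copy-Item -LiteralPath $resolved -Destination $backup
        }
        foreach ($logger in $loggers) {
            $logger.SetAttribute('minlevel', $Level)
        }
        $xml.Save($resolved)
    }
}

# Usage (the path is a placeholder for your installation directory):
# Set-DgeLogLevel -ConfigPath '<DGE service dir>\Dell.DataGovernanceEdition.Service.exe.config' -Level DEBUG
# Set-DgeLogLevel -ConfigPath '<DGE service dir>\Dell.DataGovernanceEdition.Service.exe.config' -Level INFO
```

Run it with `-WhatIf` first to confirm the rule is found without changing the file.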
  • Hey Matt,

    Appreciate the input. I was actually following along with your video when configuring this one.

    I am looking now and will get back to you with some more intel.

    Thanks!
  • Hey Matt,

    So this issue turned out to be an issue with the encryption configuration on the DGE server. Since I am encrypting my database with the RSA key, the DGE service was not sending the correct password to the directory.

    While the OneIdentity service that runs on the same server had the encryption key properly assigned, the DGE service had no way to reconcile it. I was wondering how it was going to understand the encrypted data and assumed that it was pulling this from the DGE wizard. Well clearly I was wrong about that.

    So to get this working I (on the DGE server):

    • Copied the RSA key file to the system32 directory (I tried using the path to the file on the server to no avail. Maybe it needed a UNC path, but I just opted for copying to the System32 directory.).

     

    • Then, I ran the following:
       
      • Set-QEncryptionOptions -File OIM.key

     

    • After which I set the service account via the PowerShell cmdlet:

      • Add-QServiceAccount -AccountDomain "LAB.COM" -AccountName "US-QDGE-LAB-APP" -Password 'PASSWORDHERE'
        The account has been added as a service account.
        
        
        ServiceAccountId          : 0644F3A3-C4BC-4B00-B38D-##########
        AccountSid                : S-1-5-21-########################
        UserDomainName            : LAB
        UserName                  : US-QDGE-LAB-APP
        UserPrincipalName         : US-QDGE-LAB-APP@lab.com
        Description               : 
        IsDefaultObjectResolution : False
        StatusDetailMessage       : 
        Status                    : OK
        CanManageDomains          : True
        ServiceAccountName        : LAB\US-QDGE-LAB-APP

    BOOM...

     

    After that it was smooth sailing.

     

    Thanks again for all of your help. Hopefully this helps someone else as well.
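
The fix from the post above with two hardening steps, as an added example (not the poster's or One Identity's script). A file copied into System32 inherits that directory's permissions, which by default let ordinary users read it, so the script restricts the key file's ACL, and it prompts for the service-account password instead of typing it into the command line. Only `Set-QEncryptionOptions -File` and `Add-QServiceAccount -AccountDomain/-AccountName/-Password` come from the thread. Assumptions: an elevated session on the DGE server with the DGE cmdlets available, the DGE service running as LocalSystem (grant its service account read access instead if it does not), and `-Password` taking a plain string as shown in the post.

```powershell
# Added example. Key file name and location are the ones used in the post.
$keyFile = Join-Path $env:SystemRoot 'System32\OIM.key'
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file not found: $keyFile"
}

# Drop inherited ACEs and grant access by well-known SID:
#   S-1-5-18     = LocalSystem    (read)
#   S-1-5-32-544 = Administrators (full control)
icacls $keyFile /inheritance:r /grant:r '*S-1-5-18:(R)' '*S-1-5-32-544:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed on $keyFile (exit code $LASTEXITCODE)"
}
icacls $keyFile          # print the resulting ACL for review

# Point the DGE service at the RSA key, as in the post.
Set-QEncryptionOptions -File OIM.key

# Prompt for the password so it does not end up in the console history.
$secure = Read-Host -Prompt 'Password for LAB\US-QDGE-LAB-APP' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    Add-QServiceAccount -AccountDomain 'LAB.COM' -AccountName 'US-QDGE-LAB-APP' -Password $plain
}
finally {
    # Do not leave the password in session variables.
    Remove-Variable -Name plain, secure -ErrorAction SilentlyContinue
}
```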