
Initial domain sync fails for DC in untrusted domain

Hola,


Ok, so I have AD sync working fine from our integrated domain, but when adding a domain where there is no trust, I am having issues getting the sync to work.

Couple of notes:

  • I am able to configure the connection in the Sync editor and browse the schema
  • When configuring the Job service for the domain controller in the DMZLAB domain, I am using SQL credentials that have the appropriate perms to the OIM SQL server instance in the LAB domain.
    • Assuming that I have to use a SQL Server cred, with this being a domain without a trust to the domain where the OIM DB is installed.
  • I can see the server in the JobQueue editor and get the configuration version and refresh the time, etc...
  • SQL Server is listening on TCP/IP and Named Pipes, etc.
  • Not that it should matter, but all of the appropriate SPNs are defined in the directory in the source domain for the SQL instance.

  • The DMZLAB job server is configured with Machine Roles: (Active Directory and Job Server)
  • The DMZLAB Job server is configured with Server Functions: (Active Directory Connector)

So generally, it appears that all is good with this DMZLAB job server, but when I trigger the initial sync, the Full Projection process kicks off, and after several seconds I get the following error in the DMZLAB server log:

2017-10-06 10:05:31 -04:00 - \DMZLABDCL01 - VI.Projector.JobComponent.ProjectorComponent - 533e6817-ffaf-4699-8a16-181671acbd7e: Errors occured
    [2134003] Error executing synchronization.
    [810143] Database error 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    [System.Data.SqlClient.SqlException] Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
       at StdioProcessor.StdioProcessor._Execute(Job job)
       at VI.Projector.JobComponent.ProjectorComponent.Activate(String task)
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       ---- Start of Inner Exception ----
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       at VI.Projector.JobComponent.ProjectorComponent.get_Session()
       at VI.JobService.JobComponents.DbJobComponent.get_ConnectData()
       at VI.JobService.JobComponents.DbJobComponent._ConnectToDatabase()
       at VI.Base.SyncActions.Do[T](Func`1 function)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       ---- Start of Inner Exception ----
       at VI.DB.DbApp.<ConnectAsync>d__5.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.Base.TaskExtensions.<Convert>d__1`2.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbSessionFactoryImpl.<CreateAsync>d__3.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<CreateAsync>d__9.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<GetAsync>d__27.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<_CreateNewBucketAsync>d__30.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<CreateAsync>d__11.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<TryInitializeAsync>d__15.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbFactoryBase.<_CreateAndOpenConnectionAsync>d__13.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalMsSqlConnection.<OpenAsync>d__17.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       ---- Start of Inner Exception ----
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Threading.Tasks.Task.Execute()
       at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
       at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass0.<TryGetConnection>b__2(Task`1 _)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
2017-10-06 10:07:00 -04:00 - Info: Requesting process steps for queue \DMZLABDCL01.
2017-10-06 10:07:00 -04:00 - Info: Last process step request succeeded.

I have also gone directly to the local server instance and reconfigured the Job service editor with the SQL connection with the local account just in case the push from designer was setting it with an integrated connection even after specifying that I want to use a SQL account.

As always, I am assuming that I am missing something here and that you guys can straighten me out. This is an important use case for us and I plan to work this through the weekend so if I can get any insights from you guys that would be terrific.

Much appreciated!
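The log above says the job server still presented a Windows (integrated) login to SQL Server even though a SQL login was configured, and SQL Server refused it because the caller's domain is not trusted. As an added diagnostic aid (not part of the original post and not One Identity Manager code), the following Python script checks which authentication mode a SQL Server connection string actually requests and scans a job-server log excerpt for SQL error numbers, so the two can be compared. The log excerpt, the `SQL_LOGIN_ERRORS` table and the connection strings are constructed for the example; the error numbers 18452 and 18456 are real SQL Server login error codes, and the connection-string keys are the standard SqlClient ones.

```python
"""Compare the auth mode a connection string requests with the SQL login
error a job-server log reports. Constructed example, not project code."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the job-server log in the post.
SAMPLE_LOG = """\
2017-10-06 10:05:31 -04:00 - \\DMZLABDCL01 - VI.Projector.JobComponent.ProjectorComponent - 533e6817-ffaf-4699-8a16-181671acbd7e: Errors occured
    [2134003] Error executing synchronization.
    [810143] Database error 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
2017-10-06 10:07:00 -04:00 - Info: Requesting process steps for queue \\DMZLABDCL01.
"""

# Real SQL Server login error numbers, with the meaning relevant to this thread.
SQL_LOGIN_ERRORS: Dict[int, str] = {
    18452: "Windows authentication attempted from a domain SQL Server does not trust",
    18456: "login rejected (unknown login, wrong password, or login disabled)",
}

# Matches the "[810143] Database error 18452: ..." form seen in the log.
_DB_ERROR_RE = re.compile(r"Database error (\d+):")


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for piece in cs.split(";"):
        if "=" not in piece:
            continue
        key, value = piece.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def auth_mode(cs: str) -> str:
    """Return 'integrated', 'sql' or 'unspecified' for a SqlClient connection string.

    Integrated Security=SSPI/true or Trusted_Connection=yes means Windows auth;
    a User ID/UID without those flags means SQL Server authentication.
    """
    parts = parse_connection_string(cs)
    for key in ("integrated security", "trusted_connection"):
        if parts.get(key, "").lower() in ("true", "sspi", "yes"):
            return "integrated"
    if "user id" in parts or "uid" in parts:
        return "sql"
    return "unspecified"


def db_error_codes(log: str) -> List[int]:
    """Extract every SQL Server error number reported as 'Database error N:'."""
    return [int(code) for code in _DB_ERROR_RE.findall(log)]


def diagnose(cs: str, log: str) -> str:
    """Explain a login failure by combining the requested auth mode with the logged error."""
    codes = db_error_codes(log)
    mode = auth_mode(cs)
    if 18452 in codes:
        if mode == "integrated":
            return ("mismatch: connection string requests Windows authentication, "
                    "but SQL Server rejects Windows logins from an untrusted domain; "
                    "use a SQL Server login instead")
        # The configured string asks for SQL auth, yet the server still saw a
        # Windows login: the running service is not using this configuration.
        return ("configured string uses SQL authentication, but the server still "
                "received a Windows login; verify the configuration the job "
                "service process actually loads")
    for code in codes:
        if code in SQL_LOGIN_ERRORS:
            return f"SQL error {code}: {SQL_LOGIN_ERRORS[code]}"
    return "no SQL login error found in log"


if __name__ == "__main__":
    # Constructed connection strings for illustration.
    integrated = "Data Source=labsql;Initial Catalog=OIM;Integrated Security=SSPI"
    sql_login = "Data Source=labsql;Initial Catalog=OIM;User ID=oimjob;Password=example"
    print(auth_mode(integrated), "->", diagnose(integrated, SAMPLE_LOG))
    print(auth_mode(sql_login), "->", diagnose(sql_login, SAMPLE_LOG))
```

Running this against the actual connection string the job service loads (rather than the one set in Designer) is the quickest way to tell whether the error is a trust problem or a case of the service still reading an older, integrated-auth configuration.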

  • Sorry. Never seen before. But a SAMAccountName with spaces in the directory looks weird to me. Did you check the properties in the directory with ADSIEdit or LDP?
  • Hey Markus,

    Unfortunately it is possible to have spaces in a SAMAccountName and they have been around in this place for a long time. That does not seem to be the main factor however as there are other affected groups that do not have a space in the SAMAccountName.

    Oddly enough, the same group exists in the LAB domain, yet it does not show up in the database the same way. And other than the root of "DC=DMZLAB, DC=COM" vs the non DMZ counterpart, the DNs are identical.

    It is also not all of the groups, only around 73 of them are affected.

    All of the other groups seem to be ok (also with spaces in the names).

    I don't have anything happening for groups in the templates either or I would suspect something funky was happening there.

    I will keep looking, but if you guys have any ideas I am all ears.

    For now I will attempt to manually correct the attribute in the object browser and see if they revert on the next sync.


    Thanks again.

  • Oh, and to answer your question I checked the attribute in ADSIEdit as well. :)
  • Ok,

    So I went and made the changes to the group objects in the Object browser which updated the directory object sAMAccountName.

    From a directory perspective the sAMAccountName remained the same although the object was updated (Supported by interrogating the USN).

    After writing the correct value from OIM into the directory via the object layer (Object browser), subsequent sync jobs executed as expected.

    This is true even after deleting the DB records outside of the object layer and importing again.

    What I can derive from this is that I perhaps goofed something up on the initial object creation from my production DMZ domain to the DMZLAB domain. What exactly I am not 100% certain, but it seems like perhaps the encoding was off or something with the text for that attribute.

    Anyhoo, Thanks again :)
  • Glad it is working now. So I googled and found that spaces are indeed allowed. Nothing new to learn every day.

    But still, spaces in account names are ugly :-)