
Installed PCA on AD as per the PCA guide. We have provided all required permissions but are still receiving an error in the log for password change.

Hi All,

We have installed PCA on AD as per the PCA guide. We have provided all required permissions but are still receiving an error in the log for password change.

From WebService-Script:
Certificate to decrypt was found, but the current user does not have enough permissions to read the private key.
..

Please suggest a quick resolution.

One IM 8.0, AD server 2012.

  • There is a guide available in the knowledge base on the support portal.

    https://support.oneidentity.com/identity-manager/kb/189367/pca-private-key-decryption-warning-when-changing-user-password

    In Step 6, SOAP web service can be replaced with Application Server because I assume that you are connecting to the REST API instead of SOAP.

  • We are connecting to SOAP services. Do you want me to connect with the REST API?
  • So this is an updated environment and you are not using the PCA delivered with version 8 as this one only supports the connection to the AppServer / REST API. In regards to the SOAP service it's your choice but remember that the SOAP Service is deprecated and might be subject to removal in a future version.
  • It's a new environment, but we have enabled SOAP services; we can enable REST also. We are using the PCA delivered with version 8 only.
  • If this is a completely new installation I suggest connecting the PCA to an Application Server (REST API) to be future proof.
  • Hi Markus,

    Thanks for the information. We can use it, but what will be the REST URL for PCA? Will it be like https://<Hostname>/AppServer, or do we need to add a specific URI like for the SOAP services?
  • Should be the normal AppServer URI.
  • Hi Markus,

    We have updated the AppServer URL in the AD registry and now we are getting the below error continuously.


    System-Code: -1 (0xFFFFFFFF)
    Job failed:
    Job Id='2018.04.27 09:50:13.750' User='XXXX' failed:
    Within Service: Exception caught within call 'PasswordChangeNotify()':
    System.ServiceModel.ProtocolException: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were: '<!DOCTYPE html>
    <html>
    <head>
    <title>Runtime Error</title>
    <meta name="viewport" content="width=device-width" />
    <style>
    body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
    p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
    b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
    H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
    H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
    pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
    .marker {font-weight: bold; color: black;text-decoration: none;}
    .version {color: gray;}
    .error {margin-bottom: 10px;}
    .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
    @media screen and (max-width: 639px) {
    pre { width: 440px; o'. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
    at System.Net.HttpWebRequest.GetResponse()
    at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
    --- End of inner exception stack trace ---
  • Just changing the URL will do no good.

    According to the documentation https://support.oneidentity.com/technical-documents/identity-manager/8.0/password-capture-agent-administration-guide/4#TOPIC-862983 there is at least a secured parameter WebServiceType that has to be switched to REST.

  • Hi Markus,

    We have updated the secured parameter WebServiceType, which has to be switched to REST.

    Also, we have given all required permissions and checked the guide at support.oneidentity.com/.../pca-private-key-decryption-warning-when-changing-user-password as well.

    Still facing the issue. Please suggest.

    App server logs:

    2018-04-30 11:10:44.9003 DEBUG (StopWatch SW) : Getting features/default from cache. done in 0ms.
    2018-04-30 11:10:44.9003 DEBUG (AppServer 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Executing request: /api/script/VI_CaptureAgent_SetPassword
    2018-04-30 11:10:44.9003 DEBUG (PasswordCaptureAgentScript ) : Connected as viCaptureAgent [ DialogUser / System user ] mapped to: viCaptureAgent | DialogUserUID: ADS-e6eb019a2b6c4dccbbbfbfb397d190b6 | For: IAMTEST\PIOE
    2018-04-30 11:10:44.9003 DEBUG (StopWatch SW) : Getting Permissions/ADSDomain from cache. done in 0ms.
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : ADSDomain: Getting collection, load type: Default
    2018-04-30 11:10:44.9003 TRACE (SqlLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : ClaimConnectionAsync - read write, _transaction == null
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : -- Connection 1 switched from Available to Working after comparison
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : --> existing connection 1
    2018-04-30 11:10:44.9003 DEBUG (SqlLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : (< 1 ms) - select * from (select UID_ADSDomain, Ident_Domain, xmarkedfordeletion from ADSDomain where ((dc = N'IAMTEST') or (ADSDomainName = N'IAMTEST'))) as x ORDER BY Ident_Domain OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : -- Connection 1 switched from Working to Available
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Collection: Run statement and fetch data done in 1ms.
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Getting collection done in 1ms.
    2018-04-30 11:10:44.9313 ERROR (PasswordCaptureAgentScript ) : Exception while trying to decrypt and verify the password. Exception Message: [238] strError238.



    AD server oneIM logs:

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Processing head job ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Calling Method 'PasswordChangeNotify()' of the COM-Object ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): ... done.

    4/30/2018 11:11:12:
    Warning:
    System-Code: 238 (0xEE)
    Job failed:
    Job Id='2018.04.30 11:11:12.160' User='PIOE' failed:
    From WebService-Script:
    Certificate to decrypt was found, but the current user does not have enough permissions to read the private key.

    The new password was not submitted!

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Remove head of job queue ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Jobs in Queue: 0

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Job '2018.04.30 11:11:12.160' removed from Queue.

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Get/Wait head from job queue ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Jobs in Queue: 0
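The warning quoted throughout this thread ("Certificate to decrypt was found, but the current user does not have enough permissions to read the private key") is an ACL problem on the private key file, not a problem with the certificate itself, and the thread never shows the check that confirms it. The script below is an added example, not code from the original posts or from One Identity's PCA or KB article: it locates the on-disk key container behind a machine-store certificate, checks whether a given account has an Allow ACE with Read on it, and optionally adds one. The thumbprint and the account name are assumptions (the PCA run-as account is not identified in the thread; take it from the PCA guide or KB 189367 for your version). It requires an elevated PowerShell session and .NET Framework 4.6 or later for GetRSAPrivateKey; CNG keys stored in a hardware or TPM provider have no file to inspect and are reported as such.

```powershell
# Added example (not from the original thread or from One Identity's tooling).
# Checks whether $Account can read the private key of the PCA decryption
# certificate in Cert:\LocalMachine\My and, with -Grant, adds a Read ACE.
# Assumed placeholders: $Thumbprint (the PCA certificate) and $Account
# (the account the PCA runs under, e.g. 'IAMTEST\svc-pca' - an assumed name).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $Account,
    [switch] $Grant
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import it with the private key"
}

# Resolve the key container on disk. CAPI (CSP) keys and CNG keys live in
# different folders under %ProgramData%\Microsoft\Crypto.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
$keyFile = Join-Path $keyDir $uniqueName
if (-not (Test-Path $keyFile)) {
    throw "Key file $keyFile not found; the key may be in a hardware/TPM provider with no file ACL to fix"
}

# Only direct ACEs for $Account are inspected; an Allow granted through a group
# the account belongs to (e.g. Administrators) is not detected here.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$canRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($canRead) {
    Write-Output "$Account already has Read on $keyFile"
} elseif ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted Read on $keyFile to $Account"
} else {
    Write-Warning "$Account has no direct Read ACE on $keyFile; rerun with -Grant to add one"
}
```

Run it once without -Grant on the domain controller where the PCA is installed to see the verdict, then with -Grant if the account is missing. Read is the least privilege the decrypting process needs; avoid granting Full Control, and after the change retrigger a password change and confirm that the "[238]" warning no longer appears in the PCA log and the application server log.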