Installed PCA on AD as per the PCA guide. We have provided all required permissions but are still receiving an error in the log for password change.

Hi All,

We have installed PCA on AD as per the PCA guide. We have provided all required permissions but are still receiving an error in the log for password change.

From WebService-Script:
Certificate to decrypt was found, but the current user does not have enough permissions to read the private key.
..

Please suggest a quick resolution.

one IM 8.0, AD server 2012.

  • Hi Markus,

    We have updated secured parameters like WebServiceType, which has to be switched to REST.

    Also, we have given all required permissions and also checked the guide: support.oneidentity.com/.../pca-private-key-decryption-warning-when-changing-user-password

    Still facing the issue. Please suggest.

    App server logs:

    2018-04-30 11:10:44.9003 DEBUG (StopWatch SW) : Getting features/default from cache. done in 0ms.
    2018-04-30 11:10:44.9003 DEBUG (AppServer 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Executing request: /api/script/VI_CaptureAgent_SetPassword
    2018-04-30 11:10:44.9003 DEBUG (PasswordCaptureAgentScript ) : Connected as viCaptureAgent [ DialogUser / System user ] mapped to: viCaptureAgent | DialogUserUID: ADS-e6eb019a2b6c4dccbbbfbfb397d190b6 | For: IAMTEST\PIOE
    2018-04-30 11:10:44.9003 DEBUG (StopWatch SW) : Getting Permissions/ADSDomain from cache. done in 0ms.
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : ADSDomain: Getting collection, load type: Default
    2018-04-30 11:10:44.9003 TRACE (SqlLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : ClaimConnectionAsync - read write, _transaction == null
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : -- Connection 1 switched from Available to Working after comparison
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : --> existing connection 1
    2018-04-30 11:10:44.9003 DEBUG (SqlLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : (< 1 ms) - select * from (select UID_ADSDomain, Ident_Domain, xmarkedfordeletion from ADSDomain where ((dc = N'IAMTEST') or (ADSDomainName = N'IAMTEST'))) as x ORDER BY Ident_Domain OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY
    2018-04-30 11:10:44.9003 TRACE (SqlLog ) : -- Connection 1 switched from Working to Available
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Collection: Run statement and fetch data done in 1ms.
    2018-04-30 11:10:44.9003 DEBUG (ObjectLog 7ecf9455-060b-43a4-a4fa-2085c1deba73) : Getting collection done in 1ms.
    2018-04-30 11:10:44.9313 ERROR (PasswordCaptureAgentScript ) : Exception while trying to decrypt and verify the password. Exception Message: [238] strError238.



    AD server oneIM logs:

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Processing head job ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Calling Method 'PasswordChangeNotify()' of the COM-Object ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): ... done.

    4/30/2018 11:11:12:
    Warning:
    System-Code: 238 (0xEE)
    Job failed:
    Job Id='2018.04.30 11:11:12.160' User='PIOE' failed:
    From WebService-Script:
    Certificate to decrypt was found, but the current user does not have enough permissions to read the private key.

    The new password was not submitted!

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Remove head of job queue ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Jobs in Queue: 0

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Job '2018.04.30 11:11:12.160' removed from Queue.

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Get/Wait head from job queue ...

    4/30/2018 11:11:12:
    CWorker-Thread (1260): Jobs in Queue: 0
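
The error in both logs says the certificate was found but the account running the decryption cannot read its private key. The following is an added diagnostic example, not part of the original posts and not One Identity code: it lists the ACL on a certificate's private key file and checks one account for read access. The thumbprint, the account name and the `Cert:\LocalMachine\My` store location are assumptions to replace with your own values.

```powershell
# Added diagnostic example (not One Identity code). Run elevated on the host
# that performs the decryption. Both values below are placeholders.
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'
$Account    = '<DOMAIN\service-or-app-pool-account>'

# Assumption: the certificate is in the local machine's Personal store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this host."
}

# Resolve the key container's file name (needs .NET Framework 4.6 or later).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'Private key is not an RSA key.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of these folders depending on CNG or legacy CSP storage.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\Keys",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
)
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -Force -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in machine key folders." }

# List every ACE on the key file, then check the account for an allow-read entry.
$acl = Get-Acl -Path $keyFile.FullName
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

$read  = [System.Security.AccessControl.FileSystemRights]::Read
$match = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
if ($match) { "OK: $Account has an explicit read ACE on $($keyFile.Name)" }
else        { "MISSING: no explicit allow-read ACE for $Account (group membership is not resolved here)" }
```

If the account is missing, read access can be granted from the Certificates MMC snap-in (All Tasks > Manage Private Keys) and the password change retried.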