Active Directory synchronisation - Encryption error

Hello,

I've set up a synchronisation project with an active directory.

I've created a workflow (DailyXX) to publish objects from OIM to AD on a daily schedule.

When I try to simulate it, I have the following error:

Error executing synchronization project (Active Directory Domain (DC=XXX,DC=XXX))'s workflow (DailyXX).
Error executing projection step (user) of projection configuration (DailyXX (3608e22d-6ca7-43be-88a6-a41a496ec0b5)).
Error executing synchronization step (user)!
Error reloading 1024 system objects.
The encrypted value cannot be unencrypted. There is no unencryption configured.

I've entered the name of the private key in 'One Identity Manager' when I configured the connection to the OIM DB.

What could be the problem?

Many thanks. 

  • First, what version are you using?

    Secondly, does the connection to the target system in the target system browser inside the Synchronization Editor work?

  • Thank you Markus for your quick reply,

    I'm using version 8.1.

    Yes, the connection to the target system (AD in my case) works well when I test it.

    I simulate 'Initial synchronisation' and it works perfectly.

    But when I try the 'DailyXXX' workflow, it fails while executing step 3 'user' (it passes step 2 'group' successfully) with this error:

    Error executing synchronization project (Active Directory Domain (DC=XXX,DC=XXX))'s workflow (DailyXX).
    Error executing projection step (user) of projection configuration (DailyXX (3608e22d-6ca7-43be-88a6-a41a496ec0b5)).
    Error executing synchronization step (user)!
    Error reloading 1024 system objects.
    The encrypted value cannot be unencrypted. There is no unencryption configured.

    (Maybe the error is related to decrypting users' passwords, which are encrypted in ADSAccount?)

  • The thing is that, for simulating a write to the target system, the Synchronization Editor complains about encrypted values that it is unable to encrypt. By design, only the Job Services are able to decrypt the data, but the simulation runs in the Synchronization Editor.

    Can you execute the following and confirm the result:

    You can execute this in Object Browser in a new SQL window.

    select ColumnName from DialogColumn where IsCrypted = 1 and UID_DialogTable = 'ADS-T-ADSAccount'

  • Hi,

    Run the below SQL query to check if "UserPasswords" is the only column in the ADSAccount table that has been encrypted:

    select ColumnName from DialogColumn where IsCrypted = 1 and UID_DialogTable = 'ADS-T-ADSAccount'

    Then clean up the existing "UserPasswords" values in the ADSAccount table by running the below SQL update:

    update ADSAccount set UserPassword = null where ISNULL(UserPassword, '') <> ''

    Please be sure you have a database backup.

    Trevor
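    As an added example (not code from any poster in this thread), the two statements above combined into one T-SQL script that first confirms UserPassword is the only encrypted ADSAccount column, counts the rows that would be cleared, and runs the update inside a transaction that is rolled back if the row count does not match. It assumes a SQL Server database (as the ISNULL syntax suggests) and a case-insensitive collation for the column-name comparison; table and column names are the ones quoted in the thread.

    ```sql
    -- Added example, not from the thread. Assumes SQL Server (T-SQL) and the
    -- DialogColumn / ADSAccount names quoted above. Take a DB backup first.
    SET XACT_ABORT ON;

    -- 1. Guard: abort if anything other than UserPassword is stored encrypted
    --    on ADSAccount (comparison assumes a case-insensitive collation).
    IF EXISTS (SELECT 1
               FROM   DialogColumn
               WHERE  IsCrypted = 1
                 AND  UID_DialogTable = 'ADS-T-ADSAccount'
                 AND  ColumnName <> 'UserPassword')
    BEGIN
        RAISERROR('Other encrypted columns exist on ADSAccount; review before clearing.', 16, 1);
        RETURN;
    END;

    -- 2. How many rows currently hold an encrypted UserPassword value?
    DECLARE @Before int;
    SELECT @Before = COUNT(*)
    FROM   ADSAccount
    WHERE  ISNULL(UserPassword, '') <> '';
    PRINT CONCAT('Rows with a stored UserPassword: ', @Before);

    -- 3. Clear them inside a transaction so the change can be undone.
    DECLARE @Affected int;
    BEGIN TRANSACTION;

    UPDATE ADSAccount
    SET    UserPassword = NULL
    WHERE  ISNULL(UserPassword, '') <> '';
    SET @Affected = @@ROWCOUNT;   -- read immediately after the UPDATE

    -- Sanity check: the update must touch exactly the rows counted in step 2.
    IF @Affected <> @Before
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR('Expected %d rows, updated %d; rolled back.', 16, 1, @Before, @Affected);
    END
    ELSE
    BEGIN
        COMMIT TRANSACTION;
        PRINT CONCAT('Cleared UserPassword on ', @Affected, ' rows.');
    END;
    ```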

  • Thank you all,

    select ColumnName from DialogColumn where IsCrypted = 1 and UID_DialogTable = 'ADS-T-ADSAccount'

    gives me: userPassword

    Are you sure you want me to execute: update ADSAccount set UserPassword = null where ISNULL(UserPassword, '') <> '' ?

    Isn't it going to synchronise empty passwords to AD?


    So Markus, if I configure the DailyXXX workflow to run tonight, for example, I won't have this error, as the run will be handled by a Job Service?

  • So Markus, if I configure the DailyXXX workflow to run tonight, for example, I won't have this error, as the run will be handled by a Job Service?

    Correct. But may I ask why you are not using the OOTB Ad-Hoc (Immediate) transfer of changes from OneIM to AD?
