Unable to synchronize passwords with Active Directory - Err=5
(Last modified: 20Dec2005)
This document (10092646) is provided subject to the disclaimer at the end of this document.
fact
Nsure Identity Manager 2.0
Novell Active Directory Driver
Microsoft Windows Server 2003 Enterprise Edition
symptom
Unable to synchronize passwords with Active Directory - Err=5
Error: Message: Could not set password via platform call. Err=5
<message>Password set failed.</message> <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
This error is likely to happen in a configuration where the driver is running on a machine that is not a domain controller, SSL is not configured, and the authentication method is set to Negotiate, in which the use of SSL is optional.
cause
Setting the authentication method to "Negotiate" secures only the initial connection of the Driver Shim to the Domain Controller. The rest of the information that the driver and the Domain Controller exchange is sent via LDAP on the unencrypted port. When a password change event arrives from eDirectory, the driver attempts to set the password over LDAP on this non-encrypted channel, and the Domain Controller refuses the request for security reasons.
fix
In order for the password change to succeed, the communication with the Domain Controller needs to be secured. You have two options for this:
1 - Configure SSL. Follow the section called "SSL Connection Between the Active Directory Driver and the Domain Controller" on page 19 of the DirXML Driver 3.0 for Active Directory Implementation Guide.
2 - Enable the "Use Sealing" option in the driver. This is a Microsoft feature already present in Exchange that encrypts the information sent on the wire once the initial authentication has been done with NTLM or Kerberos. You need to have the latest patches on both the Domain Controller and the platform that is running the driver. You can find more information on this topic in Chapter 5, Security parameters, of the Implementation Guide.
The advantage of the second option is that it only requires changing this setting to Yes on the driver object and restarting the driver. Setting up SSL, on the other hand, can be a more complex process.
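As an added illustration (not part of the original TID or the driver's own code), the following script triages a driver trace for the failure described above and applies the cause/fix logic in the "cause" and "fix" sections: it pairs the "Err=5" platform error with the LDAP result code 53 (LDAP_UNWILLING_TO_PERFORM) and reports whether the driver's connection settings leave the password modify on an unencrypted channel. The trace lines are constructed to mirror the symptom text; the setting names (auth_method, use_ssl, use_sealing) are assumed abstractions of the driver's Authentication Method, SSL and Use Sealing options.

```python
import re

# Constructed sample of an Active Directory driver trace showing the failure
# from this TID (not a real capture).
SAMPLE_TRACE = """\
ADDriver ST: Modifying password for CN=jdoe,OU=Users,DC=example,DC=com
ADDriver ST: Could not set password via platform call. Err=5
ADDriver ST: <message>Password set failed.</message> <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
ADDriver ST: Modifying attribute telephoneNumber for CN=jdoe,OU=Users,DC=example,DC=com
"""

PLATFORM_ERR_RE = re.compile(r"Could not set password via platform call\. Err=(\d+)")
LDAP_ERR_RE = re.compile(r'<ldap-err ldap-rc="(\d+)" ldap-rc-name="([A-Z_]+)"')


def find_password_set_failures(trace: str) -> list:
    """Return one dict per password-set failure, pairing the platform Err code
    with the LDAP result code the Domain Controller returned (53 = unwilling)."""
    failures, pending = [], None
    for line in trace.splitlines():
        m = PLATFORM_ERR_RE.search(line)
        if m:
            pending = {"platform_err": int(m.group(1)), "ldap_rc": None, "ldap_rc_name": None}
            failures.append(pending)
            continue
        m = LDAP_ERR_RE.search(line)
        if m and pending is not None:
            pending["ldap_rc"], pending["ldap_rc_name"] = int(m.group(1)), m.group(2)
            pending = None
    return failures


def channel_is_encrypted(auth_method: str, use_ssl: bool, use_sealing: bool) -> bool:
    """Model the condition from the 'cause' section: Negotiate protects only the
    initial bind; the later LDAP traffic is encrypted only with SSL or, after an
    NTLM/Kerberos (Negotiate) bind, with sealing enabled."""
    return use_ssl or (auth_method == "Negotiate" and use_sealing)


def diagnose(trace: str, auth_method: str, use_ssl: bool, use_sealing: bool) -> str:
    """Classify the trace against the driver's connection settings."""
    rc53 = [f for f in find_password_set_failures(trace) if f["ldap_rc"] == 53]
    if not rc53:
        return "no password-set failures found"
    if not channel_is_encrypted(auth_method, use_ssl, use_sealing):
        return "unencrypted channel: configure SSL or enable the Use Sealing option"
    return "encrypted channel; error 53 has another cause"
```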
note
If you are using the idm201adir4.exe or idm20xadir5.exe patches, the Sealing option will not work in your environment. The issue has been addressed in the idm20xadir6.exe patch.
If you want to find out more about LDAP sealing, you can look at the following documents in the Microsoft Knowledge Base:
LDAP Traffic That Is Created by Exchange System Manager in Exchange Server 2003 Is Signed and Sealed
document
Document Title: Unable to synchronize passwords with Active Directory - Err=5
Document ID: 10092646
Solution ID: NOVL96672
Creation Date: 29Apr2004
Modified Date: 20Dec2005
Novell Product Class: DirXML
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.