Answered

Test setting initial password and enabling account

9 years ago in UNIFYBroker/Microsoft Active Directory • updated by 9 years ago • 3

Test to confirm that Identity Broker for Microsoft Active Directory is capable of provisioning users in an enabled state. A few things we know:

SSL must be enabled in AD and on the connection;
The password must meet the complexity requirements;
User userAccountControl to enable the account;
If using unicodePwd there are some prerequisites for the format of the password (enclosed in quotes and base64 encoded);

Other:

Is anything logged in AD/Windows event log that can help diagnose?
Can the traffic be traced?
Is there another password field that gets the outcome without having to use unicodePwd?
Do we have to change the connector to make this easier?

Vote

Replies 3
Oldest first
- Newest first
- Oldest first

9 years ago

Notes for future reference:

password reset requires LDAPS (enable SSL, use port 636)
in order to avoid certificate errors, you should use the fully qualified domain name (e.g. computername.domain.local) in the configuration of the AD agent so that it matches the subject of the AD DS certificate
new user's password will be expired by default, set pwdLastSet to -1 to avoid this
set userAccountControl initially to 512 (0x200) which is NORMAL_ACCOUNT only, certainly make sure ACCOUNTDISABLE (0x2) is not on

9 years ago

IDBAD v4.1 and v5 connectors now support set password (sync and async respectively), and both support adding unicodePwd to the schema which can be exported to set password on adds

9 years ago

Created account with password set. Was able to successfully login using account.

Customer support service by UserEcho

Test setting initial password and enabling account

Votes left: 9/9

Topic stats