06/09/2022 04:10 AM
We are using the AD connector, and while provisioning, it's creating the account in disabled status, marking userAccountControl as 546. If we try to pass userAccountControl:512 explicitly in CreateAccountJson, it throws the error "Will not perform".
We have covered the below validations on our side.
1. AD service account has full privileges.
2. Password policy follows the AD policy.
3. We have cert installed.
4. We have validated the password generated through email and it is a valid one.
Has anyone faced such an issue and can help?
06/09/2022 07:04 AM - edited 06/09/2022 09:04 AM
Nmaheshwari,
You cannot pass the UAC value in the createAccount JSON. That is something that AD evaluates at the time of account creation.
UAC 546 means the account is in a disabled state and the password is not required. Since this is mostly password related, here are a few pointers.
1) Do you have the URL in the connector pointing to the ldaps protocol on the SSL port?
2) Did you restart the Saviynt Application server post certificate installation?
3) Have you tried disabling the automated password and passing a hardcoded value using the parameter "UnicodePwd"?
Regards,
Avinash Chhetri
06/09/2022 11:23 PM
Hi Avinash,
We have validated all the points you mentioned above and tried hardcoding the password value directly in the JSON, but it did not help. In AD, the password was saved as plain text and the status was 546.
Thanks,
Nupur
06/09/2022 11:12 PM
Hello,
If your connection is secure (636) and you have a password policy attached to your security system or at the connection level then your UAC should automatically be set as 512.
06/09/2022 11:24 PM - edited 06/09/2022 11:27 PM
Hi Sahaj,
Yeah, we have set everything, but it's still creating the account with a UAC value of 546.
I have a password policy attached to the security system, and at the connector level we have RandomPassword set to FALSE.
We tried setting RandomPassword to TRUE, but in this case it throws an error at the pending task saying "Will not perform".
Thanks,
Nupur
06/09/2022 11:42 PM
Hello,
Could you also check if your 'BASE' parameter is set on the connection and is valid to the provisioning scope you intend to have?
06/09/2022 11:56 PM
Hi Sahaj,
Base parameter is set properly.
Thanks,
Nupur
06/10/2022 01:41 AM
Hello,
This error is mostly due to an incorrect password policy, or an SSL connection that is not there or isn't secure enough.
Let's try the following and see if it helps:
1. Use a Password Policy either at the connection level or at the Security System level and ensure it's compliant with the AD policy. Use the email template to get the password being sent to confirm the same.
2. Ensure that the SSL connection between AD and Saviynt is 128-bit. More info:
https://docs.microsoft.com/en-US/troubleshoot/windows/win32/change-windows-active-directory-user-pas...
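
Added example (not part of any post in this thread, and not Saviynt's code): a small Python helper that decodes the userAccountControl values discussed above (546 versus 512), shows the quoted UTF-16LE form AD expects for unicodePwd, and maps an observed state to the checks the replies suggest. The function names, the host dc.example.test and the sample password are assumptions made for illustration.

```python
# Added illustration; flag bits are from Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
BLOCKING = 0x0002 | 0x0020  # the two bits that separate 546 from 512


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def enabled_value(value):
    """The same value with ACCOUNTDISABLE and PASSWD_NOTREQD cleared."""
    return value & ~BLOCKING


def encode_unicode_pwd(password):
    """unicodePwd wire format: the password in double quotes, encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def diagnose(uac, ldap_url):
    """Hypothetical helper: map an observed UAC and connector URL to the thread's checks."""
    findings = []
    if not ldap_url.lower().startswith("ldaps://"):
        findings.append("URL is not ldaps://; AD accepts unicodePwd only on an encrypted session")
    if (uac & BLOCKING) == BLOCKING:
        findings.append("ACCOUNTDISABLE and PASSWD_NOTREQD set; check password policy and unicodePwd")
    return findings


if __name__ == "__main__":
    # Constructed sample values; dc.example.test is a placeholder host.
    print(decode_uac(546), enabled_value(546))
    print(encode_unicode_pwd("Constructed-Pw1!").hex())
    print(diagnose(546, "ldap://dc.example.test:389"))
```
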
08/02/2022 04:17 AM
Hi @Nmaheshwari ,
Was this issue resolved? Could you please share the solution for the betterment of the community here?