000037251 - Active Directory Account Data Collection fails to retrieve Active Directory attributes when connecting to Active Directory Global Catalog port 3268 in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Mar 25, 2019Last modified by RSA Customer Support Employee on Mar 25, 2019

Article Content

Article Number: 000037251
Applies To: RSA Product Set: Identity Governance & Lifecycle
Issue

Active Directory Account Data Collection fails to populate Active Directory attributes such as accountExpires during account collection. The issue occurs when the collector connects to the Active Directory Global Catalog on port 3268 instead of to a domain controller on port 636 (SSL) or port 389 (plain LDAP).

'Expiration Date' and other attributes are null for all accounts, which should not be the case.

The following error is also observed in the aveksaServer.log:

10/17/2018 16:37:29.808 ERROR (ApplyChangesRegularThread-31460) [com.aveksa.collector.accountdata.ADAccountDataReader] Problem listing attributes:
java.lang.NullPointerException
at com.aveksa.collector.accountdata.ADAccountDataReader.getADDomainAttributes(ADAccountDataReader.java:894)
at com.aveksa.collector.accountdata.ADAccountDataReader$ADAccountDataDirectoryIterator.<init>(ADAccountDataReader.java:922)
at com.aveksa.collector.accountdata.ADAccountDataReader.createAccountDataDirectoryIterator(ADAccountDataReader.java:641)
at com.aveksa.collector.accountdata.ADAccountDataReader.createAccountDataDirectoryIterator(ADAccountDataReader.java:62)
at com.aveksa.collector.accountdata.LdapAccountDataReader.getAccountIterator(LdapAccountDataReader.java:172)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:393)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:269)
at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:536)
at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:204)
at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
at java.lang.Thread.run(Thread.java:748)
Cause

In Active Directory, the global catalog provides fast searches across the whole Active Directory forest. By default the global catalog holds only a partial set of attributes (a partial replica of the objects in its domain), namely the attributes that are most frequently used in search operations. When the collector connects to Active Directory through port 3268, only the attributes that are replicated to the global catalog are available; any other attribute is not returned by the search, so the collector stores it as null. On an as-needed basis, an attribute can be replicated from the domain to the global catalog so that it becomes available for search operations on port 3268.
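The behaviour described above can be confirmed before touching the schema. The following PowerShell script is an added diagnostic, not part of the RSA article: it reads one account through the global catalog port (3268) and through the domain port (389) and reports which of the requested attributes each port actually returns. The server name, base DN and account name are placeholders to be edited; the script assumes it runs as a domain user allowed to read the account.

```powershell
# Added diagnostic (not from the RSA article): read one account via port 3268
# (global catalog) and port 389 (domain) and report which requested attributes
# each port returns. Placeholders below must be edited for your environment.
$Server         = 'dc01.example.com'     # placeholder: a domain controller that is also a GC
$BaseDn         = 'DC=example,DC=com'    # placeholder: domain naming context
$SamAccountName = 'jdoe'                 # placeholder: any test account
$Attributes     = @('sAMAccountName', 'accountExpires', 'lastLogon')

function Get-ReturnedAttributes {
    param(
        [string]$Server, [int]$Port, [string]$BaseDn,
        [string]$SamAccountName, [string[]]$Attributes
    )
    # The LDAP provider accepts an explicit port, which is how the collector
    # itself reaches the global catalog on 3268.
    $path     = 'LDAP://{0}:{1}/{2}' -f $Server, $Port, $BaseDn
    $root     = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(&(objectClass=user)(sAMAccountName={0}))' -f $SamAccountName
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PropertiesToLoad.AddRange($Attributes)

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account '$SamAccountName' not found via port $Port" }

    foreach ($name in $Attributes) {
        $key      = $name.ToLower()                 # result property keys are lower-case
        $returned = $result.Properties.Contains($key)
        # An attribute missing from the result was not sent by the server at all;
        # on 3268 that means it is not replicated to the global catalog.
        [pscustomobject]@{
            Port      = $Port
            Attribute = $name
            Returned  = $returned
            Value     = if ($returned) { $result.Properties[$key][0] } else { $null }
        }
    }
}

# Port 389 shows what the domain holds; port 3268 shows only what the global
# catalog replicates. Returned = False on 3268 but True on 389 is the case
# the article describes.
$report = foreach ($port in 389, 3268) {
    Get-ReturnedAttributes -Server $Server -Port $port -BaseDn $BaseDn `
        -SamAccountName $SamAccountName -Attributes $Attributes
}
$report | Format-Table Port, Attribute, Returned, Value -AutoSize
```

Run the script again after completing the Resolution steps: once the attribute has been added to the global catalog and replication has completed, the 3268 row for that attribute should change to Returned = True.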
Resolution

Prerequisites

  1. Log in as an Administrator to the Active Directory server and make sure that Active Directory Schema is listed in the Microsoft Management Console (MMC).
  2. If Active Directory Schema is not available in the console, configure it using the steps in the section below entitled Add Active Directory Schema to MMC. Otherwise skip to the section Add Attribute to Global Catalog.


Add Active Directory Schema to MMC

A registry change is required on the AD server before the AD Schema can be modified.

  1. From a command prompt, open the registry using regedt32.exe or regedit.exe.
  2. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
  3. Create a new REG_DWORD value called Schema Update Allowed and set the value to 1.
  4. Register the schema management MMC snap-in by registering schmmgmt.dll.
  5. Open a command prompt as an administrator and execute the command regsvr32.exe schmmgmt.dll.

  1. Open the Windows Run box and type mmc to open the Microsoft Management Console.
  2. From the menu select File > Add/Remove Snap-in.
  3. Select Active Directory Schema, then click Add.
  4. Click OK. Active Directory Schema should now be listed in the console.

Note: If the AD schema is still not available, restart the Windows server and try again.

Add Attribute to Global Catalog

In the Active Directory schema, enable replication of the required attribute to the global catalog.

  1. Open the MMC console and select Active Directory Schema in the tree.
  2. Select the Attributes folder; the list of attributes is displayed in the pane on the right.
  3. Select the required attribute, right-click it and open the Properties window. For example, use accountExpires.
  4. In the Properties dialog, enable the Replicate this attribute to the Global Catalog option and click OK to save the changes.
  5. The selected attribute is now added to the global catalog.
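The registry step from Add Active Directory Schema to MMC and the attribute step from Add Attribute to Global Catalog can also be performed from PowerShell. The script below is an added example, not from the RSA article or the RSA product: it sets the Schema Update Allowed value, registers schmmgmt.dll, and then sets the schema flag that the Replicate this attribute to the Global Catalog checkbox controls (isMemberOfPartialAttributeSet on the attribute's attributeSchema object). It assumes the ActiveDirectory PowerShell module is installed, that it runs as a member of Schema Admins, and that the attribute name in $AttributeName is the one the collector needs (accountExpires, as in the article).

```powershell
# Added example (not from the RSA article): PowerShell equivalent of the
# "Add Active Directory Schema to MMC" registry step and the
# "Add Attribute to Global Catalog" step, with a verification read-back.
# Assumptions: ActiveDirectory module installed; run as Schema Admins;
# $AttributeName is the attribute the collector needs.
Import-Module ActiveDirectory

$AttributeName = 'accountExpires'   # attribute used as the example in the article

# Step 1: the registry value described in the article, allowing schema updates.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
New-ItemProperty -Path $ntdsKey -Name 'Schema Update Allowed' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: register the schema snap-in DLL so MMC can load Active Directory Schema.
& regsvr32.exe /s schmmgmt.dll

# Step 3: schema changes must be written on the schema master, so target it
# explicitly rather than whichever DC the module happens to pick.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Step 4: locate the attributeSchema object for the attribute by its LDAP display name.
$filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter $filter `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
if ($null -eq $attr) { throw "Attribute '$AttributeName' not found under $schemaNC" }

# Step 5: "Replicate this attribute to the Global Catalog" is the
# isMemberOfPartialAttributeSet flag on the schema object.
if ($attr.isMemberOfPartialAttributeSet -eq $true) {
    Write-Host "$AttributeName is already replicated to the global catalog."
} else {
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    Write-Host "$AttributeName marked for replication to the global catalog."
}

# Step 6: read the flag back from the schema master to confirm the change was written.
$check = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Properties isMemberOfPartialAttributeSet
[pscustomobject]@{
    Attribute                     = $attr.lDAPDisplayName
    isMemberOfPartialAttributeSet = $check.isMemberOfPartialAttributeSet
}
```

The schema change is written once on the schema master, but each global catalog server only starts returning the attribute on port 3268 after replication to it has completed, so allow for replication latency before re-running the collection. Every attribute added this way becomes readable forest-wide by anyone who can query a global catalog, so add only the attributes the collector actually needs.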
