000030664 - IMG Identity Management and Governance (Aveksa) Native AD Account Data Collector (ADC) error "Collector test failed:"

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000030664

Applies To
RSA Product Set: Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.8.1, 6.9, 6.9.1
Platform: Linux
O/S Version: Red Hat Enterprise Linux 6.x
Product Name: RSA-0018000
Product Description: Access Certification Manager
Issue
The AD (Active Directory) Account Data Collector (ADC) fails when collecting account data from some AD domain controllers. The issue affects only the native AD collector; it does not occur with the generic LDAP ADC.
The failure is characterized by the following exception in the IMG server log. The class in the stack frame, com.sun.jndi.ldap.LdapReferralContext, is the JNDI component that opens a new connection to a server named in an LDAP referral, so the connection that timed out is to the referral target, not to the domain controller the collector was configured with:
2015-06-22 17:01:03,662 INFO  [com.aveksa.collector.accountdata.LdapAccountDataReader] Naming Exception happened :
javax.naming.CommunicationException: Dohmen.com:389 [Root exception is java.net.ConnectException: Connection timed out]
                at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:92)

The collection run then fails, and the IMG server log records the following error:
2015-06-22 17:01:03,664 ERROR [com.aveksa.client.datacollector.framework.DataCollectorManager] FAILED method=Collect CollectionMetaInfo[{ID=98, run_id=1435010400534, collector_id=68, test-run=true, collector_name=Restat.net - ADC, data_file=/home/oracle/jboss-4.2.2.GA/server/default/./deploy/aveksa.ear/aveksa.war/WEB-INF/LocalAgent/collected_data/98.data}]

In the IMG console, the same problem appears as the following failure when the collector connection is tested:
Collector test failed:
com.aveksa.server.runtime.ServerException: Test request failed with response: com.aveksa.server.runtime.ServerException: java.lang.RuntimeException 
Cause
This issue occurs when the collector attempts to follow an LDAP referral but cannot connect to the server named in the referral.
An LDAP referral is an optional feature of the LDAP protocol: a server that does not hold the requested entry, or that cannot answer part of a search, returns one or more LDAP URLs redirecting the client to another server that is more likely to hold the result. Microsoft Active Directory (AD) returns referrals to other naming contexts in the forest, for example child domains or application partitions such as DomainDnsZones and ForestDnsZones, when a subtree search crosses the boundary of the domain partition that was searched. The referral URL names the DNS name of the target domain or partition rather than a specific domain controller, so the client must be able to resolve that name and reach a domain controller behind it. Not all AD domains return referrals, which is why the issue occurs on some domains and not on others, and only certain queries generate a referral, which can make the issue appear intermittent.
The failure occurs when the IMG ADC cannot bind to the domain controller named in the referral response.
The bind can fail because the referred domain controller is not reachable from the IMG server's network location (the "Connection timed out" in the log excerpt above), or because the credentials the collector uses for the configured domain controller are not valid on the referred one.
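The script below is an added diagnostic example for the failure mode just described; it is not part of this article or of the IMG product. It parses the referral-failure lines in the IMG server log format shown above, parses the referral URIs that an OpenLDAP ldapsearch run without referral chasing (no -C option) prints as "# refldap://..." comment lines, and checks from the IMG host whether each referral target accepts a TCP connection. The embedded log and ldapsearch text, and the names example.com and child.example.com, are constructed for the example.

```python
"""Referral triage for the IMG native AD ADC failure described above.

Added example (not IMG product code). The sample log and ldapsearch text
below are constructed; host names such as child.example.com are placeholders.
"""
import re
import socket
from urllib.parse import urlsplit

# JNDI reports a failed referral connection on one line of the IMG server log,
# followed by a stack frame in com.sun.jndi.ldap.LdapReferralContext (see the
# excerpt in the article). The regex reflects that excerpt.
_JNDI_REFERRAL_FAILURE = re.compile(
    r"javax\.naming\.CommunicationException: (?P<host>[^\s:\[]+):(?P<port>\d+) "
    r"\[Root exception is (?P<cause>[^\]]+)\]"
)

# OpenLDAP ldapsearch, run without -C (no referral chasing), prints each
# referral the DC returned as a comment line of the form "# refldap://host/DN".
_LDAPSEARCH_REF = re.compile(r"^#\s*ref\s*(?P<uri>ldaps?://\S+)", re.MULTILINE)


def referral_failures(log_text):
    """Return (host, port, root cause) for every referral connection the
    collector could not open, according to the IMG server log text."""
    lines = log_text.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = _JNDI_REFERRAL_FAILURE.search(line)
        if not m:
            continue
        # Count it only when JNDI's referral context is in the following frames;
        # the same exception text can also come from a failed primary bind.
        if any("LdapReferralContext" in frame for frame in lines[i + 1:i + 6]):
            failures.append((m["host"], int(m["port"]), m["cause"]))
    return failures


def _host_port(netloc, default_port):
    """Split 'host[:port]' without lower-casing the host as urlsplit().hostname does."""
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return netloc, default_port


def referral_targets(ldapsearch_output):
    """Return (host, port, base DN) for every referral URI in ldapsearch output.
    The host is the DNS name of a domain or partition, not a specific DC."""
    targets = []
    for m in _LDAPSEARCH_REF.finditer(ldapsearch_output):
        u = urlsplit(m["uri"])
        host, port = _host_port(u.netloc, 636 if u.scheme == "ldaps" else 389)
        targets.append((host, port, u.path.lstrip("/")))
    return targets


def tcp_reachable(host, port, timeout=3.0):
    """True if host:port accepts a TCP connection within timeout. The IMG ADC
    must be able to do this for every referral target it is going to follow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # timed out, refused, or name does not resolve
        return False


# Constructed sample inputs, modelled on the article's log excerpt.
SAMPLE_LOG = """\
2015-06-22 17:01:03,662 INFO  [com.aveksa.collector.accountdata.LdapAccountDataReader] Naming Exception happened :
javax.naming.CommunicationException: child.example.com:389 [Root exception is java.net.ConnectException: Connection timed out]
                at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:92)
2015-06-22 17:01:03,664 ERROR [com.aveksa.client.datacollector.framework.DataCollectorManager] FAILED method=Collect
"""

SAMPLE_LDAPSEARCH = """\
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
# refldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
# refldap://child.example.com/DC=child,DC=example,DC=com
"""


if __name__ == "__main__":
    for host, port, cause in referral_failures(SAMPLE_LOG):
        print(f"referral to {host}:{port} failed: {cause}")
    for host, port, base in referral_targets(SAMPLE_LDAPSEARCH):
        state = "reachable" if tcp_reachable(host, port) else "NOT reachable"
        print(f"DC referral {host}:{port} ({base}) is {state} from this host")
```

Run it on the IMG server with the real server log and with the output of an ldapsearch against the configured domain controller using the collector's bind account and base DN; every referral target it lists is a host the collector would try to connect to if "Ignore Referral" is not set, and any that is reported as not reachable explains a "Connection timed out" failure like the one above.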
Resolution
Most often the intent is to bind to a single domain controller and return results only from that domain; following referrals is unintended and undesired. To follow referrals successfully across an AD forest, the bind account used for the LDAP connection must be valid in every domain the referrals point to, which is typically not practicable.
If referrals should not be followed, configure the IMG ADC to ignore them: under the configuration for the AD Account Data Collector, select the "Ignore Referral" checkbox.

(Screenshot: AD ADC configuration)
Note that the option to ignore referrals is not available on older builds of IMG. The following table gives the minimum patch level of the IMG server that supports it.
IMG version    Minimum build with "Ignore Referral"
6.8.1          Patch P10 or later
6.9            Patch P02 or later
6.9.1          Patch P02 or later
7.0            Initial release (no patch required)
Workaround
The Microsoft AD domain controller may be configured not to return referral information. Contact Microsoft for details on how to do this. Note that disabling referrals is not recommended, since it may affect other applications that rely on AD LDAP referrals.