How To

ForgeRock Identity Platform

Does not apply to Identity Cloud

How do I troubleshoot Active Directory password synchronization issues in IDM (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you are experiencing issues with the Active Directory® password synchronization service (AD Password Sync Plugin) in IDM. Likely issues include Active Directory password changes not being populated in IDM or the plugin not polling for changes.

3 readers recommend this article

Troubleshooting synchronization issues

This article includes the following details that you should check (and rectify) in order to troubleshoot the AD password sync plugin in IDM:

Keystores and certificates
Password Synchronization log
IDM log
AD password sync plugin configuration
IDM configuration files

Avoiding loops

If AD syncs passwords with IDM in both directions, you need to ensure you have configured IDM correctly to avoid an infinite loop. See Changing the Password Synchronization Plugin Configuration After Installation (Key to configure infinite loop prevention) for further information.

Note

If you are still unable to solve your issues, you should attach the collected log files and outputs when you raise a ticket to enable us to help you more quickly. See Sending troubleshooting data to ForgeRock Support for analysis for further information.

Keystores and certificates

Incorrect keystore and certificate details can cause issues with the AD password sync plugin (some of which have been shown in the IDM log section below). The key things to check are:

The content of the keystore used by the AD password sync plugin corresponds to the content in the IDM keystore.
The certificate DN has been added to the IDM configuration.

Finally, you should review the steps in Synchronize Passwords With Active Directory again to ensure you have not missed a step.

Keystores

You can check that the content of the AD and IDM keystores correspond as follows:

Use the keytool command to list the certificate aliases in the AD keystore (keystore.pk12) to check which certificate is being used; the default is ad-pwd-plugin-localhost, but could be different depending on your setup.
Use the keytool command to list the certificate aliases in the IDM keystore to check that the certificate alias returned in step 1 is present. The following example keytool command shows that the ad-pwd-plugin-localhost certificate exists in the IDM keystore: $ keytool -list -keystore security/keystore.jceks -storetype JCEKS -storepass password -v Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 4 entries Alias name: ad-pwd-plugin-localhost Creation date: May 19, 2021 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=localhost, O=AD-pwd-plugin Self-Signed Certificate Issuer: CN=localhost, O=AD-pwd-plugin Self-Signed Certificate Serial number: 20be2082 Valid from: Wed May 19 10:11:34 BST 2021 until: Thu May 19 10:11:34 BST 2022 Certificate fingerprints: SHA1: CC:09:33:57:F3:AE:BC:0F:D3:49:30:E2:5F:EA:AA:9F:43:67:65:B7 SHA256: B3:16:98:AD:97:D9:A0:5E:44:AE:FD:A8:35:4A:4E:84:59:EC:52:53:99:8C:4D:ED:DC:EB:1A:2B:22:0C:51:4A Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 ******************************************* *******************************************

Certificate DN

Check that the certificate DN has been added as a value of the allowedAuthenticationIdPatterns property for the CLIENT_CERT authentication module in the authentication.json file (located in the /path/to/idm/conf directory). For example:

{ "name" : "CLIENT_CERT", "properties" : { "queryOnResource" : "managed/user", "defaultUserRoles" : [ "internal/role/openidm-cert" ], "allowedAuthenticationIdPatterns" : [ "CN=localhost, O=AD-pwd-plugin Self-Signed Certificate" ] }, "enabled" : true }

You will know that authentication has been successful when you see something similar to the following in the openidm.log:

FINE: Authentication client certificate subject CN=localhost, O=AD-pwd-plugin Self-Signed Certificate Jan 31, 2017 04:27:49 PM org.forgerock.caf.authentication.framework.AuthModules$LoggingAuthModule$4 handleResult FINE: ClientCert has successfully authenticated the client

Password Synchronization log

Password synchronization messages are logged to idm.log and these messages can help identify the cause of your issues. This file is located in the directory you specified when you installed the AD password sync plugin; you can confirm the location by checking the logPath registry entry under the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key.

Changing the log level to debug

It is recommended that the log level is set to debug during the install to increase the level of logging. If you didn't set it this way during the install, you can change it by setting the logLevel registry entry under the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key to debug, for example, "logLevel"="debug". You do not need to restart the domain controller if you change this registry entry as it will be picked up dynamically by the AD password sync plugin.

Common errors

Some common errors messages you might find in the idm.log are as follows, along with possible solutions:

Error message	Possible solution
ERROR [468:1732] encrypt_key(): couldn't import key file "\path\to\ad-pwd-plugin-idm.p12"	Check that pkcs12 file password exists and is valid.
ERROR [468:5372] password_change_worker(): change request for user "user_ID" failed, network status: 0, response: (empty)	Check that the network connection between the AD password sync plugin and IDM is working correctly.
ERROR [468:6692] http_status() error parsing status header	Change the netTimeout registry entry to set the network connection/send/read timeout (in seconds) to prevent requests to IDM failing if IDM takes too long to respond. The netTimeout registry entry is under the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key; a typical netTimeout setting is between 2 and 6 seconds (for example, "netTimeout"="5" for 5 seconds). You do not need to restart the domain controller if you change the netTimeout registry entry as it will be picked up dynamically by the AD password sync plugin.

Error message

Possible solution

ERROR [468:1732] encrypt_key(): couldn't import key file "\path\to\ad-pwd-plugin-idm.p12"

Check that pkcs12 file password exists and is valid.

ERROR [468:5372] password_change_worker(): change request for user "user_ID" failed, network status: 0, response: (empty)

Check that the network connection between the AD password sync plugin and IDM is working correctly.

ERROR [468:6692] http_status() error parsing status header

Change the netTimeout registry entry to set the network connection/send/read timeout (in seconds) to prevent requests to IDM failing if IDM takes too long to respond.

The netTimeout registry entry is under the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key; a typical netTimeout setting is between 2 and 6 seconds (for example, "netTimeout"="5" for 5 seconds). You do not need to restart the domain controller if you change the netTimeout registry entry as it will be picked up dynamically by the AD password sync plugin.

IDM log

The IDM log (openidm.log, located in the /path/to/idm/logs directory) can be useful for identifying any issues with the password synchronization process from the IDM side. You should increase logging in the IDM debug log to FINEST (set the .level property to FINEST in logging.properties, which is located in the /path/to/idm/conf directory).

Some common errors messages you might find in the openidm.log are as follows, along with their meanings:

Error message	Meaning
WARNING: JSON resource exception org.forgerock.openidm.objset.InternalServerErrorException: org.forgerock.json.fluent.JsonException: org.forgerock.json.crypto.JsonCryptoException: key not found: ad-pwd-plugin-idm	This message indicates there is a problem with the IDM configuration; in particular, the key/alias name used to encrypt the password is unknown to IDM. You should check your configuration and verify that it is correct.
FINE: Client certificate subject CN=localhost, O=AD-pwd-plugin Self-Signed Certificate did not match allowed patterns	This message indicates that the client certificate is not recognized; you must add the certificate DN to the IDM configuration as detailed in the Keystores and certificates section.
One of the following error messages is shown: FINE: Failed to evaluate path/to/openidm/bin/defaults/script/router-authz.js script. FINEST: Resource exception: 403 Forbidden: "Access denied" org.forgerock.json.resource.ForbiddenException: Access denied ... Caused by: org.mozilla.javascript.JavaScriptException: [object Object] (/path/to/idm/bin/defaults/script/router-authz.js#484) You may also see this response: {"code":403,"reason":"Forbidden","message":"Access denied"}	These messages indicate an issue with the configuration in the access.json file (IDM 7 and later - located in /path/to/idm/conf) or the access.js file (IDM 6.x - located in /path/to/idm/script). In particular, this can happen if you have changed the default 'password' attribute in the AD password sync plugin configuration. See the Password attribute subsection below for resolution.

Error message

Meaning

WARNING: JSON resource exception org.forgerock.openidm.objset.InternalServerErrorException: org.forgerock.json.fluent.JsonException: org.forgerock.json.crypto.JsonCryptoException: key not found: ad-pwd-plugin-idm

This message indicates there is a problem with the IDM configuration; in particular, the key/alias name used to encrypt the password is unknown to IDM. You should check your configuration and verify that it is correct.

FINE: Client certificate subject CN=localhost, O=AD-pwd-plugin Self-Signed Certificate did not match allowed patterns

This message indicates that the client certificate is not recognized; you must add the certificate DN to the IDM configuration as detailed in the Keystores and certificates section.

One of the following error messages is shown: FINE: Failed to evaluate path/to/openidm/bin/defaults/script/router-authz.js script. FINEST: Resource exception: 403 Forbidden: "Access denied" org.forgerock.json.resource.ForbiddenException: Access denied ... Caused by: org.mozilla.javascript.JavaScriptException: [object Object] (/path/to/idm/bin/defaults/script/router-authz.js#484)

You may also see this response:

{"code":403,"reason":"Forbidden","message":"Access denied"}

These messages indicate an issue with the configuration in the access.json file (IDM 7 and later - located in /path/to/idm/conf) or the access.js file (IDM 6.x - located in /path/to/idm/script).

In particular, this can happen if you have changed the default 'password' attribute in the AD password sync plugin configuration. See the Password attribute subsection below for resolution.

AD password sync plugin configuration

You can obtain the AD password sync plugin configuration using one of the following approaches:

output settings and validate.
export configuration.

Output settings and validate

The idmsync.exe --validate command output provides information about the current password synchronization service settings so these can be checked for any obvious errors. Essentially, this command outputs the values of the registry entries under the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key and provides feedback about them being valid or not. You should correct any that are invalid.

You can run this command as follows from the command prompt:

C:\> cd \path\to\PasswordSync C:\path\to\PasswordSync> idmsync.exe --validate

Export configuration

You can export the AD password sync plugin configuration by navigating to the HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync registry key in Regedit, right-clicking on PasswordSync and then selecting export followed by text format. This exports the configuration to a text file.

IDM configuration files

The following configuration files (located in the /path/to/idm/conf directory) are useful to check how synchronization has been configured on the IDM side and compare with the AD configuration:

sync.json
managed.json
authentication.json
provisioner configuration file for AD, for example provisioner.openicf-ad.json.
access.json file (IDM 7 and later - located in /path/to/idm/conf) or access.js file (IDM 6.x - located in /path/to/idm/script).
any associated scripts used to manage or transform the password attribute during sync, such as a separate onUpdate script (these are typically located in the /path/to/idm/script directory).

Note

It can be very useful to add logging to your scripts to help identify the point at which an issue can occur. Refer to How do I add logging to JavaScript files in IDM (All versions)? and How do I add logging to Groovy scripts in IDM (All versions)? for further information.

Password attribute

If you have changed the default 'password' attribute in the AD password sync plugin configuration, you must also update the access.json file or the access.js file to use the new attribute. For example, if you have changed the attribute to adPassword, you would update the customAuthz field in the following section to replace 'password' with 'adPassword'; this attribute is case sensitive:

{ "pattern" : "managed/user", "roles" : "internal/role/openidm-cert", "methods" : "patch,action", "actions" : "patch", "customAuthz" : "isQueryOneOf({'managed/user': ['for-userName']}) && restrictPatchToFields(['adPassword'])" },

Related Training

ForgeRock Identity Management Deep Dive (IDM-420)

Related Issue Tracker IDs

N/A