IDSync® for Odin Automation

Common Technical Support Topics & Questions

If you have any questions or problems not listed below, or need further clarification, please email [email protected] or call 800-908-7962 during normal business hours. International support phone numbers are listed at http://www.idsync.com/support/.

Note: Please use browser search to find keywords.

Installation

Request license key

Security FAQs

How good is the security of IDSync?

Very strong: AES-256 (double salted), use of HTTPS, and vetted by some of the best security people in the world, who have hundreds of thousands of customers in their care.

How is HTTPS used in an IDSync scenario?

We have integrations to many different products and multiple provisioning systems, and we RECOMMEND that ALL communication be performed over a secure channel. HTTPS is used by us for all of our integrations that use HTTP as a protocol. IDSync highly recommends HTTPS as a best practice and as additional protection for any site that is deployed in production use.

What is your overall strategy as it pertains to security for IDSync?

Security and encryption are something we take very seriously. We do not leave the security to Windows or to SQL Server alone for these very reasons – we implement our own security using AES-256 encryption with a salt on top of that. The security and meta-data used by IDSync are definitely encrypted, but SQL Server connections can also be encrypted quite easily. It has been a standard function of SQL Server for quite a while. IDSync supports SSL encrypted SQL connections and we fully support their use in a hosted environment.

The only servers that require the IDSync™ Agent are the domain controllers themselves.

What is your relationship to Microsoft’s official API?

The APIs that we use for IDSync™ are the OFFICIAL Microsoft APIs and we have been in environments where other applications that use them exist. They are used by us and other Microsoft Partners for AD integration as a standard practice. We can guarantee that our product will not interfere with other software products and that, as long as our API entries are not removed or modified by those products, we will operate normally and as expected.

Can you explain what the IDSync™ Gateway is and what it is used for?

IDSync™ Gateway is a security component of IDSync™ that protects customers' application web services (POA Web Service, for example, as seen below) from being exposed to the public internet. Our Gateway sits just outside the customer's firewall and proxies communication messages to the Web Service inside the LAN. Our Gateway provides hardened authentication that gives no textual response when a disconnection occurs due to improper authentication. This ensures that our gateway provides no clues to an outsider attempting to connect to the Web Service.

Authentication is accomplished over a secure SSL channel using three encrypted pieces of data: UserID/Password, Account Number, and License Key. If any of these data elements fail to decrypt, or if they cannot be validated from their source (license key is validated against the IDSync™ licensing server, Account is validated against the web service, and User ID/Password is validated against a security database), the connection is immediately severed.

General FAQs

Distribution lists are not getting updated without manual intervention.

  • The service is running under an account that appears to have domain admin rights, and this is reflected in the process. Create a new service account and set the service to run under that context.

Creating contact fails, can’t create

  • Missing email address or alias

Database Connectivity

Database will not connect

After entering the database information for IDSync, click the “…” button to verify connectivity. If the program displays an error saying “connection to database failed.”, verify the following settings.

1. Verify that the SQL Server Browser service is running on the SQL server. To check this, open the SQL Server Configuration Manager through the Start menu.

2. Verify that the TCP/IP and Named Pipes protocols are enabled for the server. This can also be verified in the SQL Server Configuration Manager.

3. The IDSync database is auto-created once a connection is successful. If you receive an error stating that the account does not have sufficient permissions to create the database, change the user name and password fields to an account with the necessary permissions to create a new database.

4. If these settings aren’t available or cannot be changed, SQL Server Express can be installed to host the IDSync database.
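
The checks in steps 1 and 2 can be scripted from the machine that needs to reach the database. This is an added example, not IDSync's own tooling; the host name SQL01, port 1433 and Windows authentication are assumptions. It also requests an encrypted connection and reports whether the session really is encrypted.

```powershell
# Added example (not part of IDSync). Written for Windows PowerShell 5.1;
# Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.
$SqlServer = 'SQL01'   # hypothetical SQL Server host name
$SqlPort   = 1433      # default-instance TCP port; named instances may differ

# Step 1: state of the SQL Server Browser service (service name SQLBrowser).
$browser = Get-Service -ComputerName $SqlServer -Name 'SQLBrowser' -ErrorAction SilentlyContinue
if ($null -eq $browser) { 'SQL Server Browser: not found or host not reachable' }
else                    { "SQL Server Browser: $($browser.Status)" }

# Step 2: is the TCP/IP listener reachable through any firewall in between?
$tcp = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
"TCP $SqlPort reachable: $($tcp.TcpTestSucceeded)"

# Open a test connection that demands encryption and a trusted server certificate.
$connString = "Server=$SqlServer,$SqlPort;Database=master;Integrated Security=SSPI;" +
              'Encrypt=True;TrustServerCertificate=False;Connect Timeout=10'
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # encrypt_option is 'TRUE' or 'FALSE' for this session.
    # Reading sys.dm_exec_connections requires VIEW SERVER STATE.
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    "Session encrypted: $($cmd.ExecuteScalar())"
}
catch {
    # An untrusted or missing certificate fails here rather than falling back to cleartext.
    "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```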

AD Connectivity

If a connection error occurs when opening a user, distribution list, or contact in Active Directory, open the “Syncronizer.Agent.Config” executable (as administrator on Windows 2008 or Windows 2012), which can be found in C:\program files\identity syncronizer, and verify the database connection parameters are correct. If anything needs to be changed, update the fields and click either apply or ok.

Tab Error

If you get a general composition error when opening up properties in Active Directory:

  1. Close ADUC.
  2. Then run the “Syncronizer.ManagementConsole.Installer” executable in C:\program files\identity syncronizer (as administrator on server 2008 or 2012). Make sure the “Enable AD Users and Computers” checkbox is checked and click “OK”.
  3. After the program completes it will display a dialog stating installation is complete. Click “OK” on the dialog and open ADUC to verify the Parallels tab is available.

Error When Opening the IDSync Management Studio

If the following error is displayed while opening the IDSync management studio:

 

Click “continue”. This will not affect the operation of the program.

Error Validating Key

Resolution: Add an exception to the proxy server to allow anonymous access to the IDSync licensing service.

Password FAQs

Manual Password Agent Installation

If the IDSync password agent does not get pushed successfully to a domain controller, the following process can be used to install it manually.

1. Run “IDSync.msi” from C:\

2. If this file is not available, it can be found on the machine that the transaction processing service is installed on, in C:\program files\identity syncronizer\plugins\installers\x86 for 32 bit machines or C:\program files\identity syncronizer\plugins\installers\x64 for 64 bit machines.

3. Select a “custom installation” and disable the following options

 

4. During the installation process, depending on what data was able to be pushed from the service machine, there may be errors displayed. Click ok or continue on these errors to complete the installation process.

5. Once the installation process is complete, run the “Syncronizer.Agent.Config” executable (as administrator on Windows 2008 or Windows 2012), which can be found in C:\program files\identity syncronizer, and enter the database connection information. After the installation is complete the domain controller will need to be rebooted to begin capturing passwords.

Passwords are not getting captured

If “change password” transactions are not getting captured, check the following items on the domain controllers:

1. Has the domain controller been rebooted after the installation of the password agent? If not, it will need to be restarted before passwords can be captured.

2. Is password capture enabled? Open “Syncronizer.Agent.Config.exe” found in C:\program files\identity syncronizer and verify that the “Enable synchronization” checkbox is checked. If it is not, check it and click apply or ok. If the “Identity Syncronizer – Agent Service” is running, it will need to be restarted for the change to apply.

 

3. Is the “Identity Syncronizer – Agent Service” running? If not, it will need to be started.

Creating User Accounts Without A Password

Parallels cannot create a new user account without a password. If a transaction is submitted to create a new user account and IDSync does not have a password for the user, the transaction will fail. To create the account, generate a change password transaction and, once it has processed, re-enable the transactions in the IDSync management studio to create the user and they should process.

LAN FAQs

Firewall was not configured to allow outgoing traffic to either the licensing server or gateway.

  • Modify firewall to allow communications

DCs cannot connect to SQL server.

  • Open ports on Windows Firewall on the machine hosting SQL Server.
  • Turn off Windows Firewall

MMC tabs cannot connect to database.

  • Check the firewall on the machine hosting the SQL Server and verify connectivity
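
Opening the SQL port on the Windows Firewall of the SQL Server host can be limited to the domain controllers, which keeps the firewall enabled for everything else. This is an added example, not part of IDSync; the addresses, port and rule name are assumptions, and the NetSecurity cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not part of IDSync). Run elevated on the SQL Server host.
# Assumed values: replace with your own domain controllers and SQL port.
$DomainControllers = '10.0.0.10', '10.0.0.11'   # hypothetical DC addresses
$SqlPort  = 1433                                # default instance; a named instance uses
                                                # its own port plus UDP 1434 for the Browser
$RuleName = 'SQL Server inbound from domain controllers'   # hypothetical rule name

# Create the rule once; on later runs only refresh the allowed source addresses.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $SqlPort -RemoteAddress $DomainControllers `
        -Profile Domain | Out-Null
}
else {
    $rule | Set-NetFirewallRule -RemoteAddress $DomainControllers
}

# Show which remote addresses the rule now admits.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Confirm the firewall is still enabled on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled
```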

User linking not returning data.

  • Open firewall to allow DCs to access gateway/licensing service

 

Domain Controller FAQs

What versions of MS SQL Server are supported?

SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012

Is IDSync supported in 2003 Active Directory?

Yes

Is IDSync compatible with Windows Server 2003?

Yes

Is it possible to set up IDSync in a non-default instance of SQL Express?

Yes

Does IDSync support complex domains?

Yes, extra configuration required

Password changes not getting captured when a change is made on a non-DC machine by a user without domain admin credentials.

  • Work-around by running ADUC with domain admin credentials

License Update Available

Coming soon

  last updated: 01/15/14