Release Notes

 

 

IBM® Security

Active Directory 64-Bit Adapter

Version 7.1.27

 

Edition notice

 

Note:  This edition applies to versions 6.0 and 7.0 of the IBM Security Identity Manager and version 5.2 of the IBM Identity Governance and Intelligence and to all subsequent releases and modifications until otherwise indicated in new editions.

 

© Copyright IBM Corporation 2009, 2013, 2014, 2015, 2016, 2017

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

 

 


Contents

Preface
    Adapter Features and Purpose
    Service Groups Management
Contents of this Release
    Adapter Version
New Features
Closed Issues
Known Issues
Installation and Configuration Notes
    Corrections to Installation Guide
        Exchange Mailbox Security
        Chapter 4. Adapter installation
    Configuration Notes
        Table 14. Registry key descriptions
        Managed Folder Mailbox Policy
        Chapter 6 - Configuring the adapter for IBM Security Identity Manager
        Table 20. Attributes, descriptions, and corresponding data types
    Corrections to User Guide
        Force Password Change
Customizing or Extending Adapter Features
    Getting Started
    Support for Customized Adapters
Troubleshooting
    Log Output From Exchange and Lync PowerShell calls
    Exchange connection issues
Installation Platform
Notices
Trademarks


Preface

Welcome to the IBM Security Active Directory 64-bit (WinAD64) Adapter.

 

These Release Notes contain information for the following products that was not available when the IBM Security Identity Manager manuals were printed:

 

 

 

Adapter Features and Purpose

The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes on Exchange and Lync (Skype for Business). The adapter runs in "agentless" mode and communicates with the managed systems using the Microsoft ADSI API and PowerShell (for Exchange communication).

 

IBM recommends the installation of this adapter in "agentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.

 

The IBM Security adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

License Agreement

Review and agree to the terms of the IBM Security Identity Manager License prior to using this product. The license can be viewed from the "license" folder included in the product package.

 

Service Groups Management

The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0.  By service groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.

 

Managing service groups implies the following:

·        Create service groups on the managed resource.

·        Modify attributes of a service group.

·        Delete a service group.

Note that service group name change is not supported in the ISIM 6.0 release.

The Windows Active Directory x64 adapter supports service groups management.

 


Contents of this Release

Adapter Version

Component               Version

Build Date              2017 September 13 18.19.45
Adapter Version         7.1.27
Component Versions      Adapter Build: 7.1.27
                        Profile: 7.1.27
                        ADK: 7.0.3

 

Documentation

Check the IBM Security Identity Manager 6.0 Knowledge Center for the following guide(s):

IBM Security Active Directory Adapter with 64-Bit Support Installation and Configuration Guide

 


New Features

Enhancement # (FITS)    Description

Items included in 7.1.27 release

50831, 50763            Windows AD adapter to support mailbox attributes msExchRecipientTypeDetails and msExchRemoteRecipientType in integer8 format
50988                   Add businessCategory as a regular adapter attribute
43334                   Enhance AD Adapter to detect a user's email status for a remote mailbox (O365) and manage proxy addresses and other Exchange attributes
internal                Added support for remote mailboxes, to support Office 365 mailboxes in a hybrid Exchange environment
internal                Modified installer to default to SSL enabled


Items included in 7.1.26 release

44871                   Added support for Lync Mobility and Persistent Chat policies
internal                Now supports FIPS compliant mode


Items included in 7.1.25 release

internal                This release includes ADK 7.0.3, which updates OpenSSL to 1.0.2f to address a vulnerability to excessive CPU utilization


Items included in 7.1.24 release

internal                This release officially supports Windows Server 2016, both as a managed resource and as an installation platform


Items included in 7.1.23 release

internal                Now using ADK 7.0.1 with updated OpenSSL, ICU and SQLite, all built on Visual Studio 2012. The adapter is now built on Visual Studio 2012 using .NET 4.5 and no longer requires .NET 3.5 to be installed.


Items included in 7.0.20 release

42641                   Adapter support for Exchange 2016 and Lync 2015
42071                   Second and following Mailbox Move Requests fail on Exchange 2013
43225                   Reduce IO in WinAD Adapter for password change


Items included in 7.0.18 release

38935                   Support "Manager can update membership list" attribute for AD groups
38934                   Support display name attribute for AD groups
39511                   WinAD Adapter does not reconcile Lync Registry Pools from AD
40129                   ISIM AD Adapter customization for group object class
internal                Updated resource.def in profile to support external roles


Items included in initial release (7.0.16)

30303                   ISIM AD adapter unable to set mailbox retention policy check
internal                Now using ADK 6.0.1027, which provides an option to disable SSLv3. There is also support for setting the list of ciphers used.
internal                The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter Windows service.


Items included in 6.0.15 release

34001                   Added support for Exchange Automatic Mailbox Distribution. Supplying only eradealias without a mail store or external email address allows Exchange to determine the mail store to use based on load balancing.
31924                   Prevent deletion of user accounts that have a mailbox that is under litigation hold
32482                   Add support for msExchCoManagedByLink to group schema
29995                   Add support for msExchRequireAuthToSendTo to group schema
-                       Updated logging to include output from Lync and Exchange modules


Items included in 6.0.14 release

-                       The Password Synchronization plug-in is now released as a separate package. It is no longer bundled with the AD Adapter.
-                       Includes updated ADK 6.0.1020, which includes an update to prevent password values from being written to the log on password change failures


Items included in 6.0.13 release

-                       Includes updated ADK 6.0.1019, which includes version 1.0.1h-fips of OpenSSL.


Closed Issues

CMVC#   APAR#   PMR# / Description

Items closed in 7.1.27 release

01351,SGC,740           Error 0x00000037 and 0x80004005 trying to set eradnochangepassword
IV98275                 WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS AND ERADPREFERREDLYNCSERVERS IN TARGETPROFILE.JSON
IV97886 / IV98275       ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3


Items closed in 7.1.26 release

IV96432                 IN HYBRID EXCHG & O365, CREATING MAIL USER GETS REMOTE ONE BUT UPON MODIFY EXCHG ATTR - GETS LOCAL MAILBOX


Items closed in 7.1.25 release

IV85621                 WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE


Items closed in 7.0.21 release

IV84875 (reopened)      ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES


Items closed in 7.0.20 release

IV84875                 ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES
75802,227,000           Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false.
04723,001,862           WinAD Adapter Release Notes wrong and missing information


Items closed in 7.0.19 release

IV82951                 SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18


Items closed in 7.0.18 release

52479,004,000           ITIM adapter deleting the $IPC share accidentally
IV79632                 ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA.
IV79641                 AD ADAPTER INTERMITTENTLY CRASHES DURING RECONCILIATION
IV81775                 INVALID PARAMETER GENERATED FOR EXCHANGE 2013 PROVISIONING (-ManagedFolderMailboxPolicyAllowed)


Items closed in 7.0.17 release

IV78917                 ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE SPECIAL CHARACTERS IN THEIR EMAIL ADDRESS.
IV78758                 WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER DURING RECONCILE
IV78492                 AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID.
IV78286                 IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS ATTRIBUTES


Items closed in initial release (7.0.16)

IV73908                 Event Notification no longer working if USN-Changed attribute exceeds 7 digits


Items closed in 6.0.15 release

92067,69G,760           Test connection fails. Test connection now only reports a warning if the Domain/Forest functional level cannot be determined
06429,707,707           Change the default behavior for eradgroup to be add/delete rather than replace
-                       LyncDisableSearch registry setting in wrong location after install


Items closed in 6.0.14 release

13541,035,724           WTS attributes and recon error 1317
IV65653                 WinAD adapter reports success in case of AD group interface problems during reconciliation
IV67715                 eradlynctelephony and eradlynclineurl fail on modify to Lync
38947,031,724 / CVE-2014-8923
                        WinAD adapter logs password in clear text on password change failures. This addresses IBM Security Bulletin CVE-2014-8923.


Items closed in 6.0.13 release

IV61397                 Thread logging option not showing in WinAD adapter agentcfg program
IV62916                 WinAD adapter recon fails when AD cannot provide information about an attribute's schema
IV63714                 WinAD adapter crash if eradlynctelephony is NULL


Known Issues

CMVC#   APAR#   PMR# / Description

N/A     N/A     Support for Exchange and Lync is provided using remote PowerShell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote PowerShell. Setting the thread count higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy load.

N/A     N/A     Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007.

N/A     N/A     Service form fields:

                  • Administration User Account
                  • Administration User Password

                See "Corrections to Installation Guide", "Chapter 4. Adapter installation" section below.

 

 

N/A     N/A     Class 3 Certificates

Class 3 secure server CA-G2 certificates are not written properly to the "DamlCACerts.pem" file through the CertTool.exe utility. The certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE.

 

Work around: To correct this issue, follow the steps below and edit the "DamlCACerts.pem" file present in the "<Adapter installation path>\data" folder.

Step 1. Start the CertTool utility.

Step 2. Import the class 3 CA certificate by using the "F" option from the main menu of the CertTool utility.

Step 3. Once the class 3 CA certificate is successfully installed, open the "DamlCACerts.pem" file stored in the "<Adapter installed path>\data" folder using a text editor.

Step 4. Delete the class 3 CA certificate data (i.e. the content between BEGIN CERTIFICATE and END CERTIFICATE) from "DamlCACerts.pem".

Step 5. Open the class 3 CA certificate file using a text editor and copy the certificate data (between the BEGIN CERTIFICATE and END CERTIFICATE lines).

Step 6. Paste the certificate data into the "DamlCACerts.pem" file between the BEGIN CERTIFICATE and END CERTIFICATE lines of the same class 3 CA certificate. If more than one class 3 certificate is installed, you can identify the certificate using the issuer and subject data.

Step 7. Save the "DamlCACerts.pem" file.

Step 8. To verify that the "DamlCACerts.pem" file is edited properly, display the certificate information by using option "E" from the main menu of the CertTool utility.

Please note that this issue is seen after installing a class 3 CA certificate. If you correct DamlCACerts.pem and then install another class 3 CA certificate, the newly installed class 3 CA certificate will show the same issue.

This issue is also seen when you delete any certificate using option "G" from the main menu of the CertTool utility. The delete option affects all remaining class 3 CA certificates and you have to follow steps 1 to 8 to correct the DamlCACerts.pem file.
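As an added example (not part of the adapter package or these notes), the following Python script checks a DamlCACerts.pem bundle for the defect described above, a block whose certificate data appears twice between the BEGIN and END lines, and rebuilds such blocks with a single copy so the result of steps 4 to 7 can be verified or automated. It assumes the duplicate was written either as doubled base64 text or as doubled certificate bytes, and it judges a block by whether its outer DER SEQUENCE length covers the whole payload; the sample bundle is constructed, with a 5-byte DER SEQUENCE standing in for a real certificate.

```python
"""Detect and repair PEM blocks whose certificate data was written twice."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_declared_length(data: bytes):
    """Total length claimed by the outer DER SEQUENCE header of `data`,
    or None if the bytes do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_well_formed_der(data):
    """True when the SEQUENCE header accounts for exactly all of `data`.
    A doubled certificate fails this: the header describes only the first copy."""
    return data is not None and der_declared_length(data) == len(data)


def decode_b64(text: str):
    """Strict base64 decode, or None when the text is not one clean run."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def wrap64(b64: str) -> str:
    """Re-wrap a base64 payload at the conventional 64 characters per line."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def repair_body(body: str):
    """Return (body_text, was_doubled) for the text between BEGIN and END."""
    compact = "".join(body.split())
    half = len(compact) // 2
    # Case 1: the base64 text was written twice ("=" padding may sit mid-stream).
    if len(compact) % 2 == 0 and compact[:half] == compact[half:]:
        if is_well_formed_der(decode_b64(compact[:half])):
            return wrap64(compact[:half]), True
    # Case 2: the DER bytes were doubled and re-encoded as one base64 run.
    raw = decode_b64(compact)
    if raw is not None and not is_well_formed_der(raw):
        h = len(raw) // 2
        if len(raw) % 2 == 0 and raw[:h] == raw[h:] and is_well_formed_der(raw[:h]):
            return wrap64(base64.b64encode(raw[:h]).decode("ascii")), True
    return body, False                    # healthy, or broken in another way


def repair_pem_bundle(text: str):
    """Rewrite every doubled block in `text`; return (new_text, repaired_count)."""
    count = 0

    def _sub(match):
        nonlocal count
        body, doubled = repair_body(match.group(1))
        count += doubled
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"

    return PEM_BLOCK.sub(_sub, text), count


# Constructed sample: "MAMCAQU=" is the base64 of a 5-byte DER SEQUENCE
# (30 03 02 01 05), standing in for a real certificate. The second block
# carries the data twice, as CertTool writes it in the defect described above.
GOOD_B64 = "MAMCAQU="
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + GOOD_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + GOOD_B64 + GOOD_B64 + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fixed, n = repair_pem_bundle(SAMPLE_BUNDLE)
    print(f"repaired {n} block(s)\n{fixed}")
```

Run it against a copy of DamlCACerts.pem and compare the count with what CertTool option "E" shows; a real bundle decodes with the same rule, only with longer long-form DER lengths.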

 

 


Running in Federal Information Processing Standards compliance mode

 

Security Identity Adapters can be operated with FIPS 140-2 certified cryptographic modules. FIPS 140-2 is a standard from the US National Institute of Standards and Technology (NIST) that applies to cryptographic modules.

 

Two FIPS 140-2 modules are used:

·        IBM Java Cryptographic Extension

·        OpenSSL module

 

Use of these modules does not imply any certification of the Security Identity Adapters themselves. However, for the correct use of these FIPS 140-2 modules, IBM customers need to follow the instructions listed below.

 

The fipsEnable tool allows the adapter to be Federal Information Processing Standards (FIPS) compliant. The fipsEnable tool causes the adapter to use a FIPS-certified encryption library so that all cryptographic keys that are used are generated by a FIPS-compliant algorithm. Any communications with the adapter are also secured. The tool generates the FIPS master key, enables the FIPS mode setting, changes the USE_SSL parameter to TRUE and re-encrypts the existing encrypted values for:

 

·        agentCfg key

·        ADK user name and password

·        Adapter specific encrypted registry items

 

Note: After FIPS mode is enabled, it cannot be disabled. You must reinstall the adapter, if you want to disable FIPS mode.

 

Configuring the adapter to run in FIPS mode

1. Install the adapter.

2. Run the fipsEnable tool. Issue the command:

fipsEnable -reg agentName

3. Restart the adapter.

 

Operational differences running in FIPS mode

The ADK protocol that’s used to communicate between the adapter and the ADK service provider must run in SSL mode. The fipsEnable tool sets the ADK SSL mode to TRUE. In SSL mode, however, you must install a server certificate because the fipsEnable tool does not convert an existing ADK certificate and key.

 

Note: You cannot import a PKCS12 file containing a certificate and key. You must use CertTool (option A) to create a Certificate Signing Request (CSR) and have it signed by a Certificate Authority. You can then install the signed certificate with CertTool (option B).

 

The agentCfg tool automatically detects when the adapter is running in FIPS mode and initializes the encryption library in FIPS mode. In addition, the ADK only accepts agentCfg connections from localhost (127.0.0.1).

 

Security policy

For FIPS compliance, a security policy must be defined that outlines the requirements for the end user to operate the application in a FIPS-compliant mode. The software ensures that the correct algorithms and keys are used; however, additional requirements for the environment are the responsibility of the security officer. The security policy defines two roles, security officer and user. It defines the extent to which each of these persons can physically access the workstation, file system and configuration tools. The security of the workstation, of the file system, and of the configuration is the responsibility of the security officer.

 

Authentication roles

The FIPS security policy normally defines separate roles for a security officer and a user. In the case of an adapter, the user role is actually the IBM Security Identity Manager (ISIM) or Identity Governance and Intelligence (IGI) server. The installation and configuration of the adapter needs to be performed by the security officer.

 

It is the responsibility of the security officer to ensure that the proper physical and logical security is in place to prevent access to the adapter by unauthorized personnel. This means that the physical workstation must be in a secure location that is accessible only by persons with the authority and access privileges of the security officer. In addition, the security on the folder in which the adapter is installed must be configured to prevent access by personnel other than security officers.

 

For Windows installations, the system registry must be secured at the top-level key for the adapter to prevent access by personnel other than security officers.

 

Rules of operation

·        The replacement or modification of the adapter by unauthorized intruders is prohibited.

·        The operating system enforces authentication methods to prevent unauthorized access to adapter services.

·        All critical security parameters are verified as correct and are securely generated, stored, and destroyed.

·        All host system components that can contain sensitive cryptographic data (main memory, system bus, disk storage) must be located in a secure environment.

·        The operating system is responsible for multitasking operations so that other processes cannot access the address space of the process containing the adapter. Secret or private keys that are input to or output from an application must be encrypted using a FIPS-approved algorithm.

 

Remote Mailbox Support

The adapter now supports remote mailboxes. This allows Office 365 mailboxes to be supported in a hybrid Exchange environment. A new attribute (erADEremoteAddress) has been added to the user object to support this feature. There are now 4 ways to create a mailbox with the adapter:

  1. Supply a mailbox store (erADEmailboxStore) to create a standard mailbox on the local Exchange server
  2. Supply a target mail address (erADEtargetAddress) to create an external mail account
  3. Supply a valid remote mail address (erADEremoteAddress) to create a remote mailbox
  4. Don't supply any of the above attributes, but supply any Exchange attribute (such as erADEalias) to create a standard mailbox and allow Exchange to decide which mail store to use.

To delete a mailbox, simply delete the value for the mail store or mail address.

The remote address and target address values use the same user attribute to store their value. The msExchRecipientType value indicates whether the mailbox is remote or not. Currently remote addresses appear in the target address field. You will need to run a full reconciliation after installing this update to populate the remote addresses.

 

Installation and Configuration Notes

See the IBM Security Windows Local Account Adapter Installation and Configuration Guide for detailed instructions.

 

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

Exchange Mailbox Security

 

The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange.  This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected.  The adapter now uses the same values for all Exchange security settings.  1=Allow, 2=Deny and 0 or no value=None.

 

Chapter 4. Adapter installation

Section "Adapter user account creation"

 

The following paragraph is incorrect:

The account information must be supplied on the Active Directory Adapter service form. See “Creating an adapter service” on page 14 for information about creating a service.

 

Furthermore, you must not supply the account information on the service form. The following two fields on the adapter service form are not used and must be blank:

·        Administration User Account

·        Administration User Password

The adapter account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the logon tab of the Windows service that is named ISIM Active Directory Adapter.

 

Configuration Notes

The following configuration notes apply to this release:

Table 14. Registry key descriptions

 

The registry key "LyncDisableSearch" has been added to allow disabling of the Lync attributes that can significantly affect performance during a search request. Setting this value to "TRUE" causes the Lync attributes that are not stored as LDAP values, and must be retrieved with a PowerShell call, to be left out of the search results.

 

Managed Folder Mailbox Policy

 

The supporting data returned by the adapter for Managed Folder Mailbox policies may include policies that are not Managed Folder policies. This is because the Managed Folder policies use the same object class as other Exchange policies. When setting a Managed Folder Mailbox policy for an account, make sure it is a Managed Folder policy.

Exchange retention policies and managed folder policies are objects of the same class. The only distinction is the LDAP container in which they reside. In order to support managed folder policies, the adapter returned all objects from AD that were of that object class. This resulted in retention policies being mixed in with the managed folder policies. Both policies are of the same object class and, when selected, use the same user attribute. To address this issue, the adapter now examines the DN of the policy, determines whether it is a retention policy or a managed folder policy, and issues the appropriate PowerShell command to set it. For backward compatibility, if the policy type cannot be determined it is assumed to be a managed folder policy. Both policies use the same adapter attribute 'erADEMailboxFolderPolicy'. The label for this attribute has changed from "Managed Folder Mailbox Policy" to just "Mailbox Policy".

 

Managed folder policies and retention policies are now treated as separate items.  The type of policy is determined by the location in the Active Directory LDAP. 

 

Important note: Setting the folder policy on Exchange 2010 requires a command line switch for the PowerShell cmdlet (ManagedFolderMailboxPolicyAllowed) that suppresses a user prompt that would otherwise block the adapter. This switch is not supported on Exchange 2013 and later and causes the setting of the policy to fail there. The adapter searches for Exchange servers in AD at startup and assumes the highest version of Exchange found. If you have a mixed environment of 2010 and 2013 or later servers, you should set the preferred servers in the service form to point only to 2013 or later servers. Since the adapter assumes the higher version, any policy request that gets executed on a 2010 server will not have the command line switch and will block indefinitely waiting for user input.

Chapter 6 - Configuring the adapter for IBM Security Identity Manager

 

Under the section “Adding search attributes for event notification", these attributes are now supported by the service interface:

 

erADPreferredExchangeServers

erADPreferredExchangeServersOnly

erADPreferredLyncServers

erADPreferredLyncServersOnly

 

Table 1. Attributes, descriptions, and corresponding data types

These items should be added to the table of attributes:

Directory server attribute          Description                                                                  Data type
erADPreferredExchangeServers        Comma separated list of Exchange server host names                           string
erADPreferredExchangeServersOnly    Flag to force using preferred servers only                                   string
erADPreferredLyncServers            Comma separated list of Lync server host names                               string
erADPreferredLyncServersOnly        Flag to force using preferred servers only                                   string
erADEGroupCoManagedByLink           Multi-valued list of DNs of co-managers for a distribution group             string
erADEGrpRequireAuthToSendTo         Flag to allow only authorized users to send mail to a given distribution group   boolean

 

 

Corrections to User Guide

The following corrections to the User Guide apply to this release:

 

Force Password Change

The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account" of the User Guide.

 

It should read as follows: "If you select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to -1".

 

Table 7. Options for the DAML protocol menu

A new option L should be included in the table of DAML protocol options.

 

Displays the following prompt:

 

Modify Property ‘DISABLE_SSLV3’:

 

SSLv3 is now considered an insecure protocol and is disabled by default. In order to enable SSLv3 you need to set this value to FALSE. If this value does not exist or is anything other than FALSE, the SSLv3 protocol will be disabled when using SSL.

 

Chapter 7

 

The section “Modifying protocol configuration settings" should add this section for setting the SSL cipher list.

 

Setting the Cipher list

The DAML protocol now checks for an environment variable called "ISIM_ADAPTER_CIPHER_LIST". This variable can contain a list of ciphers for the SSL protocol. DAML uses the OpenSSL library to support SSL, and this cipher string is passed to OpenSSL during initialization. The cipher names and the syntax can be found on the OpenSSL web site ( https://www.openssl.org/docs/apps/ciphers.html ). When this string is used, it only fails if none of the ciphers can be loaded; it is considered successful if at least one of the ciphers is loaded.
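As an added check (not part of the adapter or these notes), the following Python script runs a candidate ISIM_ADAPTER_CIPHER_LIST value through OpenSSL's cipher-string parser by way of Python's ssl module, reporting whether OpenSSL would reject the string outright (no cipher loadable) and which entries load or are silently dropped under the "at least one loaded" rule. It assumes the OpenSSL bundled with the local Python is close enough to the ADK's to be a useful preview; the sample value is constructed.

```python
"""Preview what OpenSSL will load from an ISIM_ADAPTER_CIPHER_LIST value."""
import os
import ssl

ENV_NAME = "ISIM_ADAPTER_CIPHER_LIST"


def load_cipher_list(cipher_string: str):
    """Apply the string as SSL_CTX_set_cipher_list would.
    Returns (accepted, names): accepted is False only when OpenSSL can load
    none of the ciphers, the single failure case the DAML protocol reports;
    otherwise names is what the context will offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, []
    # TLS 1.3 suites are configured separately by OpenSSL and may be listed
    # regardless of the string; the cipher string governs TLS 1.2 and below.
    return True, [c["name"] for c in ctx.get_ciphers()]


def silently_dropped(cipher_string: str):
    """Plain cipher names in the list that OpenSSL cannot load on their own.
    A misspelt entry is not an error as long as some other entry loads, so
    this catches the typo that the 'at least one loaded' rule would hide."""
    dropped = []
    for entry in cipher_string.split(":"):
        if not entry or entry[0] in "!-+@":      # modifiers, not cipher names
            continue
        if not load_cipher_list(entry)[0]:
            dropped.append(entry)
    return dropped


def check_env(env=os.environ):
    """Evaluate the variable as the adapter would see it; None if unset."""
    value = env.get(ENV_NAME)
    if value is None:
        return None
    accepted, names = load_cipher_list(value)
    return {"accepted": accepted, "loaded": names,
            "dropped": silently_dropped(value)}


if __name__ == "__main__":
    # Constructed sample: one real suite plus a misspelt one (missing a digit).
    sample = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA38"
    print(check_env({ENV_NAME: sample}))
```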

 

Customizing or Extending Adapter Features

The IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

 

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

 

 

 

IBM Security Identity Manager Resources:

 

Check the “Training" section of the IBM Security Identity Manager Support website for links to training, publications, and demos.

 

This adapter now supports extending the schema for group objects as well as user objects.  The procedure is the same as for user objects except that the file name used for the extended attributes is exschemagrp.txt.

 

Support for Customized Adapters

The integration to the IBM Security Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Troubleshooting

Log Output From Exchange and Lync PowerShell calls

The adapter uses a remote PowerShell session to communicate with Exchange and Lync servers. This code runs as a pair of COM servers in the .NET environment and as such does not have access to the adapter logging functions. However, these modules do write messages to the console. To see these log messages, you must run the adapter in console mode, by running the adapter directly from the command line and specifying -console as a command line option. This causes all of the adapter logging, as well as any output from the Exchange and Lync modules, to be written to the console. To capture the logging to a file, simply redirect the output of the adapter to a file. For example:

 

>ADAgent.exe -console > adagent.log

 

Exchange connection issues

The adapter uses remote PowerShell sessions to manage Exchange servers. If the adapter has issues connecting to the servers, you can manually run the PowerShell cmdlets that the adapter uses to troubleshoot the connection errors.

 

Use this command to create a new session on the remote server.  Replace <hostAddr> with the actual hostname or IP of the Exchange server.

 

PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri http://<hostAddr>/Powershell -authentication Kerberos

 

Use this command to import the remote session into your local session.  If this is successful, you should be able to run any Exchange cmdlets as if you were on the Exchange server.

PS>import-pssession $mySession

 

Issues when used with multiple Exchange versions

When you have both Exchange 2010 and Exchange 2013 servers in the same environment, there are some limitations that must be understood.  Requests executed on a 2013 server cannot create mailboxes on a 2010 server and vice versa.  This means that mailboxes cannot be moved from one version to the other.  It is possible to modify or delete mailboxes on either server.

Exchange 2013 and 2016 servers do not have any limitations on creating mailboxes on each other’s server.

Preferred servers

There is no API for managing Exchange servers. They are managed through the use of PowerShell cmdlets, and the required cmdlets are only available on the Exchange servers. The adapter must therefore use a remote PowerShell connection to one of the servers to execute the cmdlets that process a request.

The adapter uses the concept of preferred servers for both Exchange and Lync. When a request comes in, the adapter must connect to a remote server to execute the request. By default it does an LDAP search into AD to find the servers, then tries to connect, and uses the first server that it can connect with. If preferred servers are specified, the adapter will try to connect with those servers first. Setting the exclusive flag to TRUE will force the adapter to use only the preferred servers.

Keep in mind that the preferred servers are where the request is executed. This has nothing to do with where mailboxes are created. The account attribute erMailboxStore specifies the mail database, which is not necessarily on the preferred server.

 

The preferred server option allows you to force requests to be executed on either a 2010 or a 2013 server. We recommend that all new mailboxes be created on 2013 servers, with the preferred servers pointing to 2013 servers. You could also create all new mailboxes on 2010 servers in the same way. The adapter is not able to create new mailboxes on both versions of Exchange at the same time.

 

Installation Platform

The IBM Security Identity Manager Adapter was built and tested on the following product versions.

 

Adapter Installation Platform: 

 

Windows 7

Windows Server 2012

Windows Server 2012 R2

Windows 10

Windows Server 2016

 

 

Managed Resource:

Active Directory on Windows Server 2012

Active Directory on Windows Server 2012 R2

Active Directory on Windows Server 2016

 

With optional:

 

Exchange Server 2013

Exchange Server 2016

Lync Server 2013

Skype for Business Server 2015

 

 

IBM Security Identity Manager:

IBM Security Identity Manager v7.0

Notices

 

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

 

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

 

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785 U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing

Legal and Intellectual Property Law

IBM Japan, Ltd.

1623-14, Shimotsuruma, Yamato-shi

Kanagawa 242-8502 Japan

 

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

 

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

 

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

 

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

 

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

 

IBM Corporation

2Z4A/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

 

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

 

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

 

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

 

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

 

This information is for planning purposes only. The information herein is subject to change before the products described become available.

 

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

 

COPYRIGHT LICENSE:

 

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

 

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

 

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

 

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

 

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

 

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

 

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

 

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

 

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

 

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

 

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

 

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

 

UNIX is a registered trademark of The Open Group in the United States and other countries.

 

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

 

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

 

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

 

Other company, product, and service names may be trademarks or service marks of others.

 

End of Release Notes