
Password Capture Agent - PasswordChangeNotify()

Hi all

I've just installed the PCA for OneIdentity Manager v7.1.1 (D1IMPWCaptureAgent.dll = 2.0.0.2).

The configuration is made as follows:

WebClient.AuthenticationType = WindowsIntegrated
Backend.AuthenticationModule = DialogUser
Backend.Credential = viCaptureAgent

When I open the SOAP Service from the Domain Controller's IE (https://domain.fqdn.ch/D1IMSoapService/Q1IMService.asmx?wsdl) it works like a charm. Opening the Object Browser as the system account viCaptureAgent also works. However, when I change a password (i.e. a PWReset from dsa.msc), the Event Viewer shows the following error:

Error:

System-Code: -1 (0xFFFFFFFF)

Job failed:

Job Id='2017.02.28 09:50:33.514' User='username' failed:

Within Service: Exception caught within call 'PasswordChangeNotify()':

System.TimeoutException: The request channel timed out while waiting for a reply after 00:00:17.9217439. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'domain.fqdn.ch/.../Q1IMService.asmx' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out

at System.Net.HttpWebRequest.GetResponse()

at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).........


The IIS log on the One Identity gateway server, which has the SOAP Service installed, shows:

2017-02-28 09:56:50 10.1.96.92 GET /D1IMSoapService/Q1IMService.asmx op=CallFunction 443 PTST\callingUser 10.10.10.10 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://domain.fqdn.ch/D1IMSoapService/Q1IMService.asmx 200 0 0 46
2017-02-28 09:57:25 10.1.96.92 POST /D1IMSoapService/Q1IMService.asmx - 443 - 10.10.10.10 - - 401 2 5 0
2017-02-28 10:00:29 10.1.96.92 POST /D1IMSoapService/Q1IMService.asmx - 443 - 10.10.10.10 - - 401 2 5 0


Why can I test it successfully, but when the PCA tries to use the service it gets a 401 written to the IIS log? Can someone point me in the right direction?

Thanks a lot
Kind regards,

Rolf Joggi

  • Hi Rolf,

    When accessing the SOAP Service with your browser on the Domain Controller, you are most likely using your own account or some other administrative account to do so. The Password Capture Agent service that transmits the changes to the SOAP Service, on the other hand, is most likely running as Local System.

    Could you please check your IIS authorization rules?

    The default, if unchanged, would be "Allow -> All Users", but it should be changed if you want to access the service as a machine account.

    Please try editing the Authorization rules as follows:
    1. Allow -> Domain Controller
    2. Allow -> Other Group of Users you want access with
    3. Deny -> All Users

    This should allow the Domain Controller Machine Account to access the Soap webservice.

    We haven't had any timeout issues in our labs, and even though you would get an unauthorized response, that should not cause a timeout, because the request is answered with HTTP 401.
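The three authorization rules Dominic lists, written as a PowerShell script for the WebAdministration module so the change is repeatable and reviewable. This is an added example, not code from the thread or from One Identity; the site name, the application path (taken from the URL quoted in the question), the domain `PTST` (taken from the IIS log) and the group names are assumptions to replace with your own. It also removes the inherited "Allow -> All Users" rule for the application, which is what IIS Manager does behind the scenes when you add the Deny rule, and refuses to run if Windows Authentication is not in place, since URL Authorization can only match a user that the authentication module has produced.

```powershell
# Added example (not from the thread or One Identity): apply the URL
# Authorization rules described above to the SOAP service application.
# Run in an elevated PowerShell on the IIS host.
#
# Assumed values (replace with your own):
#   'Default Web Site'         site hosting the SOAP service
#   'D1IMSoapService'          application path from the URL in the question
#   'PTST\Domain Controllers'  group containing every DC that runs the PCA;
#                              a single computer account such as 'PTST\DC01$'
#                              given as a user would also work
#   'PTST\OneIM-Admins'        hypothetical group that may call the service
#                              interactively, e.g. for browser tests
Import-Module WebAdministration

$site      = 'Default Web Site'
$app       = 'D1IMSoapService'
$psPath    = "IIS:\Sites\$site\$app"
$authzPath = 'system.webServer/security/authorization'

# URL Authorization only sees a user if Windows Authentication produced one,
# so make sure the application is not answering requests anonymously.
$winAuth = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
$anon    = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
if (-not $winAuth.Value -or $anon.Value) {
    throw "Enable Windows Authentication and disable Anonymous Authentication on $psPath first."
}

# Drop the inherited default rule ("Allow -> All Users") for this application.
# An authorization rule is keyed by users + roles + verbs, so all three are given.
Remove-WebConfigurationProperty -PSPath $psPath -Filter $authzPath -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }

# 1. Allow -> Domain Controller(s). Local System authenticates on the network
#    as the computer account, which is a member of this group.
Add-WebConfigurationProperty -PSPath $psPath -Filter $authzPath -Name '.' `
    -Value @{ accessType = 'Allow'; roles = 'PTST\Domain Controllers' }

# 2. Allow -> any other group that needs the service.
Add-WebConfigurationProperty -PSPath $psPath -Filter $authzPath -Name '.' `
    -Value @{ accessType = 'Allow'; roles = 'PTST\OneIM-Admins' }

# 3. Deny -> All Users.
Add-WebConfigurationProperty -PSPath $psPath -Filter $authzPath -Name '.' `
    -Value @{ accessType = 'Deny'; users = '*' }

# Print the rule set now configured for the application, for review.
Get-WebConfiguration -PSPath $psPath -Filter "$authzPath/add" |
    Select-Object accessType, users, roles, verbs
```

After running it, a request from the domain controller should show up in the IIS log as a 401 challenge followed by a 200 entry carrying the computer account as cs-username; a client that only ever produces 401 entries, as in the log quoted in the question, never completed authentication at all, which is a separate problem from the rule set (in this thread it turned out to be the proxy configuration).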
  • Hi Dominic

    Finally I found the root of the problem. It was the "automatically detect proxy settings" option, which is set by GPO here at the customer's site. After removing that and configuring the authorization rules as you described, it worked as designed.

    Thanks for your help
  • Great,

    Thanks for your feedback.