Issue saving DGE service account in manager 7.1.2

Hey Folks,

So I have installed the DGE bits and configured my AD Accounts as the data governance administrators. The Data Governance views in manager render the managed hosts as expected. 

 

The next step however (keep me honest here) is to add the service account, and start installing agents on hosts. The problem I am having is that when I attempt to set the service account in our domain, I am getting a bad password error.

I have quadruple checked the password and I know that it is good.

This is the error:

 

[1025012] Object (QDGE-Service-User) could not be saved!
[810306] Error during execution of 'OnSaving' in logic module 'QAMServiceAccount'.
	at VI.DB.Entities.EntitySingleDbObject.<>c__DisplayClass36_0.<<Save>b__0>d.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.EventUnitOfWork.<PutAsync>d__2.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.PermissionsUnitOfWork.<PutAsync>d__10.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.EventUnitOfWork.<PutAsync>d__2.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.UnitOfWorkImpl.<PutAsync>d__37.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.DbEntitySink.<PutAsync>d__15.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.InteractiveSaveEntityStrategy.<OnSavingAsync>d__3.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Entities.CombinedEntityLogic.<_CollectChangesAsync>d__28.MoveNext()
Quest.Titan.Common.Exceptions.ExternalException: System.ComponentModel.Win32Exception: The user name or password is incorrect
	at VI.DB.Entities.CombinedEntityLogic.<_CollectChangesAsync>d__28.MoveNext()
	at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
	--- End of stack trace from previous location where exception was thrown ---
	at VI.DB.Customizer.<VI-DB-Entities-IEntityLogic-OnSavingAsync>d__71.MoveNext()
	at VI.DB.Customizer._CollectEvents(IEntity entity, Action action)
	at Quest.Titan.Client.Q1IM.Customizer.QAMServiceAccount.OnSaving()

 

What am I missing here? I was following your video tutorials as I was configuring this so perhaps I missed a step.

Would be nice to demonstrate what is possible here with my colleagues but I can't get past this one thing.

  • A couple of notes:
     
    • I have tried logging into manager with employee role based, AD Role based, and system account based
      • I do not have a system account mapped to my person record however, could that be an issue?

    • Logged into the management server with my domain admin account

    • This domain admin account is linked to my person record.

    • My person record has all of the administrator roles, including the Data Governance Administrator role.
       
    • This is also being installed with an existing Identity Manager Instance (same version)

Any insights would be most welcome.

 

Thanks!

  • Hey Matt,

    So this issue turned out to be an issue with the encryption configuration on the DGE server. Since I am encrypting my database with the RSA key, the DGE service was not sending the correct password to the directory.

    While the OneIdentity service that runs on the same server had the encryption key properly assigned, the DGE service had no way to reconcile it. I was wondering how it was going to understand the encrypted data and assumed that it was pulling this from the DGE wizard. Well clearly I was wrong about that.

    So to get this working I (on the DGE server):

    • Copied the RSA key file to the system32 directory (I tried using the path to the file on the server to no avail. Maybe it needed a UNC path, but I just opted for copying to the System32 directory.).

     

    • Then, I ran the following:
       
      • Set-QEncryptionOptions -File OIM.key

     

    • After which I set the service account via the PowerShell cmdlet

      • Add-QServiceAccount -AccountDomain "LAB.COM" -AccountName "US-QDGE-LAB-APP" -Password 'PASSWORDHERE'
        The account has been added as a service account.
        
        
        ServiceAccountId          : 0644F3A3-C4BC-4B00-B38D-##########
        AccountSid                : S-1-5-21-########################
        UserDomainName            : LAB
        UserName                  : US-QDGE-LAB-APP
        UserPrincipalName         : US-QDGE-LAB-APP@lab.com
        Description               : 
        IsDefaultObjectResolution : False
        StatusDetailMessage       : 
        Status                    : OK
        CanManageDomains          : True
        ServiceAccountName        : LAB\US-QDGE-LAB-APP

    BOOM...

     

    After that it was smooth sailing.

     

    Thanks again for all of your help. Hopefully this helps someone else as well.
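
The steps from the reply above as one script, with checks a defender would add: the copied key matches its source, the key file's readers are listed (a file copied into System32 inherits that folder's ACL), and the password is prompted for instead of typed on the command line. This is an added example, not part of the original post or the vendor's documentation; the source path `D:\Install\OIM.key` and the shape of the object returned by `Add-QServiceAccount` are assumptions.

```powershell
# Added example. Run elevated on the DGE server with the DGE cmdlets loaded.
$SourceKey = 'D:\Install\OIM.key'                      # hypothetical: where the key was copied from
$LocalKey  = Join-Path $env:windir 'System32\OIM.key'  # location used in the post

# 1. Confirm the copy is byte-identical to the key that encrypts the database.
if (-not (Test-Path -LiteralPath $LocalKey)) { throw "Key file not found: $LocalKey" }
$src = (Get-FileHash -LiteralPath $SourceKey -Algorithm SHA256).Hash
$dst = (Get-FileHash -LiteralPath $LocalKey  -Algorithm SHA256).Hash
if ($src -ne $dst) { throw 'Local key file differs from the source key file.' }

# 2. Report every principal other than SYSTEM/Administrators/TrustedInstaller
#    that is allowed access to the key file through the inherited ACL.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$extra = (Get-Acl -LiteralPath $LocalKey).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $expected -notcontains $_.IdentityReference.Value
}
foreach ($ace in $extra) {
    Write-Warning ("{0} has {1} on {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $LocalKey)
}

# 3. Point the DGE cmdlets at the key, exactly as in the post.
Set-QEncryptionOptions -File OIM.key

# 4. Prompt for the password so it does not land in console history or transcripts.
#    -Password is passed as plain text because that is the form the post shows.
$cred = Get-Credential -UserName 'LAB\US-QDGE-LAB-APP' -Message 'DGE service account'
$result = Add-QServiceAccount -AccountDomain 'LAB.COM' -AccountName 'US-QDGE-LAB-APP' `
    -Password $cred.GetNetworkCredential().Password

# 5. Assumption: the cmdlet emits an object carrying the fields shown in the post's
#    output (Status, StatusDetailMessage); informational strings are filtered out.
$acct = $result | Where-Object { $_.PSObject.Properties['Status'] }
if (-not $acct -or $acct.Status -ne 'OK') {
    throw "Service account not accepted: $($acct.StatusDetailMessage)"
}
$acct | Format-List ServiceAccountName, Status, CanManageDomains
```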
