Showing posts with label Active Directory. Show all posts
Showing posts with label Active Directory. Show all posts

Monday, September 14, 2020

Test AD authentication via PowerShell

Test password

Sometimes, it is useful to test Active Directory credentials to validate the login or the password in many scenario to test the Identity and Access management Use Cases For example, following the bulk creation of users / Update , Password Reset and many other scenario

The most commonly used actions is connecting to a remote desktop (RDP) or connecting to a webmail. However, either the number of login to be tested is too important, or no service is accessible to test an authentication.

PowerShell to the rescue

$UserName = 'vkejriwal'
$Password = 'yyyyyyyy'

Function Test-ADAuthentication {
    param(
        $username,
        $password)
    
    (New-Object DirectoryServices.DirectoryEntry "",$username,$password).psbase.name -ne $null
}

Test-ADAuthentication -username $UserName -password $password

The return values are:
  • TRUE if authentication is successful
  • FALSE if authentication failed. The reason can be:
    • bad login. 
    • bad password
    • locked out AD acount: Get-ADUser -Identity xxx -Properties LockedOut,AccountLockoutTime | Select samaccountname,LockedOut,AccountLockoutTime
    • disabled AD account: Get-ADUser -Identity xxxx | Select samaccountname,Enabled

Thursday, April 9, 2020

Sailpoint IQ Active Directory Application Integration Using OOTB Connector - Provisioning

Integration of Active Directory with SailPoint IIQ

Below Steps need to be followed for the Active Directory and Sailpoint IIQ Integration

1. Need to Install IQ Service , All the Provisioning for Active Directory from IIQ happens through the Agent  which need to be installed
follow the steps to install the IQ service 

2. Need to step the Application and Aggregate all the existing groups and the Accounts from the Active Directory

follow this steps for Setting up the Active Directory Application. 

3. Create the Filed value Rule 
follow the steps for creating field value Rule

4. Create the Provisioning form and populating the value for the fields which are mandatory for creating the Active Directory account
Object Type -->User
Account DN --> User DN
User ID --> samAccountName
User Principal Name -->Log-on Name
Password
First Name
Last Name
Full Name

Make sure below Filed Value Rule Mapping is done for all the Required fields
































5.  Creating the After Provisioning Rule
Follow the Instruction 

6. Attach this Rule in the Rule section of the Application in after Provisiong Rule , This Rule will send the Email for Success and Failure of the operation on the User.

Also make sure that this email Template are created 
Active Directory PH Accounts Joiner AD Account Creation Notification
Active Directory PH Accounts Joiner AD Failure Notification
7. Now go to the Access Request Page , Select the User --> Select any of the Entitlement belongs to this Application and Submit the request (make sure the Entitlement is requestable , then only it will be available in the Access Request Page)

8. After Submission , it will go through the Approval , which can be Track from the Track Request Page , Once the Approval is done , Provisioning will start

9. Run the Perform Maintenance Task to  Trigger the Provisioning.

10. Check the AD and see if the user is created with the values populated in filed value rule and Entitlement request will also get added  and also Email will be Triggered with the account details and the Password.

11. Run Perform Identity Request Maintenance Task to complete the Request. 

Thursday, December 12, 2019

Active Directory Authentication Error Codes

When authentication fails while using Active Directory , Active Directory returns its own error codes to indicate 
the reason for the failure; you must retrieve and handle or display these errors appropriately. 

Below are some of the most common errors you may receive, including example error messages and reasons for the error.
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
775 - account locked

525 - user not found - 
Returned when an invalid username is supplied.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)

52e - invalid credentials
Returned when a valid username is supplied but an invalid password/credential is supplied. If this error is received, 
it will prevent most other errors from being displayed
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)

530 - not permitted to logon at this time
Returned when a valid username and password/credential are supplied during times when login is restricted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.

531 - not permitted to logon from this workstation
Returned when a valid username and password/credential are supplied, but the user is restricted from using the workstation 
where the login was attempted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
 
 
532 - password expired
Returned when a valid username is supplied, and the supplied password is valid but expired.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED

533 - account disabled
Returned when a valid username and password/credential are supplied but the account has been disabled.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE

701 - account expired
Returned when a valid username and password/credential are supplied but the account has expired.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: <value of -1, 0, or extemely large value indicates account will not expire>] - ACCOUNTEXPIRED

773 - user must reset password
Returned when a valid username and password/credential are supplied, but the user must change their password immediately
(before logging in for the first time, or after the password was reset by an administrator).
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD

775 - account locked out
Returned when a valid username is supplied, but the account is locked out. Note that this error will be returned regardless 
of whether or not the password is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT

Thursday, October 10, 2019

Sailpoint IQ Active Directory Application Integration Using OOTB Connector - Aggregation

Integration of Active Directory with SailPoint IIQ

Check this blogpost for the Active Directory Provisioning 

Navigate to Application → New Application
Select Application Type as Active Directory-Direct and provide the Application Name and Owner Field



Enter the Forest Name , Global Catalog Server ie DC and the credentials of the service Account , Add the above entered Forest details and Click on Discover to get all the Domains Available in the Forest.



Here we can add and remove the Domain which we want to manage from this Application



Here we can add and remove account OU which we are managing from the above Domains



Here we can add Groups OU which we are managing from the above Domains



Test the Target Application Connectivity



Create the correction Rule , based on which user need to be linked from the Active Directory to the Sailpoint.



Create the Group Aggregation Task to pull all the Entitlement from Active Directory and click on save and Run.



we can check all the Entitlements Aggregated from Active Directory in Applications Entitlement Catalog




Create the Account Aggregation Task to pull all the Users Accounts from Active Directory and click on save and Run.



we can check all the Accounts Aggregated from Active Directory in Applications Edit Application Accounts Tab






Sunday, January 27, 2019

Installing and registering IQService

To install and register the IQService, do the following:
1. Create a directory D:\ IQService in the windows server to copy the IQService.zip file
2. Copy the IQService.zip file from the IdentityIQ installation into this directory. The IQService.zip file is located in identityiq_home/WEB-INF/bin/win where identityiq_home is the directory in which the identityiq.war file is expanded
3. Expand the IQService.zip
 4. Run IQService.exe -i -p 5050 to install a Windows service named IQService
   Give a different port if 5050 is already in use
5. Run regedit and traverse to following path to set the log related attributes
 HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService. 
The following keys are used:
1. port - port on which to listen
2. tracefile - path to the trace file
3. tracelevel - 0 (off), 3 (verbose)
4. maxTraceFiles - maximum number of trace log files
5. traceFileSize: maximum file size of a trace file in bytes
 
6. Open the SailPoint IQService-Instance from the services and change the Log On to the service account (Domain\ServiceAccountName)
 
 7. Start the service from the Windows Services Applet or from the command line by running IQService.exe -s