Search This Blog

SBL-DAT-00705: Unable to bind to the ADSI object '%1'.

Applies to:

Product Release: V8 (Enterprise)
Version: 8.0 [20405]
Database: Microsoft SQL Server 2005
Application Server OS: Microsoft Windows 2003 Server SP2
Database Server OS: Microsoft Windows 2003 Server SP2

This document was previously published as Siebel SR 38-3401398171.

Symptoms

SBL-DAT-00705

I have gone thru the ADSI wizard and I get the following message in my log files:
" SBL-DAT-00705: Unable to bind to the ADSI object 'LDAP://CHANGE_ME/OU=Resource,OU=Corporate,DC=jazzpharma,DC=com'

I have rerun the security wizard nurmerous times, and I do not see how I can set this value.

Please note: the system was working fine prior to running th security ADSI wizard

I have attached 2 files, one of them are the logs from our system, the second file is the steps with screenshots of everything that I did to implement ADSI security.

How do I get ADSI working ?

Solution

Message 1

For the benefit of other readers,


Customer was implementing Siebel ADSI Security Adapter Authentication version 8.0 using the Siebel Enterprise Configuration wizard and following information in document. Siebel Security Guide for version 8.0, Rev. A, chapter 6: “Security Adapter Authentication, section “Configuring LDAP/ADSI Security Adapter”. After the wizard has finished, customer started Siebel Server and received the error message below in Object Manager log file when trying to connect using Siebel Web Client:

" SBL-DAT-00705: Unable to bind to the ADSI object 'LDAP://CHANGE_ME/OU=Resource,OU=Corporate,DC=jazzpharma,DC=com'”

Instead of CHANGE_ME information, LDAP:// string should have the server domain name. This behavior was reproducible by Siebel Technical Support, after domain name value was inserted in “Directory Server Domain Name” dialog box, this information was not updated in “Server Name” (ServerName) parameter for ADSI Security Adapter (ADSISecAdpt) profile. This information can be confirmed by executing the server manager command line below:

srvrmgr> list param ServerName for named subsystem ADSISecAdpt

Above command will return value for ServerName parameter.

Change Request 12-1KB448I has been logged to address this Product Defect and populate ServerName parameter with correct information when using Siebel Enterprise Configuration wizard for version 8.0.

[Continue 1]

Message 2

[Continued 1]

The workaround is to use srvrmgr command line below in order to update ServerName parameter:

srvrmgr> change param ServerName=<server domain name> for named subsystem ADSISecAdpt

Above command can be executed after executing Siebel Enterprise Configuration wizard to setup ADSISecAdpt.


Customer also noticed the following unexpected behaviors when running the configuration wizard:

1. Siebel ADSI Security Adapter version 8.0 does not support “Database User Credentials Caching” by using “Shared DB Username” (SharedDBUsername) and “Shared DB Password” (SharedDBPassword” parameters. These parameters are available only for Siebel LDAP Security Adapter version 8.0. Change Request 12-1KB44BW to remove “Database User Credentials Caching” dialog box from wizard when using ADSISecAdpt.

2. Customer tried to revert back to Database Authentication using Siebel Enterprise Configuration wizard. After choosing “Database Authentication (default)” option in “Enterprise Security Authentication Level or Type” dialog box, enterprise parameters “Security Adapter Name” (SecAdptName) and “Security Adapter Mode” (SecAdptMode) were not updated to use Database Authentication (DBSecAdpt). Change Request 12-1KC5S82 has been opened to address Siebel Enterprise Configuration wizard to modify existent Siebel Enterprise Server to use Database Authentication.

[Continue 2]

Message 3

[Continued 2]

3. Customer was not able to find any option in configuration wizards to change Authentication parameters at component level. Change Request 12-1KC5S8X has been opened to allow Siebel Enterprise Configuration or Siebel Server Configuration wizards to modify security parameters at component level.

Workaround for Change Requests 12-1KC5S82 and 12-1KC5S8X is to use srvrmgr command line utility or user interface to change the parameters.


Thank you,


Siebel Technical Support


Applies to:

Siebel System Software - Version: 7.7.2.7 SIA [18376] to 8.1.1 [21112] - Release: V7 to V8

Information in this document applies to any platform.

Symptoms

Customer is trying to bind to an Active Directory server using the ADSISecAdpt and is getting the following errors:

SBL-SEC-10018: Unable to bind to the ADSI object 'LDAP://bose.com/DC=bose,DC=com'.(SBL-DAT-00705)


SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.


SBL-SVC-00208: Please login first.

Review of the ADSI return code shows a return of 8007052e.

Cause

The application user password specified in the ADSISecAdptADSISecAdpt profile is incorrect.

Specific observations made in this case that support this finding were:


1. The return error code 8007052e is an invalid user DN or password error.

2. All other relevant parameters in the ADSISecAdptADSISecAdpt match between a working environment and the non-working environment.

3. The encrypted values of the application user password parameter are different in the two environments.  This can be checked by reviewing the siebns.dat file in a text editor and searching for ADSISecAdptADSISecAdpt and finding the password parameter.

Solution

This behavior can be corrected by fixing the application user password in the ADSISecAdpt profile.  To do this:

1. Login to an employee facing application as SADMIN or another user with administrative responsibilities.

2. Navigate to Site Map > Administration - Server Configuration > Enterprises > Profile Configuration

3. Locate the ADSISecAdpt profile.

4. Locate the Application User Password parameter.

5. Carefully re-enter the password for the application user in plain text (the system will automatically encrypt it).

6. Save the record.

Then close out of all browser windows (to make sure you get a clean object manager task) and retest the behavior. If it still gives the error, you may want to stop and restart the Siebel Server and Gateway services to make sure the new values loaded properly.


Applies to:

Siebel Sales - Version: 7.7 [18026] BETA to 8.0.0.2 [20412] - Release: V7 to V8
Generic Windows

Symptoms

When trying to authenticate with the ADSI security adapter (ADSISecAdpt) using SSL between the security adapter and external directory, the user is getting the following error:

SBL-SEC-10018: Unable to bind to the ADSI object 'LDAP://fiusagntldap.usa-ed.net/DC=us,DC=ad,DC=usa-ed,DC=net'.(SBL-DAT-00705)

ADSISecAdpt authentication without SSL enabled on the connection works properly.

Cause

Assuming that SSL is set up properly on the Active Directory server (which is outside the scope of Oracle GCS), the cause of this behavior is most likely the certificate has not been installed properly (i.e. as the Siebel Server service account) on the Siebel application server(s).  Since Windows maintains separate certificate stores for each user, it is necessary to make sure that the certificates are installed while logged into the physical server as the same user which the Siebel Server service runs under.

Solution

Please login to the physical machine that the Siebel application server runs on as the user specified in the Services control panel for the Siebel Server service. Then import the necessary SSL certificate(s) and retest the behavior.

References

NOTE:477959.1 - How Can You Enable Event Logging for the Siebel ADSI/LDAP/DB Security Adapter with Siebel eBusiness Applications Release 7.7, 7.8 and 8.0?

Applies to:

Product Release: V7 (Enterprise)
Version: 7.7.2.2 [18356]
Database: Microsoft SQL Server 2000 SP3
Application Server OS: Microsoft Windows 2000 Advanced Server SP 3
Database Server OS: Microsoft Windows 2000 Advanced Server SP 3

This document was previously published as Siebel SR 38-2000800221.

Symptoms

SBL-DAT-00705

We are not able to connect to the server from a dedicated client using hashed password in ADSI authentication? However, we have no issues when we use clear text password. We have tried the following l three password encryption methods but always get "Unable to bind ADSI" error message in the log file

i) hashpwd.exe    using RSA algorithm
ii) hashpwd.exe using Siebel proprietary algorithm
iii) mangle.exe

Here is ADSI section from the sfs.cfg file on the dedicated client.
*****************************************************************************************************************
[InfraSecMgr]
SecAdptName = ADSISecAdpt
SecAdptMode = ADSI


[ADSISecAdpt]
SecAdptDllName = sscfadsi
ServerName                  = arcdrohq.ri.redcross.net
Port                        = 389
BaseDN                      = DC=arcdrohq,DC=ri,DC=redcross,DC=net
UsernameAttributeType       = sAMAccountName
PasswordAttributeType       = userPassword
CredentialsAttributeType    = arcDstipDbaccount
RolesAttributeType          =
SslDatabase                 =
PropagateChange = FALSE
CRC =
SingleSignOn               = FALSE
TrustToken                  =
UseAdapterUsername          = FALSE
SiebelUsernameAttributeType =
HashUserPwd = TRUE
; the remaining are environment specific
;Test
SharedCredentialsDN        = CN=DSTIPTRN-APPUSER,OU=DSTIPTRN,OU=DSTIPCRMDEV,DC=arcdrohq,DC=ri,DC=redcross,DC=net
ApplicationUser             = CN=DSTIPTRN-PPUSER,OU=DSTIPTRN,OU=DSTIPCRMDEV,DC=arcdrohq,DC=ri,DC=redcross,DC=net
ApplicationPassword = 9VbmkeU/vMvYqc3QQz+0+G0rpzc=
;ApplicationPassword = <Clear Text>

*****************************************************************************************************************

Regards,
Jamil Rehman

Solution

Message 1

For the benefit of other readers,


Customer had the requirement of encrypting the ApplicationPassword parameter available in the client configuration file (cfg) when using Siebel ADSI Security Adapter with Siebel Dedicated Web Client version 7.7.2.2. This parameter stores the Application User password in clean text format in client cfg file.

In previous Siebel version 7.5.x, it was possible to use parameter EncryptApplicationPassword to maintain an encrypted password in ADSI Directory for the Application User. However, in Siebel version 7.7.x, this parameter is not available.

Change Request 12-XMWHUC and Fix Request 12-XMWHYP have been logged to address this Product Defect, and it has been resolved with Quick Fix version 7.7.2.2 QF0231, where the parameter ApplicationPassword is now stored in a encrypted format in client cfg file for Siebel Dedicated We Client when using Siebel ADSI Security Adapter.


Thank you,


Siebel Technical Support


No comments:

Post a Comment