SetPassword returns an error -2147023545

joachimvanpraet

Hi all,

We just transported our IDM developments to production and in the first run we encountered some problems setting the AD password. The script returns an error code -2147023545. Searching the internet we found a description for this error:

You receive an Error -2147023545 "Cannot Access Domain Info" error message

Can someone translate this to something that makes sense? Do we have insufficient rights for the AD user or is there another port (besides 389) that we have to open to run this script? (=VBScript SetPassword)

kr,

Joachim

Accepted Solutions (1)

Former Member

Hi Joachim,

The password reset function uses ADSI, which is a bit tricky in terms of connectivity when you have to travel across firewalls. I think ADSI uses DCOM, which needs a lot of ports to be opened on the firewall (http://msdn.microsoft.com/en-us/library/ms809327.aspx).

If punching holes into your firewall is not an option, you might want to consider using an LDAPS connection to AD and changing the password with standard LDAP commands.

Best regards

Holger

joachimvanpraet

Hi Holger,

The problem is that the AD and IDM server are in a different network.

When I read the documentation I see that DCOM doesn't support address translation.

One last thing before I continue, the client must be able to reach the server by its actual IP address. You cannot use DCOM through firewalls that do address translation (i.e. where a client connects to virtual address 198.252.145.1 that the firewall maps transparently to the server's actual address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it won't work.

Unfortunately in our case we have to use address translation. I think we have to investigate the LDAPS solution.

Thanks for your reply.

kr,

Joachim

Former Member

Hi Johannes,

Setting the password with ADSI has also caused some problems in our project. I didn't investigate any further, as switching to LDAPS and modifying the provisioning framework was the faster option from our point of view.

When using LDAPS, you can even set the password in the pass where the user is enabled, so that you do not need a separate task for setting the password.

Best regards

Holger
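
The LDAPS approach suggested in this thread comes down to writing AD's `unicodePwd` attribute with an ordinary LDAP modify. The following is an added example, not code from the posters or from the IDM provisioning framework: it builds the LDIF modify record for a password reset, optionally enabling the account in the same operation. The function names and the sample DN are constructed for illustration.

```python
import base64

# userAccountControl 512 = NORMAL_ACCOUNT with the ACCOUNTDISABLE bit (2) cleared
UAC_NORMAL_ENABLED = 512

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE."""
    if not password:
        raise ValueError("refusing to encode an empty password")
    return f'"{password}"'.encode("utf-16-le")

def ldif_attr(name: str, value: bytes) -> str:
    """One LDIF line; base64 ('::') unless the value is plain printable ASCII."""
    plain = (value and all(0x20 <= b < 0x7F for b in value)
             and value[0] not in b" :<" and value[-1] != 0x20)
    if plain:
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"

def password_reset_ldif(dn: str, password: str, enable: bool = False) -> str:
    """LDIF modify record that replaces unicodePwd and optionally enables the account."""
    lines = [ldif_attr("dn", dn.encode("utf-8")), "changetype: modify",
             "replace: unicodePwd",
             ldif_attr("unicodePwd", encode_unicode_pwd(password)), "-"]
    if enable:
        # Second change in the same modify: clear the disabled flag
        lines += ["replace: userAccountControl",
                  f"userAccountControl: {UAC_NORMAL_ENABLED}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample DN and password, for illustration only
    print(password_reset_ldif("CN=Test User,OU=Staff,DC=example,DC=test",
                              "N3w-Passw0rd!", enable=True))
```

AD accepts `unicodePwd` writes only on an encrypted connection, which is why the record has to go over LDAPS rather than plain port 389.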
