    Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I

    Posted by "" in "identity_manager, idm" on 2012-10-28


    If you wish to synchronize a user’s password from Microsoft Active Directory (AD) to Oracle Identity Manager (OIM), you must install the Microsoft Active Directory Password Synchronization connector.

    This post covers the things you must know about the Microsoft Active Directory Password Synchronization connector.

    • For connector basics (Resources, Reconciliation, and Provisioning) click here
    • For more information on the types of connectors, Java vs .NET (dot net), click here
    • For OIM connectors for Microsoft (Active Directory, Exchange, and Windows) click here
    • For OIM-OID connector architecture click here
    • For the OIM-Oracle eBusiness Suite connector click here
    • For the latest version of MS-AD Password Sync and its patch click here
    Things you must know for Microsoft Active Directory Password Synchronization connector
    1. The Microsoft Active Directory User Management (UM) connector is a prerequisite for the Microsoft Active Directory Password Synchronization connector. (You must first install the Microsoft Active Directory User Management connector.)
    2. The latest version of the Microsoft Active Directory User Management connector (as of Sep 2012) is 11.1.1.5, whereas the latest version of the Microsoft Active Directory Password Synchronization connector (as of Sep 2012) is 9.1.1.5.
    3. You can configure OIM 11g with Microsoft Active Directory User Management (MS-UM) 11.1.1.5 and Microsoft Active Directory Password Synchronization 9.1.1.5.
    4. The Microsoft Active Directory Password Synchronization connector must be installed on the Windows Active Directory Domain Controller machine.
    5. If the AD domain is served by multiple domain controllers (for high availability/resilience), you must install the password synchronization connector on each domain controller machine.
    6. The MS-AD Password Synchronization connector configuration is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync
    7. Active Directory related configuration is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig
    8. ADPersistentStore is an OU in Active Directory that stores data for users whose password can’t be synced from AD to OIM for various reasons (OIM not available, user not present in OIM, etc.).
    9. Change the value of Log from N to Y if you wish to enable logging in password synchronization (by default logging is disabled).
    10. LogPath is the directory in which the logs are written (to enable logging, set the value of Log to Y).
    11. OIM related configuration is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig
    12. OIMhost is the hostname on which the OIM managed server is running (for High Availability use the load balancer name here).
    13. OIMPort is the port on which the OIM managed server is running (for High Availability use the port number on which the load balancer is configured).
    14. To disable the Password Synchronization connector, set the value of Disabled to 1 (0 means password synchronization is enabled).
    15. To enable logging for OIM related events, set the value of the parameter OIMLog to Y. You will then see a file named [TIME_STAMP]OIMMain.log.
    16. AD communicates with the OIM server via the SPML Web Service (WS), a SOAP request over HTTP(S) to a URL like http(s)://OIMHost:OIMPort/spmlws/OIMProvisioning for OIM on WebLogic Server. (Make sure the SPML-DSML application is deployed on the OIM Managed Server and is in ACTIVE state.)
    17. In [TIME_STAMP]OIMMain.log you should see calls like:
      Debug [2/20/2002 12:54:42 AM] The SOAP start element is
      Debug [2/20/2002 12:54:42 AM] <processRequest xmlns=""><sOAPElement>
      Debug [2/20/2002 12:54:42 AM] The SOAP end element is
      Debug [2/20/2002 12:54:42 AM] </sOAPElement></processRequest>
      Debug [2/20/2002 12:54:42 AM] The path is
      Debug [2/20/2002 12:54:42 AM] /spmlws/OIMProvisioning
      Debug [2/20/2002 4:54:53 PM] <env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header/><env:Body env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><m:processRequestResponse xmlns:m="http://xmlns.oracle.com/OIM/provisioning"><setPasswordResponse xmlns="urn:oasis:names:tc:SPML:2:0:password"></setPasswordResponse></m:processRequestResponse></env:Body></env:Envelope>
    18. Connector installer related configuration is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\Install
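    The script below is an added example, not part of the original post or of Oracle’s connector: run on a domain controller, it reads the registry settings listed in points 6 to 15 (oimpwdsync, ADConfig, OIMConfig and the values ADPersistentStore, Log, LogPath, OIMhost, OIMPort, Disabled, OIMLog), reports whether synchronization is disabled or logging is misconfigured, checks that the /spmlws/OIMProvisioning endpoint from point 16 answers, and counts setPasswordResponse entries in the OIMMain.log files from point 17. Assumptions: the values sit under the subkeys in the order the post lists them (Disabled is assumed to be under OIMConfig), the https default of -Protocol is a choice made here, and the function names are invented for this example.

```powershell
# Added example (not from the original post): audit the MS-AD Password Sync
# connector settings on a domain controller and test the SPML endpoint.
# Key and value names are from the post; their placement under ADConfig /
# OIMConfig follows the post's ordering and is an assumption.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync'

function Get-RegValue {
    # Returns $null (instead of throwing) when the key or value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-OimPwdSyncConfig {
    $ad  = Join-Path $Base 'ADConfig'
    $oim = Join-Path $Base 'OIMConfig'
    [pscustomobject]@{
        ADPersistentStore = Get-RegValue $ad  'ADPersistentStore'  # OU for deferred syncs
        Log               = Get-RegValue $ad  'Log'                # Y = connector logging on
        LogPath           = Get-RegValue $ad  'LogPath'            # directory for the logs
        OIMhost           = Get-RegValue $oim 'OIMhost'            # LB name in an HA setup
        OIMPort           = Get-RegValue $oim 'OIMPort'
        Disabled          = Get-RegValue $oim 'Disabled'           # 1 = sync switched off
        OIMLog            = Get-RegValue $oim 'OIMLog'             # Y = [TIME_STAMP]OIMMain.log
    }
}

function Test-OimPwdSyncConfig {
    param([ValidateSet('http', 'https')][string]$Protocol = 'https')  # https is this example's default
    $cfg = Get-OimPwdSyncConfig

    if ($null -eq $cfg.OIMhost -or $null -eq $cfg.OIMPort) {
        Write-Warning "OIMConfig is incomplete under $Base; is the connector installed?"
        return $cfg
    }
    if ("$($cfg.Disabled)" -eq '1') {
        Write-Warning 'Password synchronization is disabled (Disabled = 1).'
    }
    if ($Protocol -eq 'http') {
        Write-Warning 'The SOAP body carries the new password; prefer https to protect it in transit.'
    }
    if ($cfg.Log -eq 'Y' -and $cfg.LogPath -and -not (Test-Path $cfg.LogPath)) {
        Write-Warning "Log = Y but LogPath '$($cfg.LogPath)' does not exist."
    }

    # Endpoint named in the post: /spmlws/OIMProvisioning on the OIM managed server (or LB).
    $url = '{0}://{1}:{2}/spmlws/OIMProvisioning' -f $Protocol, $cfg.OIMhost, $cfg.OIMPort
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Output "Reachable: $url (HTTP $($resp.StatusCode))"
    } catch {
        # A SOAP endpoint may reject a plain GET (4xx/5xx); the host still answered,
        # which is what matters for the "is the SPML-DSML app ACTIVE" check.
        if ($_.Exception.Response) {
            Write-Output "Endpoint answered $url with HTTP $([int]$_.Exception.Response.StatusCode)"
        } else {
            Write-Warning "Cannot reach $url : $($_.Exception.Message)"
        }
    }

    # Count successful setPassword responses recorded in the OIMMain.log files (OIMLog = Y).
    if ($cfg.OIMLog -eq 'Y' -and $cfg.LogPath -and (Test-Path $cfg.LogPath)) {
        $hits = Get-ChildItem -Path $cfg.LogPath -Filter '*OIMMain.log' |
                Select-String -Pattern 'setPasswordResponse' -SimpleMatch
        Write-Output "setPasswordResponse entries found: $(@($hits).Count)"
    }
    return $cfg
}

Test-OimPwdSyncConfig -Protocol https
```

Run it in an elevated PowerShell session on each domain controller (point 5 says every DC carries its own copy of the connector, so each has its own registry settings and logs). Because the connector posts the cleartext password inside the SOAP body, a configuration that resolves to plain http is worth flagging even when the endpoint test succeeds.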


    More on Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know, in Part II.


    Share any tips or key points related to OIM’s Microsoft Active Directory Password Synchronization by leaving a comment.


    26 Responses to “Microsoft Active Directory (AD) to Oracle Identity Manager (OIM) Password Synchronization: Things you must know : Part I”

    1. Mann says:

      Can we achieve the same thing without the
      password synch connector?

      Like using OIM with OAM/ESSO/OID?

      Thanks,
      Mann

      • Atul Kumar says:

        Password change from AD to OIM can be achieved only via password sync connector.

        Another option for password sync could be AD -> OID -> OIM (where the password syncs from AD to OID using AD-OID integration and then from OID to OIM using LDAPSync). This will be a less preferred route.

        Password Sync is the better way as this is immediate; why don’t you want to use password sync?

    2. Mann says:

      Atul Thanks for your reply.
      It really helps as always.

      Actually our Active Directory team is not happy with the internal architecture of the ‘password synch connector’. During password change it puts an internal lock, which is not considered good here.

      One last suggestion.
      I was thinking in the below direction but do not have experience on any product other than OIM.
      Like I integrate any one component of eSSO with AD so that the eSSO password and AD password get in synch. Then integrate OIM with eSSO.
      The process might be password from AD >> eSSO >> OIM.

      Kindly ignore my ignorance and suggest.
      Thanks Again!

    3. Don says:

      Atul,

      How about the other way around? OIM to AD sync. Our set up is as follows.

      Our college maintains an Oracle ID for every past, current and of course future student, faculty, staff, etc.

      Our department is currently managing authentication to our department lab systems in AD. This involves importing users each session into AD and setting a temp password with a required password change at first log in.

      This works great except the user accounts are based on the college’s eID. Meaning the samaccountname is the same as the name in the college’s ID management system.

      This actually causes a lot of confusion since everyone typically chooses two different passwords for the same user name.

      So I was wondering if it is possible to set up a one way password sync from the Oracle IDM to AD.

      Seeing as our department only has a small subset of the overall users this makes even more sense to me.

      This is how I am hoping it would work. I get registration data for our department. I import new users based on their eID, set a default password for each new user, set user account control to not require password change, never expire. Then behind the scenes, through the connector server on the DC, each user’s password is updated with the password stored in OIM.

      That way users can authenticate to our lab systems using the same password they use for everything else throughout the college.

      I have seen many examples of syncing like you initially show but none so far the way I am hoping to get things to work.

      Is this possible?

      Thanks,

      Don

      • Atul Kumar says:

        @ Don,
        From your comment it is not clear which product within the IDM stack you use to sync data from Oracle to AD. There are two things I can think of, OID and OIM, and both support password sync from OID/OIM to AD.

        Tell me which Oracle product you use for authentication (where the username/password is stored) so I can tell you how to sync the password from that source to AD or vice versa.

    4. Don says:

      Atul,

      Sorry for the delayed response. I was waiting to hear back what product we are running from our service center. I thought we had moved up to Oracle but we are still currently on Sun Identity Manager 5.2 patch 4.

      Don

    5. praveen says:

      Can anyone help me in installing AD Password Sync for 11gR2.

    6. praveen says:

      Thanks Atul its working fine…

    7. chinna says:

      What about part 2???

    8. pranav says:

      I’m looking for part 2 as well. Do you have a link for it? I can’t find it when I do a web search.

      Thanks.

    9. anonymous says:

      What type of privileges/role should the OIM service account have to allow password change? Can it be part of the Administrators?

    10. […] Microsoft Windows, Microsoft Exchange, and Password Synchronization), I also posted about Password Synchronization for Active Directory that must be installed on all Microsoft Active Directory Domain Controllers, and is used to sync […]

    11. Ravi says:

      Atul,

      Can you please suggest how to configure the Password Sync connector in a clustered environment? We have more than 2 OIM servers configured. Can we configure the OHS server for Password Sync?

      Kindly suggest or provide any link to understand the configuration before implementing it.

    12. anonymous says:

      Could you please provide instructions to use SSL for password sync where OIM is in a clustered environment front ended by a LB?

    13. mathmut says:

      Hi Atul,

      We have an environment with OIM-AD pass sync installed on it and working fine. Users are allowed to change their passwords from both OIM and AD. But we sometimes get an error in the OIM logs like “Error occurred while setting user password.” and when we check the AD pass sync logs we see that the error is about password history. I have an opinion but am not sure. When we change a password from OIM we send it to AD by the change user password task, and when the AD password is changed OIM-AD pass sync catches the process and sends the new password back to OIM, and this time OIM rejects the newly changed password with the error “IAM-3030006:The following password policy rules were not met:Password must not be one of 4 previous passwords.”. Is there any solution to ignore this error, which is actually not an error?

    14. mathmut says:

      Atul,

      Thanks, but users are allowed to change passwords from both OIM and AD. If we allow previous passwords from OIM then we cannot control password history if a user changes the password from OIM self service.

    15. Nirav says:

      Hi atul,

      I am using OIM 9i and am using a custom built connector for AD, not the OOTB one from Oracle. But can I use the AD password sync connector provided by Oracle along with my custom AD connector?

      As I saw a note by you that the Microsoft AD connector is a pre-requisite for the AD password sync connector.

      • Atul Kumar says:

        Nirav, I don’t see any problem with that as long as users are synced between AD and OIM. I am sending you a message directly on your mail, or contact me via contact us.

        Are you hitting any issue with password sync ?

    16. Nirav says:

      hi Atul,

      I have mailed you.
      Yes, the user password is not getting synced.
      “Unable to sync OIM user password. Run configparameter.exe” is the status when I view the event logs.

      Regards,
      Nirav

    17. mathmut says:

      Hi Atul,

      OIM AD password sync logs are enabled on our system. But it causes a problem with disk space. Is there a log appender config for this, or do we have to disable logging?

      Regards,
      Mahmut
