Note: This edition applies to versions 10.0.x of IBM Security Verify Governance and
IBM Security Verify Governance Identity Manager.
Copyright IBM Corporation 2009, 2026
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents:
- Running in Federal Information Processing Standards (FIPS) mode
  - Configuring the adapter to run in FIPS mode
  - Operational differences running in FIPS mode
- Installation and Configuration Notes
- Corrections to Installation Guide
- Support for Customized Adapters
IBM Security Verify Governance Active Directory 64-bit (WinAD64) Adapter.
These Release Notes contain information for the following products that was not available when the adapter manuals were printed:
The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes on Exchange and Lync (Skype for Business). The adapter runs in "agentless" mode and communicates using Microsoft ADSI API and PowerShell to the systems being managed.
IBM recommends the installation of this adapter in "agentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity and/or Governance policies and processes. Please refer to the Identity or Governance Information Center for a discussion of these topics.
The IBM Verify adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Security Verify Governance License prior to using this product. The license can be viewed from the "license" folder included in the product package.
The adapter package includes two profiles:

ADprofile.jar
o This profile is supported on Identity and Governance. When used, if an AD group name or DN is changed in AD, the reconciliation operation results in deleting the original group and adding the updated group as a new group. Governance results: all users who had permission on the original group will lose that permission, and new permission will be added using the new name.
o No additional configuration changes are required on the adapter when ADprofile.jar is used.

ADprofileGUID.jar
o This profile is supported on Identity and Governance. When used, if an AD group name or DN is changed in AD, the reconciliation operation will only change the name and/or DN of the group. Governance results: all users who had permission on the original group will retain that permission, but with the new name and/or DN.
o When using ADprofileGUID.jar, you must configure the adapter to use GUID as the group naming attribute using agentCfg.exe on the adapter server:
  Invoke agentCfg.exe -a adagent
  - Use option (F) Registry Settings
  - Use option (A) Modify Non-encrypted registry settings
  - Use option (B) Modify attribute value
  - Registry item to modify is: useGroup
  - New registry item value is: GUID
  - Use option (X) Done three times to exit
  - Restart the adapter service for the change to take effect.
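The difference between the two profiles comes down to which attribute the reconciliation uses as the group's key. The following PowerShell is an added illustration, not code from the adapter or from IBM: it runs the same before/after comparison once keyed on the DN (ADprofile.jar behaviour) and once keyed on objectGUID (ADprofileGUID.jar behaviour) over constructed group snapshots, so it needs no live directory. The GUID value, group names and DNs are constructed sample data.

```powershell
# Added example (not from the IBM release notes): shows why ADprofile.jar and
# ADprofileGUID.jar report a renamed group differently. Group snapshots are
# constructed inline; no live directory is needed.

function Compare-GroupSnapshots {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After,
        [ValidateSet('DistinguishedName', 'ObjectGUID')] [string] $KeyAttribute = 'DistinguishedName'
    )
    # Index both snapshots by the attribute the profile uses as the group name.
    $beforeByKey = @{}
    foreach ($g in $Before) { $beforeByKey[$g.$KeyAttribute] = $g }
    $afterByKey = @{}
    foreach ($g in $After) { $afterByKey[$g.$KeyAttribute] = $g }

    $deleted = @($beforeByKey.Keys | Where-Object { -not $afterByKey.ContainsKey($_) })
    $added   = @($afterByKey.Keys  | Where-Object { -not $beforeByKey.ContainsKey($_) })
    # A key present on both sides whose DN changed is a rename. That is only
    # visible when the key itself survives the change, i.e. with ObjectGUID.
    $renamed = @($beforeByKey.Keys | Where-Object {
        $afterByKey.ContainsKey($_) -and
        $afterByKey[$_].DistinguishedName -ne $beforeByKey[$_].DistinguishedName
    })
    [pscustomobject]@{
        KeyAttribute = $KeyAttribute
        Deleted      = $deleted
        Added        = $added
        Renamed      = $renamed
    }
}

# Constructed sample: one group renamed from "Finance" to "Finance-Users".
$guid   = [guid]'11111111-2222-3333-4444-555555555555'   # constructed; stable across the rename
$before = @([pscustomobject]@{ Name = 'Finance';       DistinguishedName = 'CN=Finance,OU=Groups,DC=example,DC=com';       ObjectGUID = $guid })
$after  = @([pscustomobject]@{ Name = 'Finance-Users'; DistinguishedName = 'CN=Finance-Users,OU=Groups,DC=example,DC=com'; ObjectGUID = $guid })

# ADprofile.jar behaviour: keyed on DN, so the rename appears as one delete plus one add.
Compare-GroupSnapshots -Before $before -After $after -KeyAttribute DistinguishedName
# ADprofileGUID.jar behaviour: keyed on objectGUID, so the same change appears as a rename.
Compare-GroupSnapshots -Before $before -After $after -KeyAttribute ObjectGUID
```

The first call returns one entry in Deleted and one in Added; the second returns the GUID in Renamed and nothing in Deleted or Added. That is exactly the difference the Governance results above describe: with a DN key the permission binding dies with the old DN, with a GUID key it follows the object.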
The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0. By service groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.
Managing service groups implies the following:
- Create service groups on the managed resource.
- Modify attributes of a service group (group name change is not supported).
- Delete a service group.
The Windows Active Directory x64 adapter supports service group management on Identity Manager only.
| Component | Version |
|---|---|
| Build Date | 2026 March 27 02.01.33 |
| Adapter Version | 10.0.19 |
| Component Versions | Adapter Build: 10.0.19, Profile 10.0.19, ADK 8.0.11 |
| Documentation | Check the IBM Knowledge Centre for the following guide(s): IBM Verify Active Directory Adapter with 64-Bit Support Installation and Configuration Guide |
|
| Internal # | Enhancement # (RFE / IDEA) | Description |
|---|---|---|
| Items included in current release (10.0.19) | | |
| SVGAD-6085 | ADAPT-244 / ADAPT-243 | Enable AD Adapter to convert Remote Mailbox to Shared Mailbox via Provisioning Policy / Active Directory Agent/Adapter should be able to manage shared type mailboxes |
| Items included in release (10.0.18) | | |
| SVGAD-5340 | ADAPT-238 | Support Microsoft Exchange Server Subscription Edition (SE) |
| Items included in release (10.0.17) | | |
| None | None | None |
| Items included in release (10.0.16) | | |
| SVGAD-4320 | ADAPT-192 | Certified Adapter for Windows Server 2025 |
| SVGAD-3130 | ADAPT-172 | Update Install Anywhere with latest IBM Sumeru JRE (version 1.8 Update 432) |
| Items included in release (10.0.15) | | |
| Internal | | Updated to ADK 8.0.8 with OpenSSL 3.1.7 |
| Items included in release (10.0.14) | | |
| Internal | | Upgraded to ADK 8.0.7 with OpenSSL 3.1.6 |
| Items included in release (10.0.13) | | |
| Internal | | Upgraded to ADK 8.0.6 with OpenSSL 3.1.4 |
| Items included in release (10.0.11) | | |
| Internal | | Upgraded to ADK 8.0.5 with OpenSSL 3.1.4 |
| Items included in release (10.0.9) | | |
| Internal | | Added support for Exchange remote session |
| | ADAPT-I-134 | Support Exchange Archive Mailbox |
| Items included in release (10.0.8) | | |
| Internal | | Upgraded to ADK 8.0.2 with OpenSSL 3.1 |
| | ADAPT-I-206 | Support Basic Authentication in AD adapter with support for Exchange |
| | ADAPT-I-204 | AD agent to Exchange remote PowerShell in SSL mode |
| Items included in release (10.0.4) | | |
| RFE 63875 | | Specify display name when enabling mailboxes. Added registry setting to enable or disable this new feature |
| Items included in release (10.0.3) | | |
| RFE 64093 | | Support for setting WorkingHoursStartTime using the ISIM6 WinAD64 Adapter |
| RFE 64626 | | IGI AD Adapter GUID Profile Latency. Add cache GUID/DN lookup |
| RFE 63875 | | Specify display name when enabling mailboxes. |
| Items included in release (10.0.2) | | |
| Internal | | Upgraded to ADK 7.0.9 with OpenSSL 1.1.1k |
| RFE 145716 (63010) | | AD Cross Domain Group Member Support for Universal Groups (FPL) |
| Items included in release (10.0.1) | | |
| Internal | | Rebranded for IBM Security Verify |
| Items included in release (7.1.34) | | |
| RFE TS001318020 (55491) | | IGI Active Directory Adapter - EmployeeNumber not supported |
| RFE TS001619165 (58739) | | AD Adapter does not change Country to AD Country Code |
| RFE TS002747046 (59959) | | Management of the attribute 'msExchAddressBookPolicyLink' by ISIM Windows AD Adapter |
| Internal | | Updated to ADK 7.0.8 with OpenSSL 1.1.1d. Added support for minimum TLS level |
| Items included in release (7.1.33) | | |
| RFE 127449 (56512) | | Supporting eradeallowedaddresslist in hybrid environment (Adapter) |
| RFE 128222 (56765) | | ISIM and O365 email usage in hybrid environment |
| Items included in release (7.1.32) | | |
| RFE 130064 (57543) | | 'businessCategory' attribute in Security Identity Adapter for Windows AD not handled as multi-valued. |
| 181168 | | Attribute values lookup support. |
| 183288 | | Support for Windows 2019 server, both as a managed service and adapter platform. Support for Exchange 2019 and Skype for Business 2019. |
| PSIRT | | Upgraded to ADK 7.0.6 with OpenSSL 1.0.2r |
| Items included in release (7.1.31) | | |
| None | | |
| Items included in 7.1.30 release | | |
| 177537 | | As a developer of the Windows AD adapter, I need to use a newer OpenSSL version that addresses PSIRT advisories. OpenSSL is upgraded from version 1.0.2n to 1.0.2p |
| 178202 | | Implementation for supporting recon for msDS-LastSuccessfulInteractiveLogonTime. Note: On IGI, Date attributes are not displayed correctly. |
| Items included in 7.1.29 release | | |
| 154239 | | US - As a Windows AD adapter developer, I need to update my adapter to use the newer OpenSSL |
| Items included in 7.1.28 release | | |
| None | | |
| Items included in 7.1.27 release | | |
| 50831 50763 | | Windows AD adapter to support mailbox attributes msExchRecipientTypeDetails and msExchRemoteRecipientType in integer8 format |
| 50988 | | Add businessCategory as a regular adapter attribute |
| 43334 | | Enhance AD Adapter to detect user's email status for remote mailbox (O365) and manage proxy address and other Exchange attributes |
| Internal | | Added support for remote mailbox to support Office 365 mailboxes in a hybrid Exchange environment |
| Internal | | Modified installer to default to SSL enabled |
| Items included in 7.1.26 release | | |
| 44871 | | Added support for Lync Mobility and Persistent Chat policies |
| Internal | | Now supports FIPS compliant mode |
| Items included in 7.1.25 release | | |
| Internal | | This release includes ADK 7.0.3, which updates OpenSSL to 1.0.2f to address a vulnerability to excessive CPU utilization |
| Items included in 7.1.24 release | | |
| Internal | | This release officially supports Windows 2016 server, both as a managed resource and an installation platform |
| Items included in 7.1.23 release | | |
| Internal | | Now using ADK 7.0.1 with updated OpenSSL, ICU and SQLite, all built on Visual Studio 2012. The adapter is now built on Visual Studio 2012 using .NET 4.5. It no longer requires .NET 3.5 to be installed. |
| Items included in 7.0.20 release | | |
| 42641 | | Adapter Support for Exchange 2016 and Lync 2015 |
| 42071 | | Second and following Mailbox Move Requests Fail on Exchange 2013 |
| 43225 | | Reduce IO in WinAD Adapter for PW change |
| Items included in 7.0.18 release | | |
| 38935 | | Support "Manager can update membership list" attribute for AD Group |
| 38934 | | Support display name attribute for AD Groups |
| 39511 | | WinAD Adapter does not reconcile Lync Registry Pools from AD |
| 40129 | | ISIM AD Adapter Customization for Group Object class |
| Internal | | Updated resource.def in profile to support external roles |
| Items included in initial release (7.0.16) | | |
| 30303 | | ISIM AD adapter unable to set Mail box Retention policy check |
| Internal | | Now using ADK 6.0.1027, which provides an option for disabling SSLv3. There is also support for setting the list of ciphers used. |
| Internal | | The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter Windows service. |
| Items included in 6.0.15 release | | |
| 34001 | | Added support for Exchange Automatic Mailbox Distribution. Supplying only eradealias without a mail store or external email address allows Exchange to determine the mail store to use based on load balancing. |
| 31924 | | Prevent deletion of user accounts that have a mailbox that is under litigation hold |
| 32482 | | Add support for msExchCoManagedByLink to group schema |
| 29995 | | Add support for msExchRequireAuthToSendTo to group schema |
| | | Updated logging to include output from Lync and Exchange modules |
| Items included in 6.0.14 release | | |
| | | The Password Synchronization plug-in is now released as a separate package. It is no longer bundled with the AD Adapter |
| | | Includes updated ADK 6.0.1020, which includes an update to prevent password values from being written to the log on password change failures |
| Items included in 6.0.13 release | | |
| | | Includes updated ADK 6.0.1019, which includes version 1.0.1h-fips of OpenSSL. |
|
| Internal# | Known Issue# | Description |
|---|---|---|
| Items closed in current release (10.0.19) | | |
| Bug 4580 / SVGAD-5415 | TS019606953 / DT464501 | AD agent consumes too many resources |
| Bug 4474 / SVGAD-3586 | TS017963143, TS018952535 | Microsoft Message Queuing RCE (CVE-2023-21554, QueueJumper) |
| Bug 4531 / SVGAD-4327 | TS019108217 / DT452564 | Issue with AD Reconcile job |
| Bug 4571 / SVGAD-4847 | TS019737224 | Support for Universal Group |
| Items closed in release (10.0.18) | | |
| Bug 4518 / SVGAD-5017 | TS018600034 / DT455247 | Group creation uses Basic authentication instead of Kerberos even when "Basic Auth" is set to False in the ISIM service form |
| Items closed in release (10.0.17) | | |
| Bug 4483 / SVGAD-3641 | TS018342698 / DT433149 | Unable to set Remote Archive Domain on AD Account |
| Items closed in release (10.0.16) | | |
| BUGZ 4398 / SVGAD-3027 | TS016819396 / DT424056 | Active Directory Agents consume too much RAM and do not respond, require restart. |
| BUGZ 4310 / SVGAD-2642 | TS015479980 / DT397078 | Identity Manager AD Agent Crash / Windows AD adapter memory leak in event notification. Updated ADK to 8.0.9 to fix this bug; see Chapter 6 - Troubleshooting in Installation and Configuration Notes |
| BUGZ 4476 / SVGAD-3582 | | Adapter doesn't support "OWAforDevicesEnabled" attribute for Exchange mailbox |
| Items closed in release (10.0.15) | | |
| Bug 4431 / SVGAD-3229 | TS016633497 / DT420321 | Unable to load Exchange PowerShell in filter recon while using preferred Exchange server. |
| BUGZ 4381 / SVGAD-2714 | TS016962874 | Missing version details in Windows AD Adapter |
| BUGZ 4413 / SVGAD-3070 | TS017140708 | AD Adapter v10.0.14 - SSL configuration issue |
| Items closed in release (10.0.14) | | |
| | TS015907182 | Creation of remote mailbox with primary SMTP address in list of proxy addresses on add request |
| Items closed in release (10.0.13) | | |
| | TS015311731 | AD Attribute erADEHideFromAddrsBk is not returned during recon for remote mailboxes |
| Internal | | AD Attribute eradealllowaddresslist changed from DNString to DNValue |
| Items closed in release (10.0.12) | | |
| | TS013336011 | Some AD accounts don't have their Exchange attributes mail, proxyAddresses and targetAddress set |
| Items closed in release (10.0.11) | | |
| Internal | | Test Connection in ISV SaaS fails because of eradeusebasicauth field added in 10.0.9 |
| | TS014310910 | Outdated country codes |
| Items closed in release (10.0.10) | | |
| BUGZ 4053 | | How to manage cloud migrated AD account with AD Agent |
| BUGZ 4165 | | Unable to set Exchange Quota warning - AD adapter |
| BUGZ 4142 | | Change Log Sync finish failed AD with error Error code: 0x80072030 |
| Items closed in release 10.0.9 | | |
| BUGZ 4090 | | Windows AD 10.0.8 ADprofile.jar file has syntax issue |
| BUGZ 4091 | | IBM Security Verify Governance Adapter for Windows AD broken SSL |
| Items closed in release 10.0.8 | | |
| Internal | | erADEAllowedAddressList occurs twice in targetProfile.json and is missing DNString flag |
| Items closed in release 10.0.7 | | |
| | TS010327429 | Error in AD recon for some users |
| Items closed in release 10.0.6 | | |
| | TS007544376 | User member of group that has been deleted kills recon |
| | | Full recon on AD adapter does not contain eradgrpcontainerrnd data |
| | TS008973416 | Active Directory adapter has issues with Group Reconciliation |
| Items closed in release 10.0.5 | | |
| | IJ37565 | Displayname getting set to -1 when creating mailbox |
| | TS006823945 | How can we manage erADEAllowedAddressList attribute by rule. Missing from targetProfile.json |
| Items closed in release 10.0.4 | | |
| | TS006884318 | The Windows AD adapter profiles newer than 7.1.35 version are missing erADEmployeeNumber in targetProfile.json file |
| Items closed in release 10.0.3 | | |
| | IJ33198 | WinAD adapter Enable-DistributionGroup fails |
| | IJ34539 IJ34168 | Setting the eradexpirationdate in IGI to null sends a default date to Active Directory which is in the past and expires the account |
| Items closed in release 10.0.2 | | |
| | IJ31965 | AD Agent Silent Installation Not Working |
| Items closed in release (10.0.1) | | |
| | IJ28787 | WinAD Adapter crashes during reconciliation |
| Items closed in release (7.1.38) | | |
| | TS004078164 | Recon/search failure with AD adapter and some AD group lookup |
| | TS003784368 | WinAD adapter profile ADprofileGUID.jar does not send GUID on group add |
| Items closed in release (7.1.37) | | |
| TS003631283 | IJ24481 | Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server |
| Items closed in release (7.1.36) | | |
| Internal | | Fixed targetProfile.json which had been reverted to the old format by mistake |
| TS003631283 | IJ24481 | Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server |
| TS003197913 | | Adding an Active Directory account results in SERVICE_CONTROL_INTERROGATE command (long DNs in container names) |
| TS003611746 | IJ24480 | Windows AD - recon not picking up erADLyncDialpPolicy (DialPlan) attribute for Lync/Skype |
| | IJ24489 | Group basepoint - Unable to bind to group basepoint |
| Items closed in release (7.1.35) | | |
| Internal | | Null pointer when mailbox store is empty value on add request |
| TS003353720 | | Active Directory Adapter performance (1.5 second delay per request) |
| | APAR IJ23159 | A random server is chosen for group modify if no server is specified in the group base point |
| Items closed in release (7.1.34) | | |
| TS002713742 | | Duplicate erADEmailboxGUID entries returned resulting in warnings |
| TS002782868 | | Issue with updating proxyAddresses in Exchange/Active Directory |
| | APAR IJ17835 | WINAD ADAPTER ERROR WHEN SETTING "ACCEPT MAIL FROM" AND THE ACCOUNT HAS A REMOTE MAILBOX |
| Items closed in release (7.1.33) | | |
| TS002562024 | | eradexdialin and erADEShowInAddrBook not working correctly due to errors in targetProfile.json |
| Internal | | erUID incorrectly marked as immutable, preventing renaming user. |
| Internal | | erADERstrctAdrsLs, erADEAllowedAddressList, erADEDelegates incorrectly marked as not supported for remote mailboxes; erADETargetAddress incorrectly marked as supported for remote mailboxes. |
| Items closed in release (7.1.32) | | |
| 183289 | IJ12159 | erADEHideFromAddrsBk not returned. Behaving as designed: the value is not present when set to false through the ADSI API. |
| 183292 | | "businessCategory" on containers now supported as multi-valued. |
| Items closed in release (7.1.31) | | |
| Internal | | RTC 181198: Internal - As a WinAD adapter, I must ensure that the profile jars in the 7.x package are correct |
| Items closed in 7.1.30 release | | |
| TS001030655 | | US - As a WinAD adapter developer I must ensure that the correct version numbers are set for the 6.x and 7.x adapter builds. |
| Items closed in 7.1.29 release | | |
| None | | |
| Items closed in 7.1.28 release | | |
| TS000028936 | | Added support for providing primary SMTP address when mailbox is created. This avoids the default SMTP address becoming a secondary SMTP address when the primary SMTP address is set after the mailbox is created. |
| Items closed in 7.1.27 release | | |
| 01351,SGC,740 | | Error 0x00000037 and 0x80004005 trying to set eradnochangepassword |
| | IV98275 | WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS AND ERADPREFERREDLYNCSERVERS IN TARGETPROFILE.JSON |
| | IV97886 IV98275 | ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3 |
| Items closed in 7.1.26 release | | |
| | IV96432 | IN HYBRID EXCHG & O365, CREATING MAIL USER GETS REMOTE ONE BUT UPON MODIFY EXCHG ATTR - GETS LOCAL MAILBOX |
| Items closed in 7.1.25 release | | |
| | IV85621 | WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE |
| Items closed in 7.0.21 release | | |
| | IV84875 (reopened) | ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
| Items closed in 7.0.20 release | | |
| | IV84875 | ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
| 75802,227,000 | | Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false. |
| 04723,001,862 | | WinAD Adapter Release Notes Wrong+Missing Information |
| Items closed in 7.0.19 release | | |
| | IV82951 | SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18 |
| Items closed in 7.0.18 release | | |
| 52479,004,000 | | ITIM adapter deleting the $IPC share accidentally |
| | IV79632 | ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA. |
| | IV79641 | AD ADAPTER INTERMITTENTLY CRASHES DURING RECONCILIATION |
| | IV81775 | INVALID PARAMETER GENERATED FOR EXCHANGE 2013 PROVISIONING (-ManagedFolderMailboxPolicyAllowed) |
| Items closed in 7.0.17 release | | |
| | IV78917 | ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE SPECIAL |
| | IV78758 | WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER DURING RECONCILE |
| | IV78492 | AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID. |
| | IV78286 | IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS ATTRIBUTES |
| Items closed in initial release (7.0.16) | | |
| | IV73908 | Event Notification no longer working if USN-Changed attribute exceeds 7 digits |
| Items closed in 6.0.15 release | | |
| 92067,69G,760 | | Test connection fails. Test connection now only reports a warning if the Domain/Forest functional level cannot be determined |
| 06429,707,707 | | Change the default behavior for eradgroup to be add/delete rather than replace |
| | | LyncDisableSearch registry setting in wrong location after install |
| Items closed in 6.0.14 release | | |
| 13541,035,724 | | WTS attributes and recon error 1317 |
| | IV65653 | WinAD adapter reports success in case of AD group interface problems during reconciliation |
| | IV67715 | eradlynctelephony and eradlynclineurl fail on modify to Lync |
| 38947,031,724 | CVE-2014-8923 | WinAD adapter logs password in clear text on password change failures. This addresses IBM Security Bulletin CVE-2014-8923. |
| Items closed in 6.0.13 release | | |
| | IV61397 | Thread logging option not showing in WinAD adapter agentCfg program |
| | IV62916 | WinAD adapter recon fails when AD cannot provide information about an attribute's schema |
| | IV63714 | WinAD adapter crash if eradlynctelephony is NULL |
| CMVC# | APAR# | PMR# / Description |
|---|---|---|
| N/A | N/A | Support for Exchange and Lync is provided using remote PowerShell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote PowerShell. Setting the thread count higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy loads. |
| N/A | N/A | Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007. |
| N/A | N/A | Service form fields: see the "Corrections to Installation Guide, Chapter 4. Adapter installation" section below. The settings for Exchange Mailbox security for Read and Full access were using different values in an attempt to have the default values on the form match those of Exchange. This was confusing and caused issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. |
| N/A | N/A | Class 3 Certificates: Class 3 secure server CA-G2 certificates are not written properly to the "DamlCACerts.pem" file through the CertTool.exe utility. The certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE. See the workaround below. |

Workaround for the Class 3 certificate issue: follow the steps below to edit the "DamlCACerts.pem" file present in the "<Adapter installation path>\data" folder.
Step 1. Start the CertTool utility.
Step 2. Import the class 3 CA certificate by using option "F" from the main menu of the CertTool utility.
Step 3. Once the class 3 CA certificate is successfully installed, open the "DamlCACerts.pem" file stored in the "<Adapter installed path>\data" folder using a text editor.
Step 4. Delete the class 3 CA certificate data (i.e. the content between BEGIN CERTIFICATE and END CERTIFICATE) from "DamlCACerts.pem".
Step 5. Open the class 3 CA certificate file using a text editor and copy the certificate data (between the BEGIN CERTIFICATE and END CERTIFICATE lines).
Step 6. Paste the certificate data into "DamlCACerts.pem" between the BEGIN CERTIFICATE and END CERTIFICATE lines of the same class 3 CA certificate. If more than one class 3 certificate is installed, you can identify the certificate using the issuer and subject data.
Step 7. Save the "DamlCACerts.pem" file.
Step 8. To verify that "DamlCACerts.pem" is edited properly, display the certificate information by using option "E" from the main menu of the CertTool utility.
Please note that this issue is seen after installing a class 3 CA certificate. If you correct DamlCACerts.pem and then install another class 3 CA certificate, the newly installed class 3 CA certificate will show the same issue.
This issue is also seen when you delete any certificate using option "G" from the main menu of the CertTool utility. The delete option affects all remaining class 3 CA certificates, and you have to follow steps 1 to 8 to correct the DamlCACerts.pem file.
See the IBM Security Windows Active Directory Adapter Installation and Configuration Guide for detailed instructions.
You may see the following message while running the installer. It is only a warning and can be safely ignored:
"The previous installation was installed with newer version of InstallAnywhere"
The following corrections to the Installation Guide apply to this release:
Chapter 1: Overview
No updates for the current release.
Chapter 2: Planning
Prerequisite: The Windows Active Directory Adapter service runs under a service account. This service account must be a member of the Domain Administrators group.
Chapter 3: Installing
Section: "Service/Target form details":
Force Password Change
The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account" of the User Guide. It should read as follows: "If you select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to -1."
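The corrected text above maps the check box onto two pwdLastSet values. The PowerShell below is an added example, not adapter code, that interprets a pwdLastSet value the way that text describes and lists the accounts in a container that are currently in the "must change at next logon" state the adapter leaves behind. It needs the ActiveDirectory module for the directory query; the search base and the sample FILETIME are constructed placeholders, and the pure interpretation function runs offline.

```powershell
# Added example (not from the IBM release notes): interpret pwdLastSet the way
# the corrected "Force Password Change" text describes, and list accounts that
# are flagged for a password change at next logon.

function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)] [Int64] $Value)
    # 0  : the adapter (check box selected) or an admin forced a change;
    #      the user must set a new password at next logon.
    # -1 : what the adapter writes when the check box is not selected. AD stores
    #      the current time when -1 is written, so a read never returns -1.
    # any other value: a Windows FILETIME of the last password change.
    if ($Value -eq 0)  { return 'MustChangeAtNextLogon' }
    if ($Value -eq -1) { return 'NoChangeRequired (written as -1, stored as current time)' }
    return [DateTime]::FromFileTimeUtc($Value).ToString('u')
}

function Get-ForcedPasswordChangeAccounts {
    # Search base is a constructed placeholder; replace with a real container DN.
    param([string] $SearchBase = 'OU=Managed,DC=example,DC=com')
    Import-Module ActiveDirectory
    # pwdLastSet=0 is the state left behind when "Force Password Change" is selected.
    Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase -Properties pwdLastSet |
        Select-Object SamAccountName,
                      @{ n = 'PasswordState'; e = { ConvertFrom-PwdLastSet $_.pwdLastSet } }
}

# Offline check of the interpretation with constructed values:
ConvertFrom-PwdLastSet 0                      # MustChangeAtNextLogon
ConvertFrom-PwdLastSet -1                     # NoChangeRequired (...)
ConvertFrom-PwdLastSet 133500000000000000     # a constructed FILETIME, printed as a UTC date
```

A reconciliation that reads pwdLastSet therefore sees either 0 or a timestamp; the -1 the adapter writes is a write-only instruction to the directory, which is why the corrected wording matters when comparing the form value with what a recon returns.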
Append owner name to mailbox dn
The "Append owner name to mailbox dn" field accepts a true or false value. If true, during reconciliation the adapter fetches mailbox entries together with their owning server; if false, it fetches only the MailboxDB.
Chapter 4: Upgrading
No updates for the current release.
Chapter 5: Configuring
No updates for the current release.
Chapter 6: Troubleshooting

| Adapter Attribute | Active Directory Attribute | Description | Syntax |
|---|---|---|---|
| erADOwnerExchangeMailbox | | Accepts a true or false value. If true, during reconciliation the adapter fetches mailbox entries together with their owning server; if false, it fetches only the MailboxDB. | Boolean |
The following configuration notes apply to this release:
Managed Folder Mailbox Policy
Managed folder policies and retention policies are now treated as separate items. The type of policy is determined by its location in the Active Directory LDAP.
The following corrections to the User Guide apply to this release:
Chapter 1: Overview
Please add these sections in this Chapter:
Version 10.0.9 adds support for an Exchange remote session timeout.
In order to execute Exchange PowerShell commands, the adapter establishes a remote PowerShell session with an Exchange server. This can take over a minute. Because of the overhead of establishing a new connection, the adapter keeps the connection and reuses it for subsequent requests. There is an idle timeout, and if the connection is idle past that timeout, the connection is closed. However, if there are enough requests to keep the connection open without ever reaching the idle timeout, the credential is eventually invalidated and PowerShell commands fail to execute with an "Access is denied" error. To avoid this, the adapter now supports a session timeout: if the connection has been open past that timeout, it is closed and a new session is created. The default value is 1 hour. A new registry setting can be used to customize this timeout:
ExchSessionTimeoutMS - timeout value in milliseconds.
Version 10.0.9 adds support for Exchange Archive Mailbox. The following attributes have been added to the schema to support this:
erADEArchiveAddress
erADEArchiveDatabase
erADEArchiveName
erADEArchiveQuota
erADEArchiveWarnQuota
An archive mailbox can be on premises or remote. For an on-premises archive you supply erADEArchiveDatabase with the DN of the database in which to create the archive. For a remote archive, you supply erADEArchiveAddress with the domain name of your Office 365 instance in a hybrid configuration using AzureADSync. The values erADEArchiveDatabase and erADEArchiveAddress are mutually exclusive, and supplying both values in a request will result in an error.
For on-premises archives, if erADEArchiveDatabase is supplied and an archive already exists, the adapter will issue a move request if the value is different from the current value.
Specifying erADEArchiveDatabase or erADEArchiveAddress with a delete operation will delete the archive if one exists.
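The three rules above (mutual exclusion, move-on-change, delete-if-present) are easy to get wrong in a provisioning workflow, so here is an added PowerShell example, not the adapter's own code, that applies them with standard Exchange management cmdlets run from an Exchange Management Shell or an imported remote session. The mapping of erADEArchiveDatabase onto Enable-Mailbox -ArchiveDatabase / New-MoveRequest -ArchiveTargetDatabase and of erADEArchiveAddress onto Enable-Mailbox -RemoteArchive -ArchiveDomain is my reading of the text, not a documented adapter implementation; the identity and database names in the usage lines are constructed placeholders.

```powershell
# Added example (not the adapter's code): applies the archive rules the text gives for
# erADEArchiveDatabase / erADEArchiveAddress using standard Exchange cmdlets. The
# attribute-to-cmdlet mapping is an assumption of this example.

function Set-ArchiveFromRequest {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $ArchiveDatabase,   # erADEArchiveDatabase: DN of the on-premises archive database
        [string] $ArchiveAddress,    # erADEArchiveAddress: Office 365 domain for a remote archive
        [switch] $Delete             # the attribute arrived on a delete operation
    )
    # Rule 1: the two values are mutually exclusive; reject the request as the adapter does.
    if ($ArchiveDatabase -and $ArchiveAddress) {
        throw 'erADEArchiveDatabase and erADEArchiveAddress cannot both be supplied.'
    }
    $mbx = Get-Mailbox -Identity $Identity
    $hasArchive = $mbx.ArchiveGuid -ne [guid]::Empty

    # Rule 2: on a delete operation, remove the archive if one exists.
    if ($Delete) {
        if ($hasArchive) { Disable-Mailbox -Identity $Identity -Archive -Confirm:$false }
        return 'archive removed'
    }
    if ($ArchiveDatabase) {
        if (-not $hasArchive) {
            Enable-Mailbox -Identity $Identity -Archive -ArchiveDatabase $ArchiveDatabase
            return 'archive created'
        }
        # Rule 3: an archive exists, so move it only when the requested database differs.
        if ($mbx.ArchiveDatabase.DistinguishedName -ne $ArchiveDatabase) {
            New-MoveRequest -Identity $Identity -ArchiveOnly -ArchiveTargetDatabase $ArchiveDatabase
            return 'archive move requested'
        }
        return 'no change'
    }
    if ($ArchiveAddress) {
        # Remote (Office 365) archive in a hybrid deployment; cmdlet form is an assumption here.
        Enable-Mailbox -Identity $Identity -RemoteArchive -ArchiveDomain $ArchiveAddress
        return 'remote archive enabled'
    }
    return 'no archive attribute supplied'
}

# Usage with constructed placeholder values:
# Set-ArchiveFromRequest -Identity 'jdoe' -ArchiveDatabase 'CN=ArchiveDB01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Example,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
# Set-ArchiveFromRequest -Identity 'jdoe' -ArchiveAddress 'example.mail.onmicrosoft.com'
# Set-ArchiveFromRequest -Identity 'jdoe' -ArchiveDatabase 'CN=ArchiveDB01,...' -Delete
```

The mutual-exclusion check is deliberately done before any directory call, so a malformed request fails fast without a remote session round trip, which matters given the session cost described earlier in this chapter.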
A new registry setting was added to configure SSL for the remote Exchange session:
ExchUseSSL - Set to TRUE to use https. If this value is not set, the default is FALSE. If Basic Authentication is enabled, it defaults to TRUE.
New attributes were added to the service form to configure Basic Authentication with Exchange servers:
erADEUseBasicAuth - Set to TRUE to use Basic Authentication (otherwise Kerberos is used).
erADEUserName - User name to use with Basic Authentication with the Exchange server.
erADEPassword - Password to use with Basic Authentication with the Exchange server.
If erADEUseBasicAuth is TRUE, erADEUserName and erADEPassword are required.
If ExchUseSSL is TRUE, you must install the CA certificate for the Exchange server(s) in the trust store for the user under which the adapter runs.
When using the default Kerberos authentication, the data is already encrypted and SSL is not necessary, but it can be enabled as a second layer of encryption.
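To make the session timeout and the SSL/Basic authentication settings concrete, here is an added PowerShell example (not the adapter's implementation) that keeps one cached remote PowerShell session to Exchange, reuses it while it is younger than the session timeout, and recreates it otherwise, choosing https and Basic or http and Kerberos from the same inputs the notes describe. The server name, credential handling and the variable names are assumptions of this example; the timeout default mirrors the 1 hour stated above.

```powershell
# Added example (not from the adapter): one cached remote PowerShell session to Exchange,
# replaced when it exceeds a session timeout, opened over https with Basic auth or over
# http with Kerberos. Server name and credentials are placeholders supplied by the caller.

$script:ExchSession = $null
$script:ExchSessionCreated = [DateTime]::MinValue

function Get-ExchangeSession {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]  $SessionTimeoutMS = 3600000,   # mirrors the ExchSessionTimeoutMS default of 1 hour
        [bool] $UseSSL   = $false,            # mirrors ExchUseSSL
        [bool] $UseBasic = $false,            # mirrors erADEUseBasicAuth
        [pscredential] $Credential            # erADEUserName / erADEPassword when Basic is used
    )
    if ($UseBasic) {
        if (-not $Credential) { throw 'Basic authentication requires a user name and password.' }
        $UseSSL = $true   # Basic auth defaults to https, as the notes state
    }
    $age   = (Get-Date) - $script:ExchSessionCreated
    $reuse = $script:ExchSession -and
             $script:ExchSession.State -eq 'Opened' -and
             $age.TotalMilliseconds -lt $SessionTimeoutMS
    if ($reuse) { return $script:ExchSession }

    # Session too old (its credential may be invalidated), broken, or never created: replace it.
    if ($script:ExchSession) { Remove-PSSession $script:ExchSession -ErrorAction SilentlyContinue }
    $scheme = if ($UseSSL) { 'https' } else { 'http' }
    $auth   = if ($UseBasic) { 'Basic' } else { 'Kerberos' }
    $params = @{
        ConfigurationName = 'Microsoft.Exchange'
        ConnectionUri     = "$scheme://$Server/PowerShell/"
        Authentication    = $auth
    }
    if ($Credential) { $params.Credential = $Credential }
    # With https the server certificate must chain to a CA trusted by the account running this,
    # which is the trust-store requirement the notes describe for ExchUseSSL=TRUE.
    $script:ExchSession = New-PSSession @params
    $script:ExchSessionCreated = Get-Date
    return $script:ExchSession
}

# Usage (placeholders): Kerberos over http; the second call reuses the first session.
$s1 = Get-ExchangeSession -Server 'exch01.example.com'
$s2 = Get-ExchangeSession -Server 'exch01.example.com'
if ($s1.Id -eq $s2.Id) { 'session reused' }
# Basic auth forces https and needs a credential; prompt for it rather than embedding it.
# $cred = Get-Credential
# $s3 = Get-ExchangeSession -Server 'exch01.example.com' -UseBasic $true -Credential $cred
```

Checking the session age on every call, rather than only on idle, is what prevents the "Access is denied" failure described above: a busy adapter never lets the session go idle, so an idle timeout alone would never retire it.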
A new adapter-specific setting called MailCreateAddDisplayName is used to enable the display name feature (RFE 63875, "Specify display name when enabling mailboxes"). By default it is set to FALSE. Set it to TRUE to enable the feature.
To implement RFE 64093 (Support for setting WorkingHoursStartTime), support for a new Exchange PowerShell call was required. The RFE was for Working Hours Start Time, but the API also supports the end time, time zone and work days, so support was added for all four values. The attributes are:
erADECalStartTime - a local time value in the form hh:mm:ss
erADECalEndTime - a local time value in the form hh:mm:ss
erADECalTimeZone - the name of the time zone
erADECalWorkDays - a comma-separated list of days, or one of the following: None, AllDays, WeekDays, or WeekEndDays
They are all of String syntax. For more details see
https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxcalendarconfiguration?view=exchange-ps
Important: These values are not stored as LDAP attributes on the account object. Retrieving them during a recon requires a remote PowerShell call for each user that has an Exchange mailbox, which can severely impact performance during a large recon. A registry setting (ReconCalendarTimes) was added that must be set to TRUE for these attributes to be included in the recon results.
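The four erADECal* values arrive as strings, so the useful thing to show is the validation a provisioning step should apply before calling the cmdlet the notes link to. The PowerShell below is an added example, not adapter code: it checks the hh:mm:ss form, the time-zone name and the work-day list, applies the values with Set-MailboxCalendarConfiguration, and includes the per-mailbox read that explains the recon cost the Important note warns about. Identities and sample values are constructed; the validation function runs offline, the other two need an Exchange session.

```powershell
# Added example (not the adapter's code): validate the four erADECal* values and apply
# them with Set-MailboxCalendarConfiguration; Get-CalendarForRecon shows the one-call-per-
# mailbox cost that ReconCalendarTimes gates. Sample values are constructed.

$validDaySets = 'None', 'AllDays', 'WeekDays', 'WeekEndDays'
$validDays    = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'

function Test-CalendarRequest {
    param(
        [string] $StartTime,   # erADECalStartTime, hh:mm:ss local time
        [string] $EndTime,     # erADECalEndTime,   hh:mm:ss local time
        [string] $TimeZone,    # erADECalTimeZone,  time zone name
        [string] $WorkDays     # erADECalWorkDays,  comma-separated days or one of the sets
    )
    $problems = @()
    foreach ($pair in @(@('erADECalStartTime', $StartTime), @('erADECalEndTime', $EndTime))) {
        if ($pair[1] -and $pair[1] -notmatch '^([01]\d|2[0-3]):[0-5]\d:[0-5]\d$') {
            $problems += "$($pair[0]) must be hh:mm:ss, got '$($pair[1])'"
        }
    }
    if ($TimeZone -and -not ([System.TimeZoneInfo]::GetSystemTimeZones().Id -contains $TimeZone)) {
        $problems += "erADECalTimeZone '$TimeZone' is not a known time zone id"
    }
    if ($WorkDays) {
        $parts = $WorkDays -split ',' | ForEach-Object { $_.Trim() }
        $isSet = ($parts.Count -eq 1) -and ($validDaySets -contains $parts[0])
        if (-not $isSet -and ($parts | Where-Object { $validDays -notcontains $_ })) {
            $problems += "erADECalWorkDays must be a day list or one of $($validDaySets -join ', ')"
        }
    }
    return $problems
}

function Set-CalendarFromRequest {
    param([Parameter(Mandatory)] [string] $Identity, $StartTime, $EndTime, $TimeZone, $WorkDays)
    $problems = Test-CalendarRequest -StartTime $StartTime -EndTime $EndTime -TimeZone $TimeZone -WorkDays $WorkDays
    if ($problems) { throw ($problems -join '; ') }
    # Only pass the parameters that were supplied, so unset attributes are left untouched.
    $params = @{ Identity = $Identity }
    if ($StartTime) { $params.WorkingHoursStartTime = $StartTime }
    if ($EndTime)   { $params.WorkingHoursEndTime   = $EndTime }
    if ($TimeZone)  { $params.WorkingHoursTimeZone  = $TimeZone }
    if ($WorkDays)  { $params.WorkDays              = $WorkDays }
    Set-MailboxCalendarConfiguration @params
}

function Get-CalendarForRecon {
    # Worth calling only when ReconCalendarTimes is TRUE: one remote call per mailbox.
    param([Parameter(Mandatory)] [string[]] $Identities)
    foreach ($id in $Identities) {
        Get-MailboxCalendarConfiguration -Identity $id |
            Select-Object Identity, WorkingHoursStartTime, WorkingHoursEndTime, WorkingHoursTimeZone, WorkDays
    }
}

# Offline validation with constructed values:
Test-CalendarRequest -StartTime '09:00:00' -EndTime '17:30:00' -WorkDays 'Monday, Wednesday'   # returns nothing
Test-CalendarRequest -StartTime '9:00' -WorkDays 'Funday'                                       # returns two problems
```

Rejecting a bad value locally is cheaper than letting Set-MailboxCalendarConfiguration fail inside the remote session, and it keeps the error message in terms of the adapter attribute the operator actually set.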
The adapter now supports remote mailboxes. This allows supporting Office 365 mailboxes in a hybrid Exchange environment. A new attribute (erADEremoteAddress) has been added to the user object to support this feature. There are now 4 ways to create a mailbox with the adapter:
To delete a mailbox, simply delete the value for the mail store or mail address.
The remote address and target address values use the same user attribute to store their value. The msExchRecipientType value indicates whether the mailbox is remote or not. Currently, remote addresses appear in the target address field. You will need to run a full reconciliation after installing this update to populate the remote addresses.
Chapter 2: User account management
No updates for the current release
Chapter 3: Group management
No updates for the current release
Chapter 4: Troubleshooting
No updates for the current release
Chapter 5: Reference
Under Section: "Adapter Attributes" - Active Directory account form attributes
Attribute on IBM Security Identity Manager    Attribute on the Active Directory
erADEArchiveAddress                           msExchArchiveAddress
erADEArchiveDatabase                          msExchArchiveDatabaseLink
erADEArchiveName                              msExchArchiveName
erADEArchiveQuota                             msExchArchiveQuota
erADEArchiveWarnQuota                         msExchArchiveWarnQuota
Integration with the IBM Security Identity Manager server through the adapter framework is supported. However, IBM does not support customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
The IBM Security Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Windows 10
Windows 11
Windows Server 2019
Windows Server 2022
Windows Server 2025
Managed Resource:
Active Directory on Windows Server 2019
Active Directory on Windows Server 2022
Active Directory on Windows Server 2025
With optional:
Exchange Server 2019
Skype For Business Server 2019
Exchange Server Subscription Edition (SE)
Clients:
IBM Verify Identity Governance v11.0
IBM Security Verify Governance Identity Manager v10.0 *
IBM Security Verify Governance v10.0.2
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between
independently created programs and other programs (including this one) and (ii)
the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot
confirm the accuracy of performance, compatibility or any other claims related
to non-IBM products. Questions on the capabilities of non-IBM products should
be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes