If you experience an issue when performing an Active Directory Integration (ADI) with 探花大神, review these common resolutions.
- AD Import Agent:
Log File Location: C:\Windows\Temp\探花大神_AD_Integration.log
Configuration File Location: C:\Program Files\探花大神\AD Integration\探花大神 AD Import\jcadimportagent.config
Registry: HKLM\SOFTWARE\探花大神\AD Integration Import Agent
- AD Sync Agent:
Log File Location: C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adsync.log
Configuration Details Location: HKLM\SOFTWARE\探花大神\AD Integration Sync Agent
Here is an excellent reference for common LDAP Result Code error meanings.
- Verify that the 探花大神 AD Import agent in ADI is active. A green indicator means the agent is active, while yellow or red indicates a problem. In the 探花大神 Admin Portal, go to Directory Integrations > Active Directory and select the AD Domain.
- If an agent is inactive or offline (red), see Import agent showing red in AD Integration side of JC Admin Portal.
- Verify that the Active Directory user account (often referred to as the service account) is utilized to connect to 探花大神:
- The AD User Logon Name cannot be named "探花大神".
- Reset the service account password:
- Open AD Users & Computers, and manually set the password on the service account.
- On all DCs, open services.msc and stop the 探花大神 AD Sync Agent service.
- As an administrator on all DCs, edit the C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adint.config.json file. Manually change the Password value to match the password set above. Your password should be bracketed by the existing quote marks. For example, "NewPassword".
"SSLPort": 636,
"Port": 389,
"UserName": "contoso.org\JCimport",
"Password":
- Start the 探花大神 AD Sync Agent service on all DCs.
- Delegate read-only rights to the specified Root User Container according to the To Delegate Read-Only Control for the AD Import Service Account section in Configure the Active Directory Integration. Then restart the 探花大神 AD Sync Agent service on all DCs.
The password listed in adint.config.json will likely be a secure hash; enter the new password between the quotes.
After the service has started, the password will be re-hashed in the .json file.
- Verify that the Root User Container is configured properly:
- All users or security groups added to the 探花大神 ADI Security Group must be located in the organizational unit (OU) specified as your Root User Container as defined in Configure the Active Directory Integration. They can also be located within a child OU of the Root User Container.
- An integration specific Security Group has been created and is located in the Root User Container.
- The CN value in the AD import configuration file, C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adint.config.json, matches the name of the 探花大神 ADI security group you created.
- Verify that the information in the JSON file is correct.
The separator for DN is a semicolon and not a comma. For example, CN=Users;DC=contoso;DC=com.
- On all DCs, start services.msc and verify that the 探花大神 AD Sync Agent service is started.
- The password has changed for the service account which was used when setting up Import Agent on DC. Follow the steps to Reset service account password:
- Open AD Users & Computers, and manually set the password on the service account.
- On all DCs, open services.msc and stop the 探花大神 AD Sync Agent service.
- As an administrator on all DCs, edit the C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adint.config.json file. Manually change the Password value to match the password set above. Your password should be bracketed by the existing quote marks. For example, "NewPassword".
"SSLPort": 636,
"Port": 389,
"UserName": "contoso.org\JCimport",
"Password":
- Start the 探花大神 AD Sync Agent service on all DCs.
- Delegate read-only rights to the specified Root User Container according to the To Delegate Read-Only Control for the AD Import Service Account section in Configure the Active Directory Integration. Then restart the 探花大神 AD Sync Agent service on all DCs.
- Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.
- The Admin Portal account used to set up the ADI import has been removed from your account. This action invalidates the API key. Create a unique or dedicated Admin account specifically for ADI. Use an API key from this newly created Admin account in C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adint.config.json on all AD DCs.
- Go to 探花大神 APIs and reference the Obtaining Your API Key section.
- Reference the following step The API key used to configure AD Import is rotated for steps to replace the key.
If the API key associated with a 探花大神 administrator used to set up AD Import is rotated, or the admin is deleted, the import service will stop working. This means password changes and new user imports will no longer work as expected.
See Rotate the AD Import API Key for steps on how to update the API key in the AD Import configuration.
RESOLUTION 1:
- On DCs, start services.msc and verify that the 探花大神 AD Integration Sync Agent service started.
- Reset service account password.
- Stop the 探花大神 AD Integration Sync Agent service.
- Open AD Users & Computers, and manually set the password on the service account.
- Open the regedit.exe file.
- Browse to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Sync\ldap.
- Add a new String Value entry called bind_password.
- Edit the key, and add the password to the value data field.
- Start the 探花大神 AD Integration Sync Agent service.
Starting the service will update the bind_pw_encrypted hash and remove the bind_password key.
- Verify internet connectivity for all DCs. Allowed traffic must use ports 443, 389, 636.
RESOLUTION 2: Error:agent no longer registered, Please uninstall and re-install with a valid connect key
- From the 探花大神 Admin Console:
- Browse to the Domain Agents section in your Active Directory configuration. If it exists, delete the non-functioning Sync Agent.
- Under the Details section, click Install a new Sync Agent. Copy the new Connect Key.
- On the Domain Controller:
- Delete the contents of the following folder: C:\Program Files\探花大神\AD Sync\cfg\
- Open regedit.exe
- Browse to 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Sync'
- Edit the 'connect_key' registry entry and replace the current value with the new connect key you just generated.
- Start the 探花大神 AD Integration Sync Agent service.
- When adding new users to the Active Directory 探花大神 ADI Security Group (or to a Security Group which is memberOf the 探花大神 ADI Security Group), verify that the 探花大神 Sync Agent is running (green) in the Admin Portal.
- Users created before the installation of the 探花大神 AD Sync Agent will require a password change in order to update 探花大神 with the corresponding password from the AD User Account.
If users were created after the AD Import Agent's install, then no password change is required by that AD User. The password is immediately exported to 探花大神.
- Password changes from Active Directory-bound resources, like Windows devices, will not update consistently to 探花大神 if there are any DCs in the environment that do not currently have the 探花大神 AD Sync Agent installed and running.
- Verify that password complexity requirements between AD and JC match exactly.
- Verify that the 探花大神 AD Integration Sync Agent is installed and running properly. If not, see Sync agent showing red in AD Integration side of JC Admin Portal.
- Verify the username of the user in 探花大神 is 20 characters or less.
- Verify that the users are added to an AD-bound group in the 探花大神 Admin Portal.
- Verify that the 探花大神 AD Integration Sync Agent Root User container is configured correctly.
- Open the file "C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\adint.config.json" and make note of the DN field.
- Open the Windows registry and browse to HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Sync\ldap
- Compare the user_root_dn value and confirm it matches what is configured within the highlighted section of the file above.
Ensure the use of semicolons to separate the DN fields. Using commas will result in the application failing to sync.
- Verify that the service account used for the 探花大神 AD Integration Sync Agent has been delegated the proper rights to the Root User Container:
- Stop the 探花大神 AD Integration Sync Agent service from services.msc.
- Delegate the following rights to the 探花大神 AD Integration Sync Agent service account user for the appropriate target (OU or CN=Users, depending on your AD Import Configuration).
- Start the AD Sync Service from services.msc.
See the article Convert AD-managed User Accounts.
This can be due to the default service timeout being too short.
- Launch Windows Registry Editor.
- Locate this registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- Right-click this key and select New > DWORD (32-bit) Value. A new value named New Value #1 appears on the right.
- Change the name of this new value to ServicesPipeTimeout.
- Right-click the ServicesPipeTimeout value you created, and choose Modify. The Edit DWORD Value window opens.
- Change Base to Decimal.
- For Value, type 180000 service to start, then click OK.
If you are using 探花大神 with your Active Directory server, leveraging the 探花大神 ADI, you may find that sudo/administrator permissions are periodically lost after you set them within 探花大神. The AD Import agent controls user attributes and membership in 探花大神 via AD security groups, and this is the case for the sudo/admin user setting.
When using the 探花大神 AD Import agent, there are two AD security groups that you use to control behavior in 探花大神. Both need to be created in the Users OU.
- An integration specific security group - any user or group (or group of groups) placed in this group will be sync'd into 探花大神.
- 探花大神 Admins - any user or group (or group of groups) placed in this group will set sudo/administrator permissions on the user in 探花大神.
The 探花大神 Admins group must be a member of the 探花大神 ADI security group.
By adding user admins to the "探花大神 Admins" group, the AD Sync Agent will automatically set and maintain the sudo permissions on the user from that point forward.
Check that the password complexity settings in JC match those set in AD. This can happen when the user sets the password in JC with different complexity settings, and it is then rejected in AD because it does not meet AD's password complexity settings.
There is a conflict between global settings and user default settings. Change Users > Settings > Default Password Authority to None (探花大神).
{"error":"rpc error: code = NotFound desc = failed to get agent by
connect key: no agent found for hash of the given connect key",
"level":"error","msg":"registration failed\n",
"time":"2025-03-20T12:33:59.188124Z"}
As of AD Sync Agent 4.33.0, administrators must use a base64 Connect Key. If you are using an older version of the AD Sync Agent (below 4.33.0), the installer only stores the first 50 characters of the Connect Key, which results in the above error. To resolve this issue, do one of the following:
- Upgrade to AD Sync Agent 4.33.0 or higher.
- Manually edit the Windows Registry (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Integration Sync Agent\connect_key) and paste the entire base64 Connect Key. Then, restart the 探花大神 AD Integration Sync Agent service.
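A check for the truncation described above, as an added example (not code from the vendor). It reads the connect_key value at the registry path given in the previous step and reports only its length and whether it decodes as base64; it assumes the Connect Key uses the standard padded base64 alphabet, and the sample key is constructed.

```powershell
# Added example. Key path and value name are the ones given on this page.
$agentKey = 'HKLM:\SOFTWARE\探花大神\AD Integration Sync Agent'

function Test-ConnectKey {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Key)

    # Assumption: the Connect Key is standard, padded base64.
    $validBase64 = $true
    try { [void][Convert]::FromBase64String($Key) } catch { $validBase64 = $false }

    # Report properties of the key only; the key itself is never printed.
    [pscustomobject]@{
        Length          = $Key.Length
        ValidBase64     = $validBase64
        # Installers below 4.33.0 keep only the first 50 characters.
        LikelyTruncated = ($Key.Length -eq 50)
    }
}

# Constructed sample: 48 random bytes encode to a 64-character base64 string.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sampleKey = [Convert]::ToBase64String($bytes)

Test-ConnectKey -Key $sampleKey                    # the full key
Test-ConnectKey -Key $sampleKey.Substring(0, 50)   # what an old installer would store

# Live check on a DC (run from an elevated prompt).
$stored = (Get-ItemProperty -LiteralPath $agentKey -Name connect_key `
           -ErrorAction SilentlyContinue).connect_key
if ($null -ne $stored) {
    Test-ConnectKey -Key $stored
} else {
    Write-Warning "connect_key not found under $agentKey"
}
```

A stored value that is exactly 50 characters long and fails to decode matches the truncation case; paste the full key and restart the service as described above.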
The AD Import agent log file will be similar to below:
Resolution: Rotate the API Key on the AD Server
The AD Import Agent log file can be found here:
C:\Windows\Temp\探花大神_AD_Integration.log
- Log in to the 探花大神 Admin Portal and view the Import agent(s) within the Domain Agents tab.
- Identify each broken connector.
- Retrieve the API key you stored for the ADI admin account.
It is recommended to use a dedicated administrator account specific to ADI.
- On each impacted AD server:
- Log in to the server with a local admin or AD domain admin account.
- Replace the default value for HKLM\SOFTWARE\探花大神\AD Integration Import Agent\api_key in the registry.
- Restart the 探花大神 AD Integration Import Agent service.
- In the 探花大神 Admin Portal, view the Import agent(s) within the Domain Agents tab and verify they are active.
- Check the logs to ensure that the error does not reoccur.
This error typically indicates an issue with the AD Sync service account, and not the permissions of the user running the installer.
Resolution: Open the ADI Sync log file at C:\Program Files\探花大神\AD Integration\探花大神 AD Sync\探花大神_AD_Sync.log. You may see the following error in the log:
Invalid password error: "error":"could not bind user to LDAP provider: LDAP Result Code 49 \"Invalid Credentials\":
- Update the stored password for the AD Sync Agent service account.
- Ensure the service account being used by the AD Sync Agent is enabled, and ensure the password for this account is correct.
- Open the Windows Registry (regedit.exe).
- Browse to 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\探花大神\AD Integration Sync Agent\ldap'.
- Edit the value for the bind_password entry and enter the correct password for the service account. Once the service starts, it will update the 'bind_password_encrypted' field with the new hashed password and clear the plain text password from the 'bind_password' field.
- Open Windows Services (services.msc) and locate the '探花大神 AD Integration Sync Agent' service.
- Start the service and then click Retry on the AD Sync Agent installer to allow the installation to complete successfully.
- If it is still in place, remove the 探花大神 AD Integration Sync Agent service:
- Open an administrative Command Prompt or PowerShell prompt
- In the prompt type the following command to stop the Sync Agent service if it is running:
- net stop "探花大神 AD Integration Sync Agent"
- You should see the message - The 探花大神 AD Integration Sync Agent service was stopped successfully
- In the same prompt type the following command to remove the service:
- sc delete "探花大神 AD Integration Sync Agent"
- Delete the associated registry entry:
- HKLM\SOFTWARE\探花大神\AD Integration Sync Agent
- Remove the Sync Agent installation folder by deleting the following folder:
- C:\Program Files\探花大神\AD Integration\探花大神 AD Sync
Once the service, the registry entries and the installation folder have been removed, you should be able to reinstall the 探花大神 Active Directory Integration Sync agent.
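Both password-reset procedures above (RESOLUTION 1 and the LDAP Result Code 49 resolution) place the service account password in clear text in the bind_password registry value until the service restarts. The following added example, which is not vendor code, confirms that the clear-text value is gone afterwards and lists who can read the key; the two key paths and the encrypted value names are the ones that appear on this page, and the function name is hypothetical.

```powershell
# Added example. Save as UTF-8 with BOM for Windows PowerShell 5.1,
# because the paths contain non-ASCII characters.
$ldapKeys = @(
    'HKLM:\SOFTWARE\探花大神\AD Sync\ldap',
    'HKLM:\SOFTWARE\探花大神\AD Integration Sync Agent\ldap'
)
$serviceName = '探花大神 AD Integration Sync Agent'

function Test-BindPasswordCleared {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }  # key absent on this host
    $props = Get-ItemProperty -LiteralPath $KeyPath
    $names = $props.PSObject.Properties.Name

    # Only report whether something is stored, never the value itself.
    $plainLeft = ($names -contains 'bind_password') -and
                 (-not [string]::IsNullOrEmpty([string]$props.bind_password))
    $encName = $names |
        Where-Object { $_ -in 'bind_pw_encrypted', 'bind_password_encrypted' } |
        Select-Object -First 1

    [pscustomobject]@{
        Key              = $KeyPath
        PlaintextPresent = $plainLeft
        EncryptedValue   = if ($encName) { $encName } else { '(none)' }
    }
}

# Match on either the service name or the display name.
$svc = Get-Service | Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $serviceName }
if ($svc) { "Service status: $($svc.Status)" } else { 'Service not installed' }

foreach ($key in $ldapKeys) {
    $r = Test-BindPasswordCleared -KeyPath $key
    if ($null -eq $r) { continue }
    $r
    if ($r.PlaintextPresent) {
        Write-Warning "bind_password still holds a value under $key; start the service so it is re-encrypted."
    }
    # Review the ACL for anything broader than SYSTEM and Administrators.
    (Get-Acl -LiteralPath $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}
```

Run it from an elevated prompt on each DC after the service has started; a PlaintextPresent value of True means the password is still readable in the registry.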