Oracle Identity Manager (OIM) can be integrated with Microsoft Active Directory (AD) using OIM’s Active Directory User Management (UM) Connector. The steps to deploy the Active Directory User Management (AD-UM) Connector are covered in this guide.
One of the steps after Connector deployment is to run the Group and Organization Lookup reconciliation. These reconciliations are executed by running the jobs Active Directory Group Lookup Recon and Active Directory Organization Lookup Recon. After the job completes successfully, the Lookup Definition (in OIM) Lookup.ActiveDirectory.Groups should be populated with the Groups pulled from AD as Lookup Code Information. (Similarly, the Active Directory Organization Lookup Recon job should populate Lookup.ActiveDirectory.Organization from the Organizations in AD.)
How the 11g Active Directory Connector works:
From connector version 11g onwards, the OIM Server communicates with the Active Directory Server via the Connector Server (OIM Server -> Connector Server -> Active Directory).
Note: The Connector Server is mandatory for .NET-based connector code in 11g, whereas for Java-based connector code the Connector Server is optional.
C:\Oracle\ConnectorServer>ConnectorServer.exe /setKey connectorserverkey123
Root Cause: In my case, the key set on the Connector Server was different from the key configured in OIM (under the Active Directory Connector Server IT Resource).
Fix: Set the key on the Connector Server, restart the Connector Server, and set the same key on the OIM server (under the Active Directory Connector Server IT Resource). Then run the jobs Active Directory Group Lookup Recon and Active Directory Organization Lookup Recon again.